Not a Second to Lose: Nine Things Your IT Department MUST DO in the First 24 Hours
By Johnny Mays and Rodrigo Macias
Cyberattacks are inevitable and always will be. Often, they happen when you least expect them — and when they happen, they happen quickly. The first 24 hours of a cyberattack are critical, and responding appropriately only occurs if your team — and your organization — is prepared.
Proactive planning is vital. Having a defined plan allows your organization to react seamlessly, protecting your company’s assets, data, and activity. This means preparing proactively and practicing periodically to be ready to execute the plan when an attack comes.
MGO has developed a roadmap to help organizations mitigate attacks within the first 24 hours of a breach. Instead of paying the ransom, ensure your company gets back to business after an attack. Understanding these top nine issues will prepare you to emerge unscathed after those first 24 hours.
1. Know who to contact — and how.
When a cyberattack occurs, you will want to notify several groups within the first 24 hours: law enforcement, your legal counsel, the board of directors, the incident response team, and your cyber insurer. Think of them as your first line of defense in an emergency—you call them for help.
End users—individuals whose information or data is directly impacted—can be notified about the breach later, as there is a substantial amount of confidentiality involved. Businesses must avoid disclosing any weaknesses or exposures immediately following an attack.
2. Isolate and investigate.
Once you know which computers or systems have been affected, you want to isolate those involved and limit the damage. This way, you can utilize them for future investigation. By doing this, you can learn what went wrong, where your potential weak spots are, and how to avoid future mistakes. You want to move quickly to secure the systems and fix vulnerabilities — the only thing worse than one breach is multiple breaches. Remember to take all affected equipment offline and update your credentials so hackers cannot use the old ones to get back inside. Before completely shutting down any equipment, be sure you have surveyed the damage with a snapshot or copy the authorities can later review. An alternative to this is taking the affected equipment off the network to quarantine it—there will be no need to shut it down as it has been effectively partitioned from the rest of the network.
The designated incident response team will perform an immediate internal investigation upon isolation to determine the attack’s impact on critical business functions so the organization can jump into action to remediate. This team will also use their analysis to identify the attacker and discover other vulnerabilities where security can be tightened.
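The "snapshot or copy the authorities can later review" is only useful if you can later show it has not changed. The following Python is an added illustration, not MGO's procedure: it hashes every preserved file into a manifest at collection time and re-checks the copy against that manifest before it is handed over. The evidence directory, file names and collector name are constructed for the demo.

```python
import hashlib
import os
from datetime import datetime, timezone

def sha256_file(path):
    """Stream the file through SHA-256 so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir, collector):
    """Hash every file under evidence_dir and record who preserved it and when (UTC).
    Store the returned manifest outside evidence_dir so it is not mixed with the evidence."""
    files = {}
    for root, _, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            files[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": files,
    }

def verify_manifest(evidence_dir, manifest):
    """Return the relative paths that are missing or whose content no longer matches the manifest.
    An empty list means the preserved copy is exactly what was recorded at collection time."""
    problems = []
    for rel, rec in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path) or sha256_file(path) != rec["sha256"]:
            problems.append(rel)
    return problems

if __name__ == "__main__":
    import json, tempfile
    # Constructed demo evidence: two small files standing in for a preserved log and a memory capture.
    demo = tempfile.mkdtemp(prefix="evidence-")
    with open(os.path.join(demo, "auth.log"), "wb") as f:
        f.write(b"Jan 1 00:00:01 host sshd[1]: Accepted password for user\n")
    with open(os.path.join(demo, "memory.raw"), "wb") as f:
        f.write(os.urandom(4096))
    manifest = build_manifest(demo, collector="constructed-analyst")
    print(json.dumps(manifest, indent=2))
    print("verification problems:", verify_manifest(demo, manifest))  # expect []
```

Any non-empty result from verify_manifest means the copy can no longer be relied on as a faithful record of the state at isolation time.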
3. Implement manual procedures.
Before a breach, you want to define any manual, non-automatic procedures your team will need to implement during or after an attack. These procedures will allow for business “as usual” even during disruption. It is crucial to have these manual procedures in place already so that when the time arrives to use them, you know exactly what to do.
The implementation of these manual procedures must occur within the first 24 hours of the attack.
4. Contact your security service provider.
Work with your team of forensic experts. They will be able to determine whether encryption was enabled at the time of the breach. They will analyze the preserved data, review logs to see who had access to it, and verify which information was compromised. Your incident response team will also hand you forensic reports based on their findings, which you can use to take remedial measures.
5. Know your cyber insurance.
Review your cyber insurance regularly to make sure the policy provides the right level of coverage for your organization.
Generally, you want policies that support data recovery and cover the costs of business interruption.
6. Designate responsibility — ahead of time.
A cyberattack can cause chaos — it is designed to do so. It is crucial to designate responsibilities to different members of your cyber team so that everyone knows what is expected of them to bring the situation under control when a breach occurs. This will allow your organization to respond more seamlessly to the event.
7. Retain audit logs.
Audit logs provide a sort of breadcrumb trail to follow at an information systems level. Ensure your audit logs are retained in the system so that you can respond within the first 24 hours of the breach. If you get attacked and do not have the audit logs, you probably won't figure out what happened. Common best practice is to retain logs for six months to a year.
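Retention is easy to assume and hard to confirm, so it is worth checking the six-month-to-one-year window against what is actually on disk. The Python below is an added example, not part of the original article: it maps rotated audit-log file names to the days they cover, measures how far back coverage reaches, and lists any days with no log at all. The daily file-naming convention (audit-YYYY-MM-DD.log) and the inventory it runs on are constructed for the demo.

```python
import re
from datetime import date, timedelta

MIN_RETENTION_DAYS = 180     # six months: the lower bound of the recommended window
TARGET_RETENTION_DAYS = 365  # one year: the upper bound

# Assumed (constructed) naming convention: one rotated audit log per day, e.g. audit-2024-06-30.log.gz
_FILE_RE = re.compile(r"audit-(\d{4})-(\d{2})-(\d{2})\.log(\.gz)?$")

def dates_from_filenames(names):
    """Map rotated audit-log file names to the days they cover; non-matching names are ignored."""
    days = set()
    for n in names:
        m = _FILE_RE.search(n)
        if m:
            days.add(date(int(m.group(1)), int(m.group(2)), int(m.group(3))))
    return days

def coverage_report(log_days, today, min_days=MIN_RETENTION_DAYS, target_days=TARGET_RETENTION_DAYS):
    """Report how far back retained logs reach and list days with no log at all.
    A gap that runs up to today means logging has silently stopped, which is a finding in itself."""
    if not log_days:
        return {"days_covered": 0, "meets_minimum": False, "meets_target": False, "gaps": []}
    oldest = min(log_days)
    gaps, gap_start, d = [], None, oldest
    while d <= today:
        if d not in log_days and gap_start is None:
            gap_start = d
        elif d in log_days and gap_start is not None:
            gaps.append((gap_start, d - timedelta(days=1)))
            gap_start = None
        d += timedelta(days=1)
    if gap_start is not None:
        gaps.append((gap_start, today))

    def covers(n_days):
        # Coverage is only met if the window is fully reached and no gap falls inside it.
        window_start = today - timedelta(days=n_days - 1)
        return oldest <= window_start and not any(end >= window_start for _, end in gaps)

    return {
        "days_covered": (today - oldest).days + 1,
        "meets_minimum": covers(min_days),
        "meets_target": covers(target_days),
        "gaps": gaps,
    }

if __name__ == "__main__":
    today = date(2024, 6, 30)
    # Constructed inventory: 200 days of daily logs with two days missing.
    names = [f"audit-{(today - timedelta(days=i)).isoformat()}.log.gz" for i in range(200) if i not in (10, 11)]
    print(coverage_report(dates_from_filenames(names), today))
```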
8. Segment your network.
Setting up your network ahead of time to be segmented is essential, so that a breach of one server or site does not spread to another. This allows you to isolate a breach and shut down one segment instead of taking the entire network offline. Your annual security assessment would be able to tell you whether your segmentation plan was effective in containing the breach after the initial 24 hours.
9. Store backups — and back up daily at least.
The best way to recover from a ransomware attack is to have your backups ready to use. For this to be effective, your backups must be reliable, stored in a safe, separate place, and tested periodically to ensure that if something happens, you can bring the organization back online within those first 24 hours.
Be prepared for those first 24 hours.
Every organization should expect to be targeted, and all organizations need to have a plan of action to mitigate their risk when a cyberattack occurs. Because the first 24 hours of a breach are so crucial, the roadmap should be dedicated to helping operations protect themselves and prevent the attack from going to other areas of the organization. By preparing a plan, you will respond appropriately and get the company back on track with minimal lost revenue.