7. Security Toolkit: When you Experience an Attack
Every cyber attack is different, and the process of dealing with and responding to that attack will vary widely. Here, we've outlined some of the common things to consider if (or when) an attack occurs. This outline is not one-size-fits-all. Instead, you can use these bullet points to think through what questions to ask and what actions to take. This outline can help organizations develop plans before an attack has ever occurred, and it can help organizations experiencing an attack to determine what to do next.
- Immediately investigate whether you have been attacked or compromised.
- It helps to have a well-trained team of staff and volunteers who can serve as an early warning team for any suspicious behavior or changes to their environment.
- Treat any significant change in performance or account access, and any notification from another organization or from your Internet or cloud provider that indicates strange behavior (e.g. large volumes of spam coming from your org, network congestion reported by your ISP, unusual Internet traffic patterns, etc.), as a potential sign of either an attack (e.g. a DDoS) or a compromise (a successful attack).
- Attacks or compromises may seem limited at first, but assume that they will grow or get worse.
- Move quickly to assess and take action; be prepared to act before you are certain your systems have been compromised. You may have a false positive, which isn't the worst thing in the world.
- Before an attack, your executive team should collect and verify contact information (personal email addresses and phone numbers) for all staff members. In the initial stages of a security incident, most systems will be considered untrusted and/or locked down, preventing normal methods of communication.
- Work with your security provider, your EDR vendor, your SIEM vendor, or even your own firewall and system logs to help identify and confirm problems.
- An attack with cryptoware (ransomware) may be noticed by users before it has completed its spread and encryption, so shutting down or cutting off access may limit the damage.
- Consult and follow your cyber security incident response policy.
- If you don't have a cyber incident response policy, consider:
  - Communicating with your leadership via out-of-band phone, text, chat, etc.
  - Treating what your IT and leadership team understand about how the attack gained access to the environment as tentative knowledge that may be wrong.
  - If you have cybersecurity insurance, contacting your agent.
  - If you have cybersecurity counsel or general counsel, contacting them.
  - Designating an incident coordinator or manager (typically not someone from the IT team).
  - Communicating with your staff as appropriate on what they can expect and what they can communicate to others.
  - Generally, not communicating about a potential incident publicly or with third parties until advised by your leadership or counsel.
  - Talking to your tech team / tech partners for additional assistance.
  - Attempting to isolate systems and shut down access to them:
    - Where possible, maintain remote connectivity so that IT can manage access.
    - Restrict inbound and outbound firewall traffic to IT personnel only, i.e. remote connectivity from trusted public IPs.
    - Limit or stop traffic across all endpoints. For instance, on virtual servers, disable the virtual NIC.
    - Talk with your cloud service providers about limiting or stopping traffic (case management, document management, email, etc.).
  - Resetting all passwords, including administrators, users, service accounts, temp accounts, guest accounts, etc.:
    - Review user accounts for anything that may have been suspiciously added.
    - Talk with your cloud service providers about doing the same (case management, document management, email, etc.).
  - Collecting and backing up all log information from all systems, including servers, firewalls, VPNs, email, etc.:
    - If there is a ransomware note or a malicious email, get a copy of it.
    - Take screenshots of any unusual activity, such as logins from unknown accounts, antivirus/EDR pop-ups, configuration changes, etc.
    - Create a detailed timeline of all events from the moment you became aware of the security incident.
    - Be careful not to alter or delete any potential evidence that could be used by the forensics company.
  - Attempting to identify the source of the security breach. The compromise may have come from malware, a phishing email, a misconfigured firewall rule, a zero-day exploit, an easily guessable password, etc. Check all servers and networking devices (e.g. firewalls, VPNs, email systems) for suspicious login activity.
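The log collection and suspicious-login review in the points above, as an added Python example that is not part of the toolkit: it writes a read-only copy of a log together with a SHA-256 manifest (so the forensics team can later show the copy was not altered) and flags two patterns in constructed sample VPN and mail login lines, a success that follows a burst of failures from the same user and source, and successful logins outside business hours. The log format, hostnames, addresses, the 5-failure/10-minute threshold and the 07:00-19:00 business window are all assumptions made for illustration; real firewall, VPN and mail logs need their own parsers.

```python
"""Added example (not from the toolkit): preserve log evidence with integrity
hashes and flag suspicious logins in a simplified, constructed log format."""
import hashlib
import json
import re
import tempfile
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample lines (not real data) in an assumed "key=value" format.
SAMPLE_AUTH_LOG = """\
2024-03-04T02:11:05Z vpn01 login user=jsmith src=203.0.113.40 result=FAIL
2024-03-04T02:11:09Z vpn01 login user=jsmith src=203.0.113.40 result=FAIL
2024-03-04T02:11:14Z vpn01 login user=jsmith src=203.0.113.40 result=FAIL
2024-03-04T02:11:20Z vpn01 login user=jsmith src=203.0.113.40 result=FAIL
2024-03-04T02:11:27Z vpn01 login user=jsmith src=203.0.113.40 result=FAIL
2024-03-04T02:11:33Z vpn01 login user=jsmith src=203.0.113.40 result=OK
2024-03-04T03:40:10Z mail01 login user=svc-backup src=198.51.100.7 result=OK
2024-03-04T09:02:44Z vpn01 login user=mlee src=192.0.2.10 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Turn log lines into dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def find_suspicious_logins(events, fail_threshold=5, window=timedelta(minutes=10),
                           business_hours=(7, 19)):
    """Flag (a) a success preceded by >= fail_threshold failures from the same
    user/source within `window` (guessing that eventually worked) and
    (b) any success outside business hours. Thresholds are assumptions."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed attempts
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        base = {"ts": ev["ts"].isoformat(), "host": ev["host"],
                "user": ev["user"], "src": ev["src"]}
        if len(recent) >= fail_threshold:
            findings.append({**base, "reason": f"success after {len(recent)} failures"})
        start, end = business_hours
        if not start <= ev["ts"].hour < end:
            findings.append({**base, "reason": "successful login outside business hours"})
    return findings


def preserve_evidence(name, content, out_dir):
    """Write a read-only copy of a log plus its SHA-256 into manifest.json.
    Copy, never move: the originals stay in place for the forensics team."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    data = content.encode("utf-8")
    digest = hashlib.sha256(data).hexdigest()
    path = out_dir / name
    if path.exists():
        path.chmod(0o644)  # allow overwriting an earlier read-only copy
    path.write_bytes(data)
    path.chmod(0o444)
    manifest = out_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else {}
    entries[name] = {"sha256": digest,
                     "collected_at": datetime.now(timezone.utc).isoformat()}
    manifest.write_text(json.dumps(entries, indent=2))
    return digest, entries


def collect_sample_evidence(out_dir=None):
    """Preserve the constructed sample log and return (digest, manifest entries)."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="evidence-")
    return preserve_evidence("vpn01-auth.log", SAMPLE_AUTH_LOG, out_dir)


if __name__ == "__main__":
    digest, manifest = collect_sample_evidence()
    print("preserved vpn01-auth.log sha256", digest)
    for f in find_suspicious_logins(parse_events(SAMPLE_AUTH_LOG)):
        print(f)
```

The findings feed the incident timeline directly (each one carries the timestamp, host, user and source), and the manifest gives the forensics company a hash to check against the copy you hand over. Record the hash in the timeline as well, so the chain from "collected at" to "analysed" is documented.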
- If you don't have cybersecurity insurance, you will likely need to:
  - Get IT and legal help from partners who have worked on cyber incidents.
  - Work quickly to mitigate the damage.
  - Get outside expertise to investigate the incident, determine the extent of the damage, and determine, to the extent possible, whether there was data access or exfiltration.
  - Decide whether and how to negotiate with the criminals involved (there are firms that specialize in these negotiations).
- Plan for and securely restore technology services:
  - Consult with your insurance, security and legal teams before proceeding.
  - You may need to do this in an alternative physical or virtual network and system environment if confidence is low that the security breach has been fully identified, or if you need the affected environment for forensic analysis.
  - You will likely need to greatly expand logging and monitoring of the environment.
  - You will likely need to install EDR software.
  - You may need to prioritize which services to restore.
  - You may want to avoid restoring unnecessary or out-of-date, insecure systems or network infrastructure.
  - Assume that accounts and access can be compromised again.
  - Consider MFA deployment across all systems on an expedited basis.
  - Review privileges and limit them to the extent feasible.
  - Modify password policies to be more stringent, if necessary.
  - Consider modifying any sharing policies/configurations that were previously in place (e.g. disable sharing via anonymous links).
  - Adjust or implement stronger email security systems to protect against malicious attachments/links and email-borne attacks such as phishing and business email compromise (BEC).
  - Provide users with security awareness training.
  - Restrict who has remote access (if that is even possible with COVID).
  - Review firewall rules for any old/unused rules and disable them.
  - Revise firewall rules to be more restrictive.
  - Monitor electronically, and with all users on high alert.
  - Decide what changes to make to improve security (to avoid a repeat attack).
  - Work on communications/compliance as necessary (regulators/government entities, funders, clients, employees, and the public).
- Backups are not comprehensive, up-to-date, and accessible.
- It is not certain whether the backups have also captured the security compromise; restoring them might restore the attacker's access or backdoor.
- There is not enough capacity in the environment to set up the restored environment.
- It may take a long time to recover massive amounts of data, especially when restoring from cloud-based backups over slow Internet connections.
- Criminals are posting exfiltrated data on the dark web or "shame sites".
- Criminals sell reconnaissance information to other criminals, so there is potential for another attack.
- Forensic analysis is inconclusive.
- There is not enough (or inaccessible) IT documentation to rebuild the environment. Installer packages for critical software, or detailed configurations needed for certain connections/applications, may be missing.
- IT credentials to access systems or networking devices are outdated.
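To make the backup problems in the list above concrete, an added Python example that is not part of the toolkit: it takes a constructed inventory of systems and backup catalog entries plus the earliest known compromise time from the incident timeline, and reports which systems have no backup, which have stale backups, the newest backup taken before the compromise (a candidate clean restore point only; forensic review must still confirm the attacker was not already present), and how many backups were taken after the compromise began and may therefore carry the attacker's access. System names, dates, the two-day freshness limit and the restore-tested flags are assumptions.

```python
"""Added example (not from the toolkit): assess backup coverage and freshness
against the earliest known compromise time, using constructed sample data."""
from datetime import datetime, timedelta

# Constructed inventory and backup catalog (system, backup time, restore-tested?).
SYSTEMS = ["fileserver", "casemgmt-db", "mail-gateway", "vpn01"]
BACKUPS = [
    ("fileserver", "2024-03-01T01:00:00", True),
    ("fileserver", "2024-03-03T01:00:00", True),
    ("fileserver", "2024-03-05T01:00:00", False),
    ("casemgmt-db", "2024-02-20T01:00:00", True),
    ("mail-gateway", "2024-03-04T23:00:00", False),
]
# Earliest attacker activity found so far in the incident timeline (assumed value).
EARLIEST_COMPROMISE = "2024-03-04T02:11:00"
NOW = "2024-03-06T08:00:00"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def assess_backups(systems, backups, earliest_compromise, now, max_age=timedelta(days=2)):
    """Per system: coverage, freshness, the newest pre-compromise backup (a
    candidate clean restore point, NOT proof the backup is clean), and the number
    of backups taken after the compromise began (they may carry the attacker's
    access, so they must not be restored without forensic confirmation)."""
    compromise, now = _ts(earliest_compromise), _ts(now)
    report = {}
    for system in systems:
        entries = sorted((_ts(t), tested) for s, t, tested in backups if s == system)
        if not entries:
            report[system] = {"status": "no backup", "candidate_clean_restore": None,
                              "post_compromise_backups": 0}
            continue
        latest_ts, latest_tested = entries[-1]
        pre = [t for t, _ in entries if t < compromise]
        report[system] = {
            "status": "stale" if now - latest_ts > max_age else "current",
            "latest": latest_ts.isoformat(),
            "latest_restore_tested": latest_tested,
            "candidate_clean_restore": pre[-1].isoformat() if pre else None,
            "post_compromise_backups": sum(1 for t, _ in entries if t >= compromise),
        }
    return report


def restore_blockers(report):
    """Plain-language list of the problems the restore plan has to work around."""
    issues = []
    for system, r in report.items():
        if r["status"] == "no backup":
            issues.append(f"{system}: no backup at all; must be rebuilt from documentation")
            continue
        if r["status"] == "stale":
            issues.append(f"{system}: latest backup {r['latest']} is older than the freshness limit")
        if r["candidate_clean_restore"] is None:
            issues.append(f"{system}: every backup post-dates the compromise; none is a safe restore point")
        if not r["latest_restore_tested"]:
            issues.append(f"{system}: latest backup has never been restore-tested")
    return issues


if __name__ == "__main__":
    rep = assess_backups(SYSTEMS, BACKUPS, EARLIEST_COMPROMISE, NOW)
    for line in restore_blockers(rep):
        print(line)
```

The "earliest compromise" input is the weak point of this check: it is only as good as the timeline and log review, and attackers are often present well before the first activity anyone notices, which is why the pre-compromise backup is labelled a candidate rather than a clean restore point.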
Cyber insurance is essential in helping your organization recover after a data breach. Insurance can help with costs that can include business disruption, equipment damage, legal fees, public relations expenses, forensic analysis, and costs associated with legally mandated notifications. Insurance also helps companies comply with state regulations that require a business to notify customers of a data breach involving personally identifiable information.
Cybersecurity insurance policies can also cover customer notifications in the event of a breach, an option to monitor the information of anyone impacted for a specified period, and payment of costs incurred in the recovery of compromised data.
Exercise: Sample Incident and Response
Below is a fact pattern describing a typical data breach. It outlines a number of actions taken by a member of staff in one column, and in the second column it outlines a list of places to review from the toolkit while considering the fact pattern. Try to spot the things the member of staff has done that increase risk. Think about what you would do in that situation. Use the fact pattern as a tool for discussing security with the rest of your office.
You are working on an immigration case with a pro bono attorney at a private law firm. There is a sudden emergency that requires documents to be filed urgently. You need to get more confidential client information immediately to meet the deadline and share it back with the pro bono counsel.
This has all unfolded while you are at the airport with your family, heading to your cousin's wedding. You think, "I've got time, 6-hour plane ride—I'll get it all done in no time". You log into the airport's public Wi-Fi and begin downloading the client's data and texting the client about the documentation that is outstanding.
In flight, you connect to the free in-flight wireless network, log in to your 365 webmail to review the document from the pro bono lawyer, and save it on your laptop. You also;
Finally, you've made it through the 6-hour flight and to the hotel. You decide to wrap things up at the Starbucks in the hotel's lobby. You have a few email exchanges between the pro bono attorney and your client, and you e-fax all documents to immigration services. Now it is time to get some rest. The next morning, while everyone prepares for the wedding, you receive an alert that your Gmail account has been signed in to from a different location.
Congratulations, enjoy the wedding!