Cyber Incident Response. Only without the guesswork

Cyber Security looks at a ransomware attack and uses VISULOX for incident response

No one wants to react to a cyber incident or a data breach, because it inevitably means that something big has happened. How far it reaches and with what consequences usually cannot be answered seriously at the time the incident occurs and is identified. Of course, preventing a cyber incident is often the highest priority. However, this is not always possible. Then it is a case of rolling up one's sleeves and starting as quickly as possible to eliminate the danger, close the gaps, clean up the infrastructure, restore normal operations and finally raise the walls a little higher for next time.

A security incident or data breach is often a high-pressure situation and, for many involved, far removed from everyday life. Pre-planned security incident response measures help companies respond in an immediate and organised manner and ideally prevent unnecessary operational impact and reputational damage.

If you want to protect your organisation from malicious attacks, you should learn more about remediation techniques and why full logging and visibility of all privileged activities within the infrastructure are fundamental for your cyber security team.

In this article, we will learn more about the importance of a structured approach to dealing with cyber security breaches and why full and robust documentation after an incident is worth its weight in gold.

The Incident Response Plan

Planning is half the battle. The crux, and also the priority, in remediating a security breach is to prepare a cyber incident response plan in advance. The steps for identifying security breaches or incidents, from threat detection to finding the technical gateway of the ultimate compromise, should be established and rehearsed on a regular basis. Without such preparation, chaos is inevitable.

The process can and certainly does vary from company to company and from threat to threat. Rarely do the compromised accounts and systems, the lateral movement patterns and the attack paths used match those already known. Since one normally knows neither the time of the attack, nor its target, nor the planned path to get there, the exercises mentioned require special attention. The more scenarios are known, the easier it is to combine different perspectives. All of this is the organisational basis for responding to cyber incidents and must be fully backed by company management.

Here are the incident response or remediation steps required by default for such a plan:

1. Preparation

Preparation is everything. One of the most important steps is to be well prepared for an emergency. Which steps are necessary to declare an emergency? Who talks to whom, and how is communication handled internally and externally? The preparation and initiation of a response plan indicates how well the organisation will handle the incident. Specifically, a robust incident response policy, an effective response strategy and a firm process organisation should be established.

2. Identification

An incident must be clearly identified and named as a cyber incident. In an emergency, the designated response team must determine whether the incident is acute and, depending on available information from various sources, e.g. intrusion detection systems, firewall logs or detected anomalies, etc., deduce what type of threat it is.

3. Containment

The next step relates to containment of further consequential damage by deliberately isolating compromised network segments or (if necessary) shutting down production servers in an orderly fashion. In order to preserve evidence and identify, for example, how systems were infiltrated, it is important that these steps are documented and that there is a clear picture of the situation before the incident.

Who did what, when and where?
Answer it.

4. Eradication

After the first fires have been extinguished, the next step is to eradicate the threat. The goal of the response team is now to close the gateways used, to check the systems for further malware and to roll out security updates and patches, taking into account the preservation of all information and assets. All activities in this phase must be documented.

5. Recovery

Data recovery and integrity preservation through clean start-up and testing of systems are the goals of the fifth phase of the incident response plan. The response team should continue to monitor affected networks and systems and log anomalies even after confirming that they have been properly restored.

6. Lessons learned

The response team should write a report on the incident to gain insight into what went well and what to look for in a next exercise. Likewise, such a report serves to possibly shift the burden of proof in the event of an insurance claim, serves as training material for staff to mitigate the impact of possible future incidents or as a basis for further hardening measures.

Despite an incident response plan, the threat actor may have gained access to sensitive credentials. This implies that compromised passwords or keys must not be reused. The escalation of privileged user accounts was most likely used to move laterally through the infrastructure. The management, and especially the careful handling, of sensitive credentials is a fundamental aspect of Privileged Access Management (PAM).

Watch out for privileged user accounts

Below are the benefits of a PAM solution and how it can help clean up after a cyber incident and get you back on top of the situation.

  1. The moment the cyber incident is detected, you are able to automatically disable all privileged accounts and remove users from the infrastructure. This prevents compromised privileged credentials from being reused.
  2. Get an overview at any time of how many administrative accounts are actually used in your infrastructure, for what purpose. Eliminate or control unnecessary privileged user accounts if necessary.
  3. Control and de-anonymise function and service accounts.
  4. Search specifically for suspicious user activity in certain time periods or locations in historical data.
  5. Get seamless documentation and tracking of administrative activities by internal and external administrative staff at any point in time through session recordings.
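The containment question above ("Who did what, when and where?") and the search through historical data in point 4 both come down to the same task: take the privileged session records, cut out the investigation window, build a timeline, and flag sessions that do not fit the expected pattern. The script below is an added example and is not VISULOX code; it uses no VISULOX API. It assumes a hypothetical JSON-lines export of session records with the fields `user`, `account`, `host`, `start`, `end`, `source_country` and `summary` (all assumed names), and the four records embedded in it are constructed sample data.

```python
"""Privileged-activity timeline from session records (added example, not VISULOX code)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export. The field names are assumptions for this example,
# not a real PAM export format.
SAMPLE_EXPORT = """\
{"user": "j.doe", "account": "root", "host": "db-01", "start": "2023-03-06T09:12:00Z", "end": "2023-03-06T09:40:00Z", "source_country": "DE", "summary": "apply kernel patch"}
{"user": "m.ext", "account": "svc-backup", "host": "file-02", "start": "2023-03-06T22:05:00Z", "end": "2023-03-06T23:50:00Z", "source_country": "DE", "summary": "backup job review"}
{"user": "j.doe", "account": "Administrator", "host": "dc-01", "start": "2023-03-07T03:14:00Z", "end": "2023-03-07T03:52:00Z", "source_country": "XX", "summary": "new group membership"}
{"user": "a.lee", "account": "root", "host": "web-03", "start": "2023-03-07T10:00:00Z", "end": "2023-03-07T10:15:00Z", "source_country": "DE", "summary": "restart nginx"}
"""


@dataclass(frozen=True)
class Session:
    user: str            # person who opened the session
    account: str         # privileged account that was used
    host: str            # target system
    start: datetime
    end: datetime
    source_country: str  # where the session came from
    summary: str         # what was done


def _ts(value: str) -> datetime:
    # Exports often write UTC as a trailing "Z"; older fromisoformat needs "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_export(text: str) -> list[Session]:
    """Parse one JSON object per line into Session records, sorted by start time."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        sessions.append(Session(raw["user"], raw["account"], raw["host"],
                                _ts(raw["start"]), _ts(raw["end"]),
                                raw["source_country"], raw["summary"]))
    return sorted(sessions, key=lambda s: s.start)


def sessions_in_window(sessions: list[Session], window_start: datetime,
                       window_end: datetime) -> list[Session]:
    """Sessions that overlap the investigation window (containment: the picture before and during)."""
    return [s for s in sessions if s.start <= window_end and s.end >= window_start]


def flag_suspicious(sessions: list[Session], allowed_countries: set[str],
                    business_hours: tuple[int, int] = (7, 19)) -> list[tuple[Session, list[str]]]:
    """Flag sessions from an unexpected location or started outside business hours (UTC)."""
    flagged = []
    for s in sessions:
        reasons = []
        if s.source_country not in allowed_countries:
            reasons.append(f"source {s.source_country} not in allow list")
        if not (business_hours[0] <= s.start.hour < business_hours[1]):
            reasons.append(f"started off-hours at {s.start:%H:%M} UTC")
        if reasons:
            flagged.append((s, reasons))
    return flagged


def accounts_to_disable(sessions: list[Session]) -> list[tuple[str, str]]:
    """Privileged accounts seen in the window: candidates for immediate disabling and rotation."""
    return sorted({(s.account, s.host) for s in sessions})


def timeline(sessions: list[Session]) -> list[str]:
    """Who did what, when and where: one line per session for the incident report."""
    return [f"{s.start:%Y-%m-%d %H:%M}Z {s.user} as {s.account}@{s.host} "
            f"from {s.source_country}: {s.summary}" for s in sessions]


if __name__ == "__main__":
    everything = parse_export(SAMPLE_EXPORT)
    window = sessions_in_window(everything, _ts("2023-03-06T20:00:00Z"), _ts("2023-03-07T06:00:00Z"))
    for entry in timeline(window):
        print(entry)
    for s, reasons in flag_suspicious(window, {"DE"}):
        print(f"FLAG {s.user} as {s.account}@{s.host}: {'; '.join(reasons)}")
    print("disable and rotate:", accounts_to_disable(window))
```

The window boundaries and the allow list come from the incident itself; what matters is that the filtering and the timeline are produced from the recorded sessions rather than from memory, so the report in the lessons-learned phase rests on the same records the response team used during containment.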

A central solution for control and documentation in case of emergency.

VISULOX Privileged Access Management is the central access component between users and their tasks. It can be used to document who has access to which application and when, and who authorised that access and when. The application itself is also presented through VISULOX Privileged Access Management, and this too is documented. This gives you control and an overview of all activities in the system, all without changes to the client or server and during ongoing operation.


Control: centralise all access by privileged users to internal IT and OT systems.

Harmonise: harmonise heterogeneous access requirements according to organisational guidelines.

Rely: rely anytime, anywhere on audit-proof records of every activity within IT and OT.

VISULOX has been developed by amitego in Germany since 2003 and is used worldwide, across all sectors, by companies ranging from small and medium-sized businesses to DAX30 corporations.
