
Five Actions To Take Immediately After a Cyber Attack

3/24/2015

By Todd Weller, Hexis Cyber Solutions



For retailers, it’s now no longer a matter of “if” you will be compromised by a cyberattack, but “when” you will be. But they can mitigate the impact of attacks now and in the future by preparing a response plan with policy-based automation.



2014 was a major wake-up call for the retail industry; household brands like Target and Michaels made front-page news after it was announced that millions of customers’ data had been compromised through point-of-sale (POS) attacks. The big takeaway from these incidents: it’s no longer a matter of “if” you get attacked, but rather “when” you get attacked. The result can be millions of dollars of lost revenue, compromised personal information, potential legal fees, and most importantly the loss of trust in and reputation of the company. This kind of damage is irreparable.



Having a sound security strategy in place is crucial, and this includes the basics such as perimeter defenses and best practices. But perimeter-based solutions are no longer adequate by themselves, and a proper security program should include network and systems monitoring, tools to automate those activities that can be automated, and a way to elevate serious incidents to analysts when a human touch is required. It’s virtually impossible for human workers alone to keep the network safe, and the demand for trained professionals makes hiring and retaining them costly and difficult. Having tools like automated malware removal can help your defense systems significantly. There are strategic steps that can be taken to improve your response to security incidents and mitigate the impact of malware and advanced persistent threats (APTs) that make it through your defenses. Here are five:



1. Detect and Identify

Retailers are now multichannel operations with storefronts, online shopping and mobile apps. This increase in customer engagement across a variety of mediums also increases the attack surface of your enterprise and the number of vectors for attack.



Once a threat has been identified in the system and verified as not a false positive, a cross-functional team is needed to oversee response. Members of this team should include representatives from management, security, IT, facilities/physical security, legal, finance, HR and corporate communications. The team should identify compromised devices and analyze the malware to determine how it got in, its behavior, its diffusion and any stolen data.



2. Contain (or Not Contain)

Retailers deal directly with the public and therefore face a challenge in providing physical and IT security without interrupting a customer’s shopping experience, whether it is foot traffic or website traffic. Once you have identified the nature, extent and severity of the attack, the incident response team is faced with two options: contain it or remove it. Containing and stopping the attack involves quarantining the compromised hosts or systems or disabling some functions, removing user access to the system, and determining and blocking the access point.



Containing is appropriate if you’re dealing with a ‘drive-by’ type attack in which a virus or other rudimentary threat is introduced and the attacker quickly moves on to the next victim. But if you believe you’re dealing with advanced malware or an APT that watches and alters its techniques depending on your reaction, the more effective approach could be to jump directly to the removal phase, without tipping off the attacker that you’re on to them.



3. Remove and Recover

Thoroughly removing the threat is critical to reducing the risk of reinfection and regaining normal operation, especially when dealing with an APT that can move elsewhere within the network and attack again. The time and costs of mitigating and recovering from malware attacks are significant. According to a 2014 global report from the Ponemon Institute, it takes an organization an average of 31 days, at an average cost of $20,000 per day, to resolve a cyberattack, making the average cost of a single breach around $640,000.



Once infected hosts have been identified:



• Stop and kill all active processes

• Remove and save all files installed by the attack for later investigation

• Separate sensitive data from the network

• Apply necessary patches

• Update/reset all affected login accounts

• Assess file damage

• Reinstall affected files

• Notify all affected parties

• Disconnect affected hosts

• Perform daily reboot



4. Be Proactive

A proactive stance requires changing your mindset from ‘if’ to ‘when’ an attack will happen so that you can better anticipate threats and take action to reduce the amount of time an APT lives in your organization. This includes actively investigating your environment for Indicators of Compromise (IOCs) by continuing to collect data from multiple sources and looking for known malware signatures via behavioral detection algorithms. Stay current with the latest threat intelligence and deploy it as appropriate in the context of your environment.



In addition, many retailers’ networks are running outdated and unsupported software, such as Windows XP. Unsupported operating systems are security risks because they are no longer being patched and updated. An effective security posture includes making sure that all software is supported by its vendor, and that patches, updates and fixes are applied in a timely, well-managed process.



5. Automate Incident Response

Being proactive can initially be time consuming because you are investing resources in looking for attacks before they occur. In the long term it makes economic sense, but it may be difficult to justify in the short term because of the additional resources required. This is why automation goes hand in hand with a proactive approach. Automation eliminates the need to perform manual work that is crucial but time consuming, such as collecting endpoint data from a large number of hosts and searching for IOCs.



After an organization has been hacked, reducing the amount of time the malware lives within the environment is paramount, but the process can’t stop there. To truly gain an advantage against attackers, security and IT teams need to adopt a proactive approach with policy-based automation so that organizations can reduce the time and costs the team spends on incident response. Retailers need tools that will magnify and expand the efforts and capabilities of their IT security teams. Once the network is armed with the proper solutions, they can then shift the bulk of resources from focusing on what happened in the past, to creating a safer future.
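The IOC sweep from step 4 and the policy-based automation from step 5, wired to the contain-or-escalate decision from step 2, as an added illustration that is not code from the article or from Hexis Cyber Solutions. Every hostname, hash, IOC label and tier name below is constructed for the example; the sweep runs against in-memory endpoint snapshots rather than a real collection agent.

```python
# Constructed endpoint snapshots: hostname -> {process name: sha256 of its image}.
# The digests are placeholders, not real malware indicators.
SNAPSHOTS = {
    "pos-register-01": {"pos.exe": "a" * 64, "updater.exe": "b" * 64},
    "pos-register-02": {"pos.exe": "a" * 64, "svchost.exe": "c" * 64},
    "backoffice-01": {"outlook.exe": "d" * 64},
}

# Constructed IOC feed: sha256 -> (label, tier). "commodity" covers drive-by
# style threats; "apt" covers indicators tied to a persistent, adaptive adversary.
IOC_FEED = {
    "b" * 64: ("generic_dropper", "commodity"),
    "c" * 64: ("pos_memory_scraper", "apt"),
}


def sweep(snapshots, feed):
    """Collect every IOC hit across all hosts (the part worth automating).

    Returns one dict per matching (host, process) pair.
    """
    hits = []
    for host, procs in snapshots.items():
        for proc, digest in procs.items():
            if digest in feed:
                label, tier = feed[digest]
                hits.append({"host": host, "process": proc, "ioc": label, "tier": tier})
    return hits


# Policy from step 2: contain rudimentary threats automatically, but hand an
# adaptive adversary to an analyst instead of tipping them off with automated
# quarantine.
POLICY = {
    "commodity": "auto_quarantine",
    "apt": "escalate_to_analyst",
}


def triage(hits, policy=POLICY):
    """Assign one action per host, driven by the most serious hit on that host."""
    rank = {"commodity": 1, "apt": 2}
    worst = {}
    for hit in hits:
        current = worst.get(hit["host"])
        if current is None or rank[hit["tier"]] > rank[current["tier"]]:
            worst[hit["host"]] = hit
    return {host: policy[hit["tier"]] for host, hit in worst.items()}
```

A real deployment would feed `sweep` from the endpoint collection tooling and have `triage` open a ticket or call the quarantine API; the decision logic stays the same.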






Todd Weller is VP of corporate development at Hexis Cyber Solutions, a wholly owned subsidiary of The KEYW Holding Corp., which provides complete cybersecurity solutions for commercial companies, government agencies, and the intelligence community. He can be reached at [email protected] or at Hexiscyber.com.

