While organizations do a lot to prevent a cyber attack from ever happening, it has become clear that no organization is bulletproof. One of the major security trends of the last few years is the adoption of the assume-breach model: since no set of controls prevents every breach, the organization plans to limit the damage when a breach does happen (and to absorb the costs afterward). There is plenty of guidance on what to do after an attack, but what should you do while the attack is in progress? In this article we discuss how to mitigate the damage of an attack by slowing or even stopping its progress.
Every attack is different, so no checklist is guaranteed to thwart an attacker. There are, however, some general steps that improve your odds of stopping the attack before the attacker reaches personal information, payment card numbers or other high-value data.
When an organization detects an attack in progress, it is tempting to shut everything down immediately to keep the attacker away from the target. The first step, however, is to verify the attack. That may sound odd when your intrusion detection and prevention system is alerting on an attack in progress, but any single system can produce a false positive, and pulling the plug on a false alarm causes an outage of your own making and destroys the volatile evidence (running processes, network connections, memory contents) you would want if the alert turns out to be real.
Most organizations practice defense in depth and have several different security products in place.
If an attack is genuinely under way, you should see traces of it across more than one of those layers. An attack reported by only a single product could be a false alarm, especially when the attacker would have had to get past several other defenses, each of which logs what it sees, to reach the point where it was detected. The converse does not hold: a single-source alert is not automatically benign, since the other layers may simply lack visibility (encrypted traffic, an unmonitored network segment), so treat it as unverified rather than as noise.
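The cross-layer check described above can be automated as a first triage step. The following is an added example, not code from the original article: it groups alerts that share an indicator (here, a source IP address) into short time windows and counts how many independent security products fired in each window. The alert lines and the three sources (a perimeter IDS, a WAF and a host EDR) are constructed for the example, and the one-line alert format is an assumption; in practice you would read from your SIEM or the products' own logs.

```python
"""Corroborate an alert across several security layers before treating it as an incident."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three hypothetical products (ids, waf, edr).
# Assumed format per line: "<ISO timestamp> <source product> <indicator> <message>".
# For the EDR line the indicator is the remote address of the connection it flagged.
SAMPLE_ALERTS = """\
2024-05-01T10:00:05 ids 203.0.113.7 ET SCAN Nmap scripting engine probe
2024-05-01T10:00:40 waf 203.0.113.7 SQL injection pattern in /login
2024-05-01T10:01:10 edr 203.0.113.7 suspicious child process spawned by web01 httpd
2024-05-01T10:03:00 ids 198.51.100.9 ET POLICY outbound IRC connection
2024-05-01T11:30:00 waf 203.0.113.7 path traversal attempt in /static
"""


def parse_alerts(text):
    """Parse one alert per line into dicts; blank lines are skipped."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, indicator, message = line.split(maxsplit=3)
        alerts.append({
            "ts": datetime.fromisoformat(ts),
            "source": source,
            "indicator": indicator,
            "message": message,
        })
    return alerts


def _summarise(indicator, items, min_sources):
    """Describe one time-window cluster of alerts for a single indicator."""
    sources = sorted({a["source"] for a in items})
    return {
        "indicator": indicator,
        "start": items[0]["ts"],
        "end": items[-1]["ts"],
        "sources": sources,
        "alerts": len(items),
        # Seen by several independent products: treat as corroborated.
        # Seen by one product only: unverified, not dismissed; a human looks at it.
        "corroborated": len(sources) >= min_sources,
    }


def corroborate(alerts, window=timedelta(minutes=5), min_sources=2):
    """Group alerts by indicator into windows that start at the first alert of
    each cluster and count the distinct security layers that fired in each."""
    by_indicator = defaultdict(list)
    for a in alerts:
        by_indicator[a["indicator"]].append(a)

    clusters = []
    for indicator, items in by_indicator.items():
        items.sort(key=lambda a: a["ts"])
        current = []
        for a in items:
            if current and a["ts"] - current[0]["ts"] > window:
                clusters.append(_summarise(indicator, current, min_sources))
                current = []
            current.append(a)
        if current:
            clusters.append(_summarise(indicator, current, min_sources))
    return clusters


if __name__ == "__main__":
    for c in corroborate(parse_alerts(SAMPLE_ALERTS)):
        verdict = "CORROBORATED" if c["corroborated"] else "single source, verify manually"
        print(f'{c["indicator"]} {c["start"]:%H:%M}-{c["end"]:%H:%M} '
              f'{c["sources"]} ({c["alerts"]} alerts): {verdict}')
```

On the constructed input, the 203.0.113.7 activity around 10:00 is reported by all three layers and comes out corroborated, while the later WAF-only hit from the same address and the IDS-only alert for 198.51.100.9 are left as single-source clusters. The window length and the two-source threshold are tuning knobs; a slow, low-volume intrusion may need a much longer window than five minutes.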
Once you have confirmed that the attack is real, it is time to make some phone calls. First, call your ISP, which may be in the best position to shut the attack down: it can often block the attacker's packets en route to your network, provided you can give it concrete indicators, such as the source addresses involved, to filter on.
You will obviously contact your own security team right away, but it may also help to contact the vendors of the security products you use. They can help pull and interpret the logging data those products collected and use it for a forensic analysis of the attack. That data matters if you later need to involve law enforcement (preserve the original logs and record who handled them), and it also helps the vendors make their products more resistant to similar attacks in the future.
Keep in mind that you can never be 100% sure of an attacker's intentions. Most likely they are after high-value data they can sell, but their ultimate goal may be a ransomware attack or some other way of damaging the business. It is therefore prudent to disconnect your backups if there is any chance the attacker could reach them: once the attack is over, your backups are your best chance of putting everything back the way it was, so you cannot afford to have them encrypted or deleted along with everything else. Backups reachable over the network with the same credentials the attacker may already hold are exactly the ones to isolate first.
While an attack is under way, the priorities are to shut it down and to preserve as much forensic data as you can. Once it has ended, regroup and evaluate where your defenses worked and where they did not. Acting on that information is what reduces the chance that the next attack succeeds.