Whenever a business is hit by a Cyberattack, the first priority of course is to restore mission-critical applications as quickly as possible. From there it is all about dealing with the fallout, especially when it comes to facing customers and possibly law enforcement. The last thing on your mind at that point would be to conduct a detailed forensics investigation to examine what led to the breach, and how it can be avoided in the future.
But there is still a question that will linger in your mind: “Who was the Cyberattacker that launched this variant against my business?” While it is easier now to determine this when compared to the past, it is still a 50-50 proposition. And in the end, you may not even think it’s worth it, because after all, if the Cyberattacker is in a foreign country, how will you bring them to justice?
In fact, this entire process that I have just portrayed is technically called “Attribution”. More information about this can be seen at the link below:
But maybe it’s time to take a step back now, and assess the chances of you becoming a victim. I don’t mean that you have to follow a NIST or CISA based framework to the letter, but take a simple, real-world approach to it. Here are some tips to do this:
1) Examine your own business:

Take a very close stock of your business model. Take a close look at all of the digital and physical assets that you have, and then ask yourself this very basic question: “What is it that a potential Cyberattacker will go after?” Of course, this will primarily depend upon what you have, but also keep in mind that a Cyberattacker will try to get access to something low on the totem pole in order to get to something much higher and more valuable, like the database that holds the passwords of your employees and customers. In other words, follow this quote:

“Know your enemy and you will win a hundred battles; know yourself and you will win a thousand."

(SOURCE: https://www.darkreading.com/cyberattacks-data-breaches/how-to-identify-cyber-adversary-what-to-look-for)
2) Your security tools:

This is a subject that I have written about before, on many occasions. But in this instance, ask your IT Security team to take a quick look at what you really have, then ask yourself these questions:

* How many brands come from just one vendor?
* How many come from multiple vendors?
* Is it possible to cut down on what I have and strategize?
* How much time does it take to make sure that each device is always optimized?

If your business still has the traditional Perimeter Defense model, then these security devices will be amongst the first targets a Cyberattacker goes after. After all, once they break through this, they can get access to just about anything. But if you have the Zero Trust Security model, then this is entirely different. The bottom line here is that you want to consolidate all of your security tools, and deploy them in the most strategic areas. And if possible, try to stick to just one or two vendors for all of this. It will make it a lot easier for the IT Security team to manage, and they will not have to parse through so many varying log output files.

The moral of the story here: With too many tools, your attack surface is greatly increased!!!
3) Timing:

Examine how long it takes you to actually detect and respond to a security breach. Believe it or not, it takes a business an average of seven months to do this. The metrics that reflect this are known as the “Mean Time To Detect” and the “Mean Time To Respond”, also known as “MTTD” and “MTTR”, respectively. You will of course want to respond to a breach and contain it as soon as possible. But try also to set specific goals for yourself as well. For example, it should take no longer than three hours to detect and contain a breach, should it ever happen.
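To make the MTTD and MTTR metrics concrete, here is an added example (my own illustration, not code from the post or from any vendor tool) that computes both from a set of incident records and flags any incident whose detect-plus-contain time exceeds the three-hour goal mentioned above. The three incidents and their timestamps are constructed sample data; the field names are assumptions and would map to whatever your ticketing or IR platform records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Three-hour target for detecting and containing a breach, as in the post.
DETECT_AND_CONTAIN_GOAL = timedelta(hours=3)


@dataclass
class Incident:
    """One closed incident with the three timestamps needed for MTTD/MTTR.

    Field names are assumptions for this example, not a standard schema.
    """
    name: str
    first_malicious_activity: datetime  # earliest evidence found during the investigation
    detected: datetime                  # when the SOC first raised the alert
    contained: datetime                 # when the attacker's access was cut off


def time_to_detect(inc: Incident) -> timedelta:
    """Dwell time: from first malicious activity until detection."""
    return inc.detected - inc.first_malicious_activity


def time_to_respond(inc: Incident) -> timedelta:
    """Response time: from detection until containment."""
    return inc.contained - inc.detected


def _mean_delta(deltas: list[timedelta]) -> timedelta:
    return timedelta(seconds=mean(d.total_seconds() for d in deltas))


def mttd(incidents: list[Incident]) -> timedelta:
    """Mean Time To Detect across all incidents."""
    return _mean_delta([time_to_detect(i) for i in incidents])


def mttr(incidents: list[Incident]) -> timedelta:
    """Mean Time To Respond across all incidents."""
    return _mean_delta([time_to_respond(i) for i in incidents])


def goal_breaches(incidents: list[Incident],
                  goal: timedelta = DETECT_AND_CONTAIN_GOAL) -> list[str]:
    """Names of incidents whose end-to-end (detect + contain) time exceeded the goal."""
    return [i.name for i in incidents
            if (i.contained - i.first_malicious_activity) > goal]


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = [
    Incident("phishing-2024-01",
             datetime(2024, 1, 10, 9, 0),
             datetime(2024, 1, 10, 10, 30),
             datetime(2024, 1, 10, 12, 0)),      # 1.5 h to detect, 1.5 h to contain
    Incident("webshell-2024-02",
             datetime(2024, 2, 1, 0, 0),
             datetime(2024, 2, 15, 0, 0),
             datetime(2024, 2, 16, 0, 0)),       # 14 days of dwell time, 1 day to contain
    Incident("credential-stuffing-2024-03",
             datetime(2024, 3, 5, 22, 0),
             datetime(2024, 3, 5, 22, 20),
             datetime(2024, 3, 5, 23, 0)),       # 20 min to detect, 40 min to contain
]


def report(incidents: list[Incident] = SAMPLE_INCIDENTS) -> dict:
    """Summarise the metrics; the long-dwell web shell dominates the MTTD."""
    return {
        "mttd_hours": mttd(incidents).total_seconds() / 3600,
        "mttr_hours": mttr(incidents).total_seconds() / 3600,
        "exceeded_goal": goal_breaches(incidents),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Because the mean is pulled up sharply by a single long-dwell incident, it is worth looking at the per-incident list of goal breaches alongside the averages; the mean alone hides whether you have one outlier or a consistently slow detection pipeline.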
4) Examination:

Finally, take a look at your own IT and Network Infrastructure. For instance, are you still 100% On Prem, or in the Cloud, using something like AWS or Microsoft Azure? Or are you still using a Hybrid based approach? If you are still On Prem, you are putting your business at grave risk, IMHO. You are far better off going to a total, 100% Cloud based infrastructure. At least with this, you will get, for the most part, all of the tools readily available to protect your infrastructure.
My Thoughts On This:

Finally, make some time to study the various methods that Cyberattackers have used in the past in order to launch their malicious payloads. Most of this should be available online, especially from either NIST or CISA. Also, remember to take the above-mentioned steps from a holistic approach, and above all, be honest with yourself when you do this kind of informal assessment.