What NOT to do When You’ve Been Attacked

By Todd Weller, VP, Corporate Development, Hexis Cyber Solutions

Sometimes knowing what NOT to do in the event of an emergency can be just as important as what
you SHOULD do. For example, don’t throw water on a grease fire; don’t run if you encounter a bear
in the woods; and don’t leave the scene of a car accident. There are similar rules of thumb when
dealing with the aftermath of a cyberattack.

In a previous article I talked about the five things to do to effectively and efficiently handle an
attack and minimize the damage done. Once a breach happens, the consequences can be
devastating. But acting too hastily can lead to missteps that expose the organization to
additional attacks, hamper the investigation, or slow the response.

Here are three tips on actions to avoid:


1) Don’t tip your hand needlessly. You may decide to contain the attack, but be careful
how you respond. Actions such as hacking back, or uploading the malware to a public
multi-scanner or sandbox site, can tell an adversary who watches those services that they
have been discovered. Share samples with trusted parties under agreed handling
restrictions instead, and hold public submission until containment is complete.

The same is true if the team coordinates incident response over the compromised network
(email, chat or ticketing on affected hosts) rather than establishing out-of-band
communications. An attacker reading that traffic learns what the team knows and can shift
to another technique while the team is distracted and busy dealing with the first attack.

2) Don’t start investigating without a plan. An overzealous response can compound the
damage.

For example, running an ad hoc tool on the compromised host itself can taint the very data
needed for proper timeline analysis: it updates file timestamps, writes new log entries and
creates new Prefetch records. Windows Prefetch files record which files an executable
loaded during its first seconds so the system can preload them next time (to speed the boot
process and shorten application startup time). Each .pf file also carries the executable
name, its run count, the last time(s) it ran and the paths it touched, so it can help answer
the “what”, “where” and “when” of an attack. Windows keeps only a limited number of these
files (128 on Windows 7, 1024 on Windows 8 and later), so every tool launched on the host
can evict an older record that mattered. Preserve first (memory, then disk or the specific
artifacts, with hashes), then analyze the copies.

3) Don’t keep it to yourself. Inform management and the right people using the incident
notification call list and call tree. Collaboration can help to more effectively deal with the
situation.

For organizations that choose to hire professional services to help, make sure
knowledge transfer is part of the engagement, so the in-house team can handle more of the
next incident itself and keep costs in check.
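The warning in tip 2 about tainting Prefetch evidence is easier to appreciate with the artifact in hand. The following is an added example, not code from the article or from Hexis: a small Python parser for the header of a Windows Prefetch (.pf) file that pulls out the executable name, run count and last-run time(s), the “what” and “when” the article refers to, and merges several files into a simple execution timeline. The field offsets are those of the uncompressed format versions 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8.0); Windows 8.1 and 10 files begin with a MAM compression header and are rejected rather than guessed at. The two sample blobs are constructed inside the script, not real captures, and the function and variable names are the example’s own. Run it against copies of .pf files taken from a forensic image, never against the live host’s Prefetch folder, which is exactly the tainting the article warns about.

```python
"""Extract execution evidence from Windows Prefetch (.pf) headers.

Added example for this article, not vendor code.  Offsets follow the
reverse-engineered layout of uncompressed prefetch versions 17/23/26.
"""
import struct
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"   # at offset 4 of every uncompressed .pf file
MAM_MAGIC = b"MAM\x04"   # Windows 8.1/10 wrap the file in a compressed MAM container

# Per-version offsets of the last-run FILETIME(s) and the run counter.
# 17 = XP/2003, 23 = Vista/7, 26 = Windows 8.0.  Version 30 (Win10) is not
# handled: those files are MAM-compressed and the layout varies by build.
_LAYOUT = {
    17: {"last_run_off": 120, "n_times": 1, "run_count_off": 144},
    23: {"last_run_off": 128, "n_times": 1, "run_count_off": 152},
    26: {"last_run_off": 128, "n_times": 8, "run_count_off": 208},
}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample blobs."""
    return (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def is_mam_compressed(data):
    return data[:4] == MAM_MAGIC


def parse_prefetch(data):
    """Return executable name, run count and last-run times from one .pf blob."""
    if is_mam_compressed(data):
        raise ValueError("MAM-compressed prefetch (Win8.1/10): decompress before parsing")
    if len(data) < 84 or data[4:8] != PF_SIGNATURE:
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version = struct.unpack_from("<I", data, 0)[0]
    layout = _LAYOUT.get(version)
    if layout is None:
        raise ValueError(f"unsupported prefetch version {version}")
    if len(data) < layout["run_count_off"] + 4:
        raise ValueError("truncated prefetch file")
    # Executable name: up to 29 UTF-16LE characters plus terminator at offset 16.
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    times = struct.unpack_from("<%dQ" % layout["n_times"], data, layout["last_run_off"])
    run_count = struct.unpack_from("<I", data, layout["run_count_off"])[0]
    return {
        "version": version,
        "executable": name,
        "run_count": run_count,
        # Version 26 keeps an 8-slot history, newest first; unused slots are zero.
        "last_runs": [filetime_to_datetime(t) for t in times if t],
    }


def execution_timeline(blobs):
    """Merge parsed records into (time, executable, run_count), newest first."""
    events = []
    for blob in blobs:
        rec = parse_prefetch(blob)
        for when in rec["last_runs"]:
            events.append((when, rec["executable"], rec["run_count"]))
    return sorted(events, reverse=True)


def make_sample_prefetch(version, exe_name, run_count, last_runs):
    """Construct a minimal synthetic .pf blob (test data, not a real capture)."""
    layout = _LAYOUT[version]
    buf = bytearray(256)
    struct.pack_into("<I", buf, 0, version)
    buf[4:8] = PF_SIGNATURE
    struct.pack_into("<I", buf, 12, len(buf))            # file size field
    buf[16:16 + len(exe_name) * 2] = exe_name.encode("utf-16-le")
    for i, dt in enumerate(last_runs[: layout["n_times"]]):
        struct.pack_into("<Q", buf, layout["last_run_off"] + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, layout["run_count_off"], run_count)
    return bytes(buf)


# Constructed samples: a Windows 7 record and a Windows 8.0 record with two runs.
SAMPLE_WIN7 = make_sample_prefetch(
    23, "EVIL.EXE", 3, [datetime(2015, 2, 1, 12, 0, tzinfo=timezone.utc)])
SAMPLE_WIN8 = make_sample_prefetch(
    26, "CMD.EXE", 12,
    [datetime(2015, 2, 1, 12, 5, tzinfo=timezone.utc),
     datetime(2015, 1, 31, 9, 30, tzinfo=timezone.utc)])

if __name__ == "__main__":
    for when, exe, count in execution_timeline([SAMPLE_WIN7, SAMPLE_WIN8]):
        print(f"{when.isoformat()}  {exe:<12} (run count {count})")
```

To use it on real evidence, read each copied .pf file in binary mode and pass the bytes to `parse_prefetch`; the run count compared against the number of distinct last-run entries is a quick check for how much history the record has already lost.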


When an attack happens, seconds count. The 2014 Verizon Data Breach Investigations Report found
that in 75 percent of cases the breach wasn’t discovered for weeks, months, or even years, while it
typically took the attacker only hours or minutes to accomplish the mission.


You want to act swiftly, but you don’t want to make matters worse with uninformed actions.





30 Cyber Warnings E-Magazine – February 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
