Page 42 - cdm-2014
$3000 per day. And these are just purely internal costs due to lost productivity, mitigation,
additional monitoring and analysis. Gartner estimates that Target could face losses of up to
$420 million because of its data breach, including reimbursement to banks for reissuing millions
of cards, fines for PCI non-compliance and direct customer service costs. Other estimates
exceed $1 billion.
To comprehensively remove the threat and recover, the team must identify all infected hosts on
the network and then perform the following steps on the hosts known to be compromised:
• Stop or kill all active processes of the attacker.
• Remove all the files, backdoors and malicious programs the attacker created and save them as evidence for the investigation.
• Protect sensitive data by separating it from the compromised system(s) or network.
• Check all associated systems including those through trusted relationships.
• Apply patches and fixes to eliminate vulnerabilities and correct any improper settings/misconfigurations to prevent subsequent similar attacks.
• Update all login accounts and passwords that may have been accessed by the attacker.
• Perform a damage assessment on each system/file.
• Reinstall the affected files or the entire system as needed.
• Turn on functions in stages in order of priority, verify successful restoration, and notify all affected parties.
• Disconnect the infected hosts and, if necessary, obtain forensic information.
• Perform daily reboots of systems to eliminate memory-only resident malware.
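The second and tenth steps above (remove the attacker's files but keep them as evidence, and obtain forensic information) are where responders most often lose value by simply deleting artifacts. The following Python script is an added example, not code from the article or from any tool it mentions: it quarantines a suspect file by hashing it, copying it into a read-only evidence store, writing an append-only chain-of-custody manifest, verifying the copy, and only then removing the original from the host. It can also re-verify the store later so tampering with collected evidence is detected. The case id, collector name, directory layout and the two planted sample files are all constructed for the demonstration.

```python
"""Evidence-preserving quarantine of suspected attacker files (added example)."""
import hashlib
import json
import shutil
import stat
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: Path, evidence_dir: Path, case_id: str, collector: str) -> dict:
    """Copy `path` into `evidence_dir`, record metadata and hash, verify the copy,
    then remove the original. Returns the manifest entry that was written."""
    path, evidence_dir = Path(path), Path(evidence_dir)
    if path.is_symlink():  # collect the link target explicitly, never silently follow it
        raise ValueError(f"{path} is a symlink; resolve and collect the target instead")
    evidence_dir.mkdir(parents=True, exist_ok=True)

    st = path.stat()
    original_hash = sha256_of(path)
    # Store copies by hash: identical content collapses to one artifact, and the
    # original (attacker-chosen) filename is kept in the manifest, not used as a path.
    stored = evidence_dir / f"{original_hash}.bin"
    if not stored.exists():
        shutil.copy2(path, stored)
        stored.chmod(stat.S_IRUSR)  # read-only, never executable, in the evidence store

    if sha256_of(stored) != original_hash:
        raise RuntimeError(f"evidence copy of {path} failed integrity check")

    entry = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "original_path": str(path),
        "stored_as": str(stored),
        "sha256": original_hash,
        "size": st.st_size,
        "mode": oct(st.st_mode),
        "mtime": st.st_mtime,
    }
    # Append-only manifest, one JSON object per line: the chain-of-custody record.
    with (evidence_dir / "manifest.jsonl").open("a") as m:
        m.write(json.dumps(entry) + "\n")

    path.unlink()  # only now does the attacker's file leave the host
    return entry


def verify_manifest(evidence_dir: Path) -> list:
    """Re-hash every stored artifact; returns the entries whose hash no longer matches."""
    bad = []
    with (Path(evidence_dir) / "manifest.jsonl").open() as m:
        for line in m:
            entry = json.loads(line)
            if sha256_of(entry["stored_as"]) != entry["sha256"]:
                bad.append(entry)
    return bad


def demo() -> dict:
    """Constructed scenario: two planted files on a 'host' directory are quarantined,
    the store is verified, then one artifact is tampered with to show detection."""
    root = Path(tempfile.mkdtemp())
    host, evidence = root / "host", root / "evidence"
    sample = {  # constructed, harmless placeholder content
        "tmp/.x/backdoor.sh": b"#!/bin/sh\n# constructed sample, not real malware\n",
        "var/www/upload.php": b"<?php /* constructed sample */ ?>\n",
    }
    for rel, data in sample.items():
        (host / rel).parent.mkdir(parents=True, exist_ok=True)
        (host / rel).write_bytes(data)
    entries = [quarantine(host / rel, evidence, "CASE-0001", "ir-analyst") for rel in sample]
    intact = verify_manifest(evidence)
    tampered = Path(entries[0]["stored_as"])
    tampered.chmod(stat.S_IWUSR | stat.S_IRUSR)
    with tampered.open("ab") as f:
        f.write(b"x")
    return {
        "entries": entries,
        "expected_sizes": [len(d) for d in sample.values()],
        "remaining_on_host": [str(p) for p in host.rglob("*") if p.is_file()],
        "corrupted_before_tamper": intact,
        "corrupted_after_tamper": len(verify_manifest(evidence)),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly and it prints the manifest entries, confirms nothing remains on the host, and shows that the deliberately modified artifact is flagged on re-verification. In practice the evidence directory would sit on separate, write-once storage and the manifest would be signed or shipped off-host, so that the record survives if the compromised machine is rebuilt.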
Depending on the nature and scope of the attack, in this phase additional members of the
cross-functional team may need to become actively involved. Follow-on activities may include
addressing regulatory requirements and reporting, financial audits, as well as formal
communications and disclosures to other third parties such as shareholders, customers,
partners and the media as necessary.
4. Be Proactive
At this point most teams breathe a collective sigh of relief and believe they are out of the woods.
And in some ways that is true, having executed a thorough response, mitigated the impact of
the attack, and learned from it to prevent future similar attacks. But sophisticated and relentless
attackers learn from their experience as well. APTs often return with nuanced versions of the
attack and the organization will be back on the defensive, repeating this process again and