CSIRT Doomsday Preppers

Garrett Murphy
Maryville_University_Cyber_Fusion_Center
4 min read · Mar 24, 2021

Recent events in cybersecurity have demonstrated that anyone and everyone is susceptible to a security breach. It does not matter what industry a company is in, how large it is, or whether it works closely with government agencies. Some of the most noteworthy incidents in the news at the moment are:

· SolarWinds

o Attackers compromised the build process behind SolarWinds Orion, the business software used to monitor corporate and government networks, and inserted a backdoor known as SUNBURST into signed Orion updates. Customers who installed the trojanized updates unknowingly gave the attackers a foothold inside their own networks.

· CD Projekt Red

o Attackers gained access to the internal network and encrypted servers. They then left a ransom note threatening to release documents relating to HR, legal, accounting, and administration, as well as the source code for certain games.

· Microsoft Exchange

o The email, calendar, and collaboration server developed by Microsoft contained several zero-day vulnerabilities that allowed attackers to achieve Remote Code Execution [RCE] on on-premises Exchange servers, install backdoors, steal data, and distribute malware.

Each of these incidents is unique in how it started, but all of them required a response. Although the old adage says an ounce of prevention is worth a pound of cure, how a company responds to a breach is sometimes more important than the defensive hardware and software, preventative security measures, and other safeguards it has put in place, all of which may eventually be circumvented. In cybersecurity, an ounce of preparation for a breach may be worth more than an ounce of prevention.

Companies need to shift their mentality regarding cybersecurity and their role within it. Because of…

-The dogged persistence of attackers

-The drastic increase and far-reaching impact of recent breaches

-And the complexity of modern information technology

…companies now have a responsibility to their customers and to themselves to stop thinking of breaches as a possibility and start treating them as an eventuality. This line of thinking allows businesses to respond faster, minimize the damage to their clients and reputation, and pave the way to a full recovery.

Incident response needs to be swift and decisive. Without proper preparation, most companies will struggle even to know where to begin when a breach occurs. The result is a sluggish, uncoordinated response that can take months to find and repair the damage, all while business operations continue to suffer until a fix is in place. In the worst cases, companies may not disclose that they experienced a breach until weeks or months later, if ever.

To this end, every organization should develop and maintain a Computer Security Incident Response Team [CSIRT]. The CSIRT serves several purposes.

· They conduct risk analysis to identify the threats the organization is most likely to face and the ones it should allocate resources to protect against.

o This hones the effectiveness of the incident response when that risk or breach materializes.

· They will develop a Computer Security Incident Response Plan [CSIRP].

o The plan will be a comprehensive strategy that guides the actions of security personnel within the organization.

o This CSIRP will be developed for multiple contingencies so that a variety of possible scenarios are accounted for.

· They are the investigative force that determines which network events led to the incident, which corporate or legal security policies were violated, and how the confidentiality, integrity, or availability of company data was compromised.

· They will also determine the best course of action to lead the business down the path to recovery.

The importance of a CSIRT cannot be overstated. At the end of the day, a breach is extremely likely to happen, and having an Incident Response Team and Plan can be the difference between a total security breach and a well-handled, properly mitigated incident.

Action Plan/Recommendations

· Create a diverse Computer Security Incident Response Team.

o Hire members who have:

§ Technological backgrounds

§ Security backgrounds

§ Legal backgrounds

§ Public Relations backgrounds

· Develop a Computer Security Incident Response Plan.

o Develop plans for the threats and risks most likely to target the business.

· Evaluate the Computer Security Incident Response Plan for effectiveness across different breach scenarios.

o Review the results of the evaluation to inform future decisions.

· Evaluate the Computer Security Incident Response Team using paper, table-top, and simulated (live) exercises.

o Review the results of the evaluation to determine the effectiveness of the team and apply necessary changes to improve performance.

References

Browne, Ryan. (2021, February 9). “Cyberpunk 2077 Game Developer Says it’s Been Hit with a Cyberattack”. Retrieved from: CD Projekt Red

Jibilian, I & Canales, K. (2021, February 25). “Here’s a Simple Explanation of How the Massive SolarWinds Hack Happened and Why it’s Such a Big Deal”. Retrieved from: SolarWinds

Osborne, Charlie. (2021, March 16). “Everything You Need to Know About the Microsoft Exchange Server Hack”. Retrieved from: Microsoft Exchange

Panettieri, Joe. (2020, December 14). “Hackers Weaponize SolarWinds Orion for Worldwide Cyberattacks; SolarWinds & FireEye Release Countermeasures”. Retrieved from: SUNBURST
