Small Business Cyber Security Response and Recovery. Part III – Identify what’s happening
How to prepare for a cyber incident, from response through to recovery
Part 3 – Identify what’s happening
In order to mitigate a cyber incident you first have to know that one has taken place or is taking place. It might sound obvious, but with a cyber incident this is not necessarily the case. According to the IBM Security ‘Cost of a Data Breach Report 2021’, the average time to identify and contain a data breach was 287 days: 212 days to identify the breach and a further 75 to contain it. ‘To put this into perspective, if a breach occurring on the 1st of January took 287 days to identify, the breach wouldn’t be contained until the 14th of October.’ In the case of compromised credentials the statistics are even less optimistic: 250 days to identify and 91 days to contain, nearly a year in total. And the longer a data breach goes on, the more costly it is. Yes, this data applies mostly to large enterprises, but it is presented here to make you aware that an attacker will not ‘advertise’ the fact that they have compromised your system. Depending on their objectives, they might never make themselves obviously visible.
Signs that might indicate a cyber incident
So, how do you determine that a cyber incident is taking place or has taken place? Here are some of the most common signs:
- Computer or network running slowly, because malicious activity is taking place without the user’s knowledge
- Strange computer behaviour, such as:
  - Too many antivirus warnings popping up for no apparent reason
  - New toolbars or extensions in your browser that you did not install
  - The cursor on your screen moving without you touching the mouse
  - Internet searches being redirected
- Login issues: if login credentials have been compromised and the attackers have changed them, users can find themselves locked out of their accounts
- Missing data, or users unable to access documents
- Other people telling you that strange emails are coming from your domain
- Requests for unauthorised payments
- Messages demanding a ransom for the release of your files
- Your files have been encrypted and you are unable to access them
Find out what has happened
There are many ways in which your IT or OT systems could have been compromised. To find out what has happened, you need to collect some information about the incident. Here is a list of questions to help you with this; the answers will help your IT team deal with the situation.
- What problem has been reported and who reported it?
- What services, programs, and/or hardware are not working?
- Are there any signs that data might have been lost, such as a ransom demand or your data being posted on the internet?
- Has any information been lost, corrupted, or disclosed to unauthorised parties, and if so, what kind?
- Have your customers noticed any problems? Can they use your services?
- Who designed the affected system, and who maintains it?
- When did the problem occur, or when did it first come to your attention?
- What is the scope of the problem, what areas of your enterprise are affected?
- Have there been any signs as to whether the problem has occurred internally within your organisation or externally through your supply chain?
- What is the potential impact of the incident on the business?
Stop the incident getting any worse
See if you are able to identify the specifics of the attack and, from that, the cause of the incident: look at your security software, such as antivirus alerts, and at your server and audit logs for information.
If you are unable to do this, run a full scan with your antivirus programme and note down the results. If it finds nothing, try a scanner from a different provider.
With the information collected, look for advice online from trusted sources such as police or security vendor websites. You might find information on how to resolve your problem, but caution is advised when acting on unverified advice.
If your internet connection is down, contact your ISP in the first instance. It could be that the ISP is experiencing a known problem with its own network that has nothing to do with a cyber attack.
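The log-review step above is where compromised credentials (the sign with the longest identification time in the IBM figures quoted earlier) usually show up first. The script below is an added example, not part of the original article or of SEQRED’s tooling: it runs three simple checks over a constructed set of sshd auth.log lines, flagging a successful login preceded by a burst of failures from the same address, logins outside working hours, and logins from addresses not on an allowlist. The host names, IP addresses, thresholds, the known_ips allowlist and the work_hours window are all assumptions for illustration.

```python
"""Triage constructed SSH auth.log lines for signs of compromised credentials."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, in the format sshd writes to syslog. Not real data.
SAMPLE_LOG = """\
Mar 14 02:11:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:05 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 14 02:11:07 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 14 02:11:09 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 14 02:11:11 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 14 02:11:14 web01 sshd[2201]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Mar 14 09:02:44 web01 sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Mar 14 09:15:01 web01 sshd[2344]: Failed password for bob from 192.0.2.11 port 40200 ssh2
Mar 14 09:15:06 web01 sshd[2344]: Accepted password for bob from 192.0.2.11 port 40201 ssh2
Mar 14 23:40:12 web01 sshd[2590]: Accepted password for alice from 198.51.100.7 port 60011 ssh2
"""

# Matches the "Accepted"/"Failed" login lines only; other sshd lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text, year):
    """Turn login lines into events. Syslog has no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # session-opened, disconnect and similar lines are not login attempts
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def triage(log_text, year=2024, known_ips=None, fail_threshold=3,
           window_minutes=10, work_hours=(7, 19)):
    """Return a list of findings; every successful login is checked against three rules."""
    events = parse_events(log_text, year)
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(list)  # source IP -> timestamps of failed attempts
    findings = []
    for ev in events:
        if ev["result"] == "Failed":
            recent_failures[ev["ip"]].append(ev["time"])
            continue
        ctx = {"user": ev["user"], "ip": ev["ip"], "time": ev["time"].isoformat()}
        # Rule 1: success preceded by a burst of failures from the same address
        # within the window (password guessing that eventually worked).
        fails = [t for t in recent_failures[ev["ip"]] if ev["time"] - t <= window]
        if len(fails) >= fail_threshold:
            findings.append({"rule": "brute_force_then_success", "failures": len(fails), **ctx})
        recent_failures[ev["ip"]].clear()
        # Rule 2: login outside the assumed working hours (start inclusive, end exclusive).
        start, end = work_hours
        if not start <= ev["time"].hour < end:
            findings.append({"rule": "out_of_hours_login", **ctx})
        # Rule 3: login from an address not on the (assumed) office/VPN allowlist.
        if known_ips is not None and ev["ip"] not in known_ips:
            findings.append({"rule": "login_from_unknown_address", **ctx})
    return findings


def summarise(findings):
    """Count findings per rule, for a quick overview before reading individual hits."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG, known_ips={"192.0.2.10", "192.0.2.11"})
    for h in hits:
        print(h)
    print(summarise(hits))
```

On the sample data the root login at 02:11 trips all three rules (five failures in the preceding eleven seconds, out of hours, unknown address), while bob’s single mistyped password at 09:15 from an office address produces nothing. The thresholds are deliberately simple; the point is that the evidence of a compromised account is often already sitting in the logs long before any of the visible signs listed earlier appear.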
Do you require help with preparing for and dealing with cyber incidents?
If you have any questions or require help or advice on preparing for and dealing with cyber incidents, please contact us at SEQRED.
SEQRED specialises in all areas of cybersecurity, including Critical Infrastructure Protection, Cloud Services Security, Audits and Threat Intelligence. For a full list of our services visit our website – www.seqred.pl
Stay safe rather than sorry!