In 2020, the world experienced multiple high-profile cybersecurity breaches across sectors, exposing the personal information of millions. In the face of ever-evolving cyber crime as the world moves towards digital-first infrastructure, it begs the question: what are the steps your company can take to respond to and recover from a data breach? And how do you defend yourself from these threats going forward?
According to Nithen Naidoo, CEO and founder of Snode Technologies, a practical yet simplistic approach must be taken by companies faced with a cybersecurity incident. “We believe that simplicity is the ultimate sophistication in taking a robust response to a security breach. Our modus operandi in these situations is to gain comprehensive visibility, and fast. Based on this approach, we endeavour to perform a rapid response, minimise business impact, contain the incident, assist the organisation in communicating about the incident and help them recover.”
Post-breach, the primary port of call is to gain rapid visibility to remediate the effects of the incident. To contain the breach, it is important for defense, forensics and recovery teams to run in tandem. “The first step is to isolate the infiltrator and cut off their remote access to the network. This ensures that the channels of exfiltration are shut down, and no further sensitive data is exposed. Simultaneously, our defense team, and possibly an independent forensics team, is deployed to evaluate what has transpired – what is patient zero? – to gain insight into the threat actor’s tools and tactics in order to understand how the initial attack vector led to widespread compromise, and how to block them from a second wave of attack. Detective control landscapes give us insight into how to lock intruders down, deny them access to other elements of the environment and limit and reduce and manage the client’s risk exposure,” states Naidoo.
Thereafter, it is essential to put detective and preventive control measures to leverage network visibility and telemetry intelligence. This means analysing known threats within the network, assessing anomalies within the system, understanding potential data exfiltration, evaluating C2 channels and monitoring the lateral movement of attackers within the environment.
Finally, Naidoo states that communication is the most important aspect of your organisation’s response to a cyber breach. The transparency and efficiency with which you communicate is integral to maintaining your business’ reputation and public trust. The first mistake that many companies make is not communicating at all, or downplaying the situation. “Trying to sweep the issue under the carpet does not help. Fundamental to surviving an attack is how you respond – the real test is how well you communicate, both internally and externally, about how you are remediating and mitigating the risk.”
The second mistake companies often make is communicating too soon. Naidoo says, “In any breach situation, there is naturally pressure from the board and C-suite executives to have all the answers, right now. The shortfall responders fall into is not having all of the facts, but want to provide all of the information possible to assure stakeholders and shareholders. Sharing incomplete information while an investigation is ongoing may end up hurting the brand and erodes trust in the ecosystem around you, as it becomes dubious whether or not you have a grip on the situation. The key is to take the time to collate all of the information to provide accurate feedback. Thereafter, you can communicate that the risk has been contained and managed, and that the company is busy performing a comprehensive investigation around the extent of the breach.”
The third mistake often made in a post-breach strategy is communicating too much. “This can occur when information around your breach is prematurely disclosed through non-official channels. This erodes public trust as it may be viewed as an attempt to disguise the truth,” says Naidoo.
Naidoo concludes that while it is possible to proactively manage the cyberattack by having the right preventative cybersecurity tools in place to shut down data exfiltration and unauthorised access after a cyber breach, the best possible outcome is afforded by already having a proactive cyber approach in place. “In the real-life scenario of a potential assailant considering breaking into your home, an alarm and other security measures are strong deterrents for two reasons: they act as an early warning system enabling you to react appropriately, and prevent a negative event from occurring. The same can be said for cybersecurity: it is paramount to have a strong, end-to-end cyber defense capability in place that proactively manages the risk before a risk event occurs.”