Process #2: Incident Response
Today I want to write to you about the challenges presented by this new (hopefully temporary) COVID-19 reality. There are many aspects to this, but I would like to draw your attention to Incident Response: Is your company (still) prepared when a security incident occurs?
When you are following the government directives, as we do at Orange Cyberdefense, you are probably at home. You are working hard to keep productivity up and you try to stay in touch with your colleagues. At first, it was a bit of an adjustment, but by now you are getting the hang of it. Your operational team has provided remote access for you, and you and your team are managing to keep the projects moving forward.
But what would happen if things suddenly started going south? What if someone got phished? What if a hacker managed to get in? What if ransomware started trashing your file server? The world has seemingly slowed down due to the quarantine measures, but the bad guys certainly have not. Are you still ready to handle security incidents?
What are the challenges?
The sudden quarantine measures have brought a lot of change to many companies. Working remotely has become the default, and only a minority of employees are allowed at the office. This has created an immediate need for company-wide remote access capabilities. Business must continue, and IT should accommodate, but frugally of course, since we all need to watch our spending in these times of crisis. Did everyone make sure to take security into account? Did we deploy a VPN, or did we just enable straight RDP access? (Shodan suggests quite a few chose the latter: the number of RDP-enabled endpoints exposed to the internet is up by 46%.) Did we give everyone a company-managed computer to use for working remotely, or are we allowing unsecured home devices to access our network and data?
It might be tempting for some to shrug at security, claiming that these unprecedented circumstances justify ‘temporary’ workarounds. But I think we all know that:
1) this situation will last for a while and
2) these workarounds might be a hearty invitation for hackers to come in and make themselves comfortable on your servers.
The bad guys are, after all, used to working remotely. Unfortunately, we are not:
- We are used to being able to go to our colleague's desk to ask questions.
- We are used to going down to the server room to check up on one of the servers that is not responding.
- We are used to being able to quickly pull the team together when something seems amiss.
We have to face the fact that we are currently operating with a disadvantage. On the one hand, the switch to remote has inevitably increased the attack surface. And on the other hand, we are forced to work 100% remotely, which is something we are absolutely not used to, and often not prepared for either.
So ask yourself these questions:
- Would you notice malicious activity as quickly as you normally would?
- Would your security team know how to react to incidents right now?
- Would they be able to do what they are supposed to do remotely?
- How long would it take now to recover from an incident?
I assure you, however, that although it might all seem daunting at first, there is by no means a reason to panic. The situation presents a challenge for you and your team to overcome. It will make your team stronger and might be a driving force to realize some beneficial best practices.
What can you do?
Security professionals are working overtime these days to handle and check all these sudden changes. Here are some tips on how to start surmounting the challenges presented by the current circumstances.
1) Review or create your Incident Response Plan
First of all, if you currently have no Incident Response Plan, it is time to start drafting one. Having this document present and ready is what makes the difference between a short disruption and a major outage. Your incident responders would eventually be able to resolve the incident without an upfront plan, but it will probably take them longer, and precious time might be wasted before the response actions have an impact.
If you do have an incident response plan, you should review it, keeping the current circumstances in mind. The majority of the plan will probably remain the same, but practical adjustments might be required. Here are some example questions you can use for the review process:
- Does everyone have access to the incident response plan while working remotely? Would they still have access to it if the internal network was no longer reachable?
- What about network documentation?
- Do you rely on paper documentation at some point in the procedure? How will this be accessed?
- Can all actions in the incident response plan be executed remotely?
- Can you still quarantine whichever server needs to be quarantined remotely?
- What if the internal network was no longer reachable?
- Is there someone on-site?
- Could you send someone on-site if needed? Who? Just one? A team? What about social distancing?
- How is the redundancy in your IT team? What if one or more key persons fell ill?
2) Adjust your communication channels
Communication is key when working remotely, whether you are doing your day to day tasks or handling a critical incident. You do not want team members doing double work, and neither do you want vital information to get lost in between communication channels.
Here are some tips:
- Set up a digital war room:
  - Centralize incident response team communication using a tool like Teams or Slack.
  - Centralize collected information: create a single source of truth.
- Create clear communication channels and use them to keep the team up to date at regular intervals, for example through regular update meetings in Teams, Skype, etc.
- Provide regular and proactive feedback to stakeholders and customers: doing so indicates that you are taking hold of the situation and will minimize tickets and interruptions.
- Transparency: during an incident, you want to operate as efficiently as possible. Yes, your incident response team might come in contact with sensitive information, but you cannot let that stop the investigation. Time is of the essence.
- Document: Make sure everything and anything related to the incident is documented and make it available to the whole team during and after the incident. Real-time collaboration tools can be a great addition for this.
3) Review your backup
The first question in most incidents is this: "How are your backups?" Make sure your backup plan still covers all essential data and systems.
- If you have offline backups (which is awesome, by the way):
  - How would you recover from them?
  - How are you currently handling your offline backups?
  - Is human intervention required?
  - Are these backups still being created?
- Is everything still being backed up regularly?
- Users might be keeping more essential data locally on their mobile systems, which are no longer regularly connecting to your internal network. Are these systems being backed up?
- Can you still restore backups while working remotely?
4) Adjust to the increased attack surface
Make sure that none of the changes made to allow teleworking have compromised security in any way.
- Are employees connecting to your network from home? How are they connecting?
- Are new technologies being used for these connections? Did you make changes to existing technologies?
- Where are employees connecting from? Are they using company-managed devices or private devices?
- Are you actively managing the remote devices? Are they receiving their patches? Anti-virus signatures?
- How did you provide access to internal services? (e.g. ticketing service) Are they now reachable from the internet by anyone or is something like VPN required?
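One way to answer the last question for your own perimeter is to check which remote-access ports your public hosts actually answer on, the same view Shodan has of you. The script below is an added example, not part of the original post and not an Orange Cyberdefense tool. The port-to-service table is an assumption about which services belong behind a VPN, and the target list is a placeholder (127.0.0.1, so the script runs stand-alone); replace it with your own public address ranges, and only scan addresses you own or are authorized to test.

```python
"""Check which of your own internet-facing hosts answer on remote-access ports.

Added example. Only scan addresses you own or are authorized to test.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumption: these services belong behind a VPN gateway and should never be
# directly reachable from the internet. Adjust the table to your own policy.
REMOTE_ACCESS_PORTS = {
    3389: "RDP",
    445: "SMB",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
    22: "SSH",
    23: "Telnet",
}


def tcp_open(host, port, timeout=1.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(hosts, ports=REMOTE_ACCESS_PORTS, timeout=1.0, workers=32):
    """Connect-scan every host/port pair; return {host: set(open ports)}."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda hp: tcp_open(*hp, timeout=timeout), targets))
    open_ports = {h: set() for h in hosts}
    for (host, port), is_open in zip(targets, results):
        if is_open:
            open_ports[host].add(port)
    return open_ports


def findings(open_ports, ports=REMOTE_ACCESS_PORTS):
    """Reduce scan output to (host, port, service) triples that violate the policy."""
    return [(host, port, ports[port])
            for host, opened in sorted(open_ports.items())
            for port in sorted(opened) if port in ports]


if __name__ == "__main__":
    # Placeholder target so the script runs stand-alone; replace with the
    # public address ranges your company actually owns.
    hosts = ["127.0.0.1"]
    exposed = findings(scan(hosts))
    if not exposed:
        print("no remote-access services exposed on", ", ".join(hosts))
    for host, port, service in exposed:
        print(f"{host}:{port} ({service}) answers directly: put it behind the VPN")
```

A connect scan only tells you that something answers on the port; follow up on every hit by confirming which system it is and whether a VPN was supposed to be in front of it. Remember that a TCP timeout is not proof of absence: a firewall that silently drops packets looks the same as a closed port.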
5) Check monitoring, detection and response capabilities
As your attack surface increased, you need to adjust your monitoring as well, so you can detect security events and incidents as soon as possible. You should also make sure you can still keep an eye on the mobile endpoint devices.
- Are you still monitoring devices that are not connected to your internal network?
- Have you enabled logging/monitoring on the new technologies you have implemented? Is anyone keeping tabs on them?
- Can you still perform remote interventions on mobile endpoint devices?
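As an added example that is not part of the original post, here is detection logic for the newly exposed RDP access, run over constructed Windows Security event records. Windows records a failed logon as Event ID 4625 and a successful one as 4624, and Logon Type 10 (RemoteInteractive) identifies RDP sessions. The sample events, the failure threshold and window, and the assumption that legitimate VPN clients arrive from 10.8.0.0/24 are all made up for the example; in practice you would feed it events exported from your SIEM or collected through Windows Event Forwarding.

```python
"""Flag RDP brute force, success after brute force, and RDP from outside the VPN.

Windows Security log: Event ID 4625 = failed logon, 4624 = successful logon,
Logon Type 10 = RemoteInteractive (RDP). The sample events are constructed.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, event ID, logon type, account, source IP.
SAMPLE_EVENTS = """\
2020-04-06T08:00:01 4624 10 alice 10.8.0.12
2020-04-06T08:02:10 4625 10 administrator 198.51.100.7
2020-04-06T08:02:11 4625 10 administrator 198.51.100.7
2020-04-06T08:02:12 4625 10 admin 198.51.100.7
2020-04-06T08:02:13 4625 10 bob 198.51.100.7
2020-04-06T08:02:14 4625 10 bob 198.51.100.7
2020-04-06T08:02:20 4624 10 bob 198.51.100.7
2020-04-06T09:15:00 4625 10 carol 10.8.0.33
2020-04-06T09:15:30 4624 10 carol 10.8.0.33
2020-04-06T10:00:00 4624 2 dave 127.0.0.1
"""

FAIL_THRESHOLD = 5              # this many failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)   # ... within this window count as brute force
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")  # assumption: VPN client pool


def parse_events(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW, vpn_pool=VPN_POOL):
    """Return (kind, source_ip, timestamp, detail) alerts in time order."""
    alerts = []
    recent_failures = defaultdict(deque)  # source IP -> timestamps of failures
    bruteforce_reported = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fell outside the sliding window
        if ev["id"] == 4625:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in bruteforce_reported:
                bruteforce_reported.add(ev["src"])
                alerts.append(("rdp_bruteforce", ev["src"], ev["ts"],
                               f"{len(q)} failed RDP logons within {window}"))
        elif ev["id"] == 4624:
            if len(q) >= threshold:
                # A success right after a burst of failures is the one to chase.
                alerts.append(("rdp_success_after_bruteforce", ev["src"],
                               ev["ts"], f"account {ev['account']}"))
            if ipaddress.ip_address(ev["src"]) not in vpn_pool:
                # Direct RDP from a non-VPN address means the service is exposed.
                alerts.append(("rdp_from_outside_vpn", ev["src"], ev["ts"],
                               f"account {ev['account']}"))
    return alerts


if __name__ == "__main__":
    for kind, src, ts, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {kind:<30} {src:<16} {detail}")
```

On the sample data the script raises three alerts, all for 198.51.100.7: a brute-force burst, the successful logon that follows it, and the fact that the session did not come through the VPN pool at all. Carol's single typo before a successful VPN logon stays silent, which is the point of using a threshold and a window rather than alerting on every 4625.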
6) Prepare to return to normal
This COVID-19 crisis will (hopefully) not last forever, so we should be prepared for the return to the normal situation. A lot of (mobile) endpoints are currently scattered across the country, for example in employees' homes, but these devices will come back into the corporate network when all of this is over. Unless you have been able to implement impeccable endpoint protection, detection and monitoring on those devices, you have to assume that some of them might return in a compromised state. You should consider how you will handle this, and how you will mitigate the security risk that these devices represent at that time. There is no single, perfect solution for this, but one possibility would be a staged return combined with measures that allow your IT security team to isolate and check every device before it is fully connected to the network.
7) Review your insurance
This final remark might seem trivial, but more and more companies have been signing up for cyber insurance. We recommend checking the details of the contract to make sure you fulfill the required conditions, and the insurance will be applicable under the current circumstances.
You should also verify that if your insurance includes an emergency hotline and incident response service, you will still be able to make use of their services during the quarantine measures.
How can we help?
If you are unsure about something, feel free to pop a question to my colleagues or me, we are happy to help you out.
My colleagues at Orange Cyberdefense have written an interesting report on security during this COVID-19 crisis. You can find it here: https://orangecyberdefense.com/be/white-papers/covid-19-a-biological-hazard-goes-digital/. I highly recommend reading it; it contains a lot of useful tips and insights, as well as some indications of what the future may hold.
Furthermore, Orange Cyberdefense can:
- Advise you on your incident response plan, or help you create it;
- Review your security measures, advise on improvements, and help implement them;
- Help you detect and respond to security incidents through our Cyber Defense Center;
- Be there in your time of need: 24/7 Incident Response Hotline: +32 3 808 21 92