Response Readiness

Detection and response to cyber attacks includes the capability to detect an attack that has already succeeded in getting past your existing defences, in order to respond to it effectively and to ensure that it cannot happen again. Detection and response is your best defence against attackers using innovative tactics or a zero-day exploit no one has seen yet. Any gulf between detection and response means that organisations are missing a vital window of opportunity to stop attacks before attackers reach their objective, which could include server encryption, data exfiltration, and ransomware deployment.

Response readiness requires time and investment across people, processes and technology. Before a breach occurs, one needs to think about what aspects of the organisation might be of value to attackers, such as confidential client and employee data, information on intellectual property, mergers and acquisitions, and plans for growth. Then pair that with the endpoints and servers that are critical to the smooth running of the business and which the organisation can't function without. Merging the two guides you towards allocating your cybersecurity investment to defending your most critical assets. This can include endpoint monitoring and backing up business-critical servers. Turnkey vulnerability management platforms like F-Secure's RDR technology can provide you with these capabilities. Preventing cyber attacks includes the ability to defend against traditional threats such as malware, ransomware, spam, and online scams using endpoint protection platforms.
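The merging step above can be made concrete as a small prioritisation script. This is an added example, not code from the article or from any vendor product: the inventory, the data-type weights and the two controls checked (endpoint detection agent, backup) are constructed assumptions, and the script ranks assets by attacker value plus business criticality and then lists the high-priority assets that still lack one of those controls.

```python
# Added example: combine "value to an attacker" with "business criticality"
# and report coverage gaps for the top-priority assets. All data is constructed.

# Assumed weights (0-5) for the kinds of data the article says attackers value.
ATTACKER_VALUE = {
    "client-data": 5, "employee-data": 4, "ip": 5, "m&a": 5, "growth-plans": 3,
}

# Constructed inventory: data types held, criticality to operations (1-5),
# whether an endpoint detection agent is deployed, whether backups exist.
INVENTORY = [
    {"asset": "hr-db-01",   "data": ["employee-data"],      "criticality": 3, "edr": True,  "backup": True},
    {"asset": "deal-share", "data": ["m&a", "client-data"], "criticality": 4, "edr": False, "backup": True},
    {"asset": "erp-app-02", "data": [],                     "criticality": 5, "edr": True,  "backup": False},
    {"asset": "kiosk-07",   "data": [],                     "criticality": 1, "edr": False, "backup": False},
    {"asset": "rd-repo",    "data": ["ip"],                 "criticality": 4, "edr": False, "backup": False},
]


def attacker_value(asset):
    """Highest weight among the data types the asset holds (0 if it holds none)."""
    return max((ATTACKER_VALUE.get(d, 0) for d in asset["data"]), default=0)


def priority(asset):
    """Merge the two views: what an attacker wants plus what the business cannot run without."""
    return attacker_value(asset) + asset["criticality"]


def rank_assets(inventory):
    """Highest priority first; ties broken by asset name for a stable report."""
    return sorted(inventory, key=lambda a: (-priority(a), a["asset"]))


def coverage_gaps(inventory, threshold=7):
    """Assets at or above the threshold that lack endpoint detection or a backup."""
    gaps = []
    for a in rank_assets(inventory):
        if priority(a) < threshold:
            continue
        missing = [control for control in ("edr", "backup") if not a[control]]
        if missing:
            gaps.append((a["asset"], missing))
    return gaps


if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{a['asset']:<12} priority={priority(a)}")
    for name, missing in coverage_gaps(INVENTORY):
        print(f"GAP: {name} is missing {', '.join(missing)}")
```

Raising or lowering `threshold` moves the line between assets that get endpoint monitoring and backups first and those that wait; the ranking itself is unchanged.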

Most modern-day cyber attacks start with an endpoint compromise. This is why deploying an endpoint detection agent before a cyber attack is crucial. It gives responders immediate visibility and data on how the attacker got in, what they have accessed, and what they might be trying to achieve. Every organisation should also allocate a team of 'first responders': the team that is called upon when an incident is suspected. This team of first responders will need to know what steps must be taken to investigate the suspected incident, how to access data and telemetry to confirm whether the incident needs to be escalated, how to manage the incident for the first 48 hours, and when to call in incident response teams, either internally or externally.

First-responder training shouldn't be limited to security people and IT staff. Many different types of staff need to be trained in first response activities, from personal assistants to human resources, office managers, and analysts. One also needs to make sure that the first responder team covers all of your IT estate, including a map of all endpoints, hardware, and software, with clear roles and responsibilities. One also shouldn't ignore the possibility of an organisation's own staff, or ex-staff, intentionally orchestrating cyber attacks on the IT network. As much as there should be legally binding contractual conditions of employment to prevent such possibilities, human nature can't always be predicted, and some people with a bone to pick, or incentivised financially or in other ways by an attacker, may do something very irresponsible without thinking too much about the consequences.