David Stubley Chief executive 7 Elements
At 7 Elements, we manage security incidents for our clients that cover a broad spectrum of threats, from highly capable advanced persistent threats through to opportunistic and untargeted attacks using commonly available exploit code. All incidents are unique and 7 Elements believe that preparation is key to any incident response.
However, it can be difficult for organisations to anticipate what exactly will be required in the event of an incident. For many, incident response procedures tackle scenarios identified through business continuity risks or following internal incidents. This results in an inward focus that leaves incident management procedures lacking.
An inward focus does not effectively anticipate the full suite of scenarios that an organisation may face during an incident as it does not take into account the evolving threat landscape and changing external environment. Without placing incident response measures in this dynamic external context, organisations may find their response measures lacking in the face of current attacks.
Gaining information about factors external to your organisation, such as threats, is a challenge, but organisations have an opportunity to gain insight by carrying out reviews of incidents that have made the headlines.
Groups conducting attacks, whether for financial gain or other motives, will frequently use the same methods of compromise. This is demonstrated in the recent attacks on the electronic point-of-sale systems in the US retail sector and the ongoing use of targeted phishing e-mails to gain access to corporate networks, among others.
The use of similar methods by attackers means organisations have an opportunity to identify attack approaches and vulnerabilities that could be applicable to them. Organisations should therefore look to use the experiences of others within their sector to enhance their own incident management procedures.
While the full details of an incident will not be publicly available, organisations can gain insight into the incidents of others through information-sharing forums and employees’ individual relationships with their counterparts in other organisations.
It is likely that an organisation will be able to gain sufficient information to identify the vulnerabilities exploited by attackers and key attack vectors. This information can be used to review the incident and determine if the organisation is itself vulnerable to such an attack. Organisations should therefore conduct reviews of incidents that impact other similar organisations.
Once an organisation has identified whether it is vulnerable to a similar incident, it can then identify potential attack scenarios and play these out within the context of their environment. This is often done through security testing and red teaming.
An organisation will then be able to understand whether it has sufficient controls in place to prevent an incident and test their effectiveness in the context of a similar attack. By keeping abreast of the threat landscape, spotting trends within relevant industries and reacting to the external environment, organisations will be able to plan effectively for incidents.
Taking the time before an incident occurs to prepare correctly will inevitably lead to a robust and fit-for-purpose approach to cyber security-related incidents, and in the event of such an incident, the ability to respond effectively and rapidly.
So, on the basis of learning from others, the two key questions that all chief executives and chief information security officers should be asking on a regular basis are “Are we vulnerable to the attacks being reported in the media?” and “If we were compromised, would an attacker be able to gain access to unencrypted sensitive data?” Each question should then be followed with “What assurance activity have we done to confirm this position?”
By learning from others’ misfortunes, organisations may be able to avoid the pain of going through a similar experience and should an attack occur, organisations will have taken the time to develop resilient incident response measures with which to tackle these anticipated threats.
7 Elements are an approved government provider of penetration testing and has recently been named 2016 SME Cyber Defender of the Year for their incident response services. For more information please visit www.7elements.co.uk
