Cyber attack on your company? This is how to react correctly in an emergency!
by Tina Siering
Tip #1 for emergencies: Never pay a ransom!
A very popular (and financially lucrative) variant of cybercrime is encryption and extortion through ransomware. Companies, but also municipalities such as the Anhalt-Bitterfeld district, have increasingly become the focus of such attacks in recent years. Ransomware is malware that initially infiltrates the IT system unnoticed in order to encrypt important data at a certain point in time. The attackers then make the release of the data dependent on a ransom payment.
If ransomware has undermined your IT network's security measures and you cannot access your data, you should still remain calm. Think strategically about possible next steps instead of paying the ransom. After all, paying does not guarantee that you get your data back - and if you pay, you are doing exactly what the cybercriminals want, encouraging them to strike again.
The correct procedure for responding to a successful ransomware attack consists of several steps. First, it is necessary to find the infection path and prevent further infection. Second, the affected system must be rebooted. Afterwards, the data can be restored from existing backups. As a precaution, this means that regular backups must be made and that these backups must also be partitioned off accordingly, e.g. in separate VLANs, so that the ransomware cannot reach them.
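Before a backup is used as the restore source in the last step above, a responder has to know that the ransomware did not reach it. The following Python script is an added example (not code from the original article) of one way to check that: a hash manifest is recorded at backup time and kept on the isolated backup segment, and at restore time every file is compared against it, with a Shannon entropy check flagging modified files whose content looks encrypted. The directory layout, file names and the 7.5 bits-per-byte threshold are constructed assumptions.

```python
"""Backup integrity check before restoring after a ransomware incident.

Added example, not code from the original article. It assumes the backup is a
directory tree on an isolated host and that an off-line copy of the manifest
(written when the backup was taken) is available; the manifest format here is
constructed for the example.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_manifest(root: Path) -> dict:
    """Record a SHA-256 per file at backup time. Store the result on the isolated
    backup network, so an attacker on the production VLAN cannot rewrite it
    together with the data."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup against the manifest and return the findings a
    responder needs before choosing this backup as the restore source."""
    findings = {"modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        path = root / rel
        if rel not in present:
            findings["missing"].append(rel)
            continue
        if sha256_file(path) != digest:
            findings["modified"].append(rel)
            # A changed file whose content is near-random is a strong sign of
            # encryption rather than a legitimate edit (threshold is an assumption).
            if shannon_entropy(path.read_bytes()[:65536]) > 7.5:
                findings["high_entropy"].append(rel)
    findings["unexpected"] = sorted(present - manifest.keys())
    findings["restorable"] = not (findings["modified"] or findings["missing"])
    return findings


def demo() -> dict:
    """Constructed scenario: a small backup is taken, then one file is overwritten
    with random bytes (as ransomware would leave it) and a ransom note appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "payroll.csv").write_text("id,amount\n1,1000\n" * 200)
        (root / "readme.txt").write_text("quarterly backup\n")
        manifest = build_manifest(root)

        (root / "finance" / "payroll.csv").write_bytes(os.urandom(8192))
        (root / "README_DECRYPT.txt").write_text("your files are encrypted\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In the constructed scenario the payroll file shows up both as modified and as high-entropy, the ransom note as an unexpected file, and `restorable` is false, which is exactly the signal that this copy must not be used and an older, untouched generation has to be chosen instead.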
Tip #2 for emergencies: Act tactically instead of reacting haphazardly
Cyber criminals rely on the element of surprise and hope to hit unprepared companies. The fatal thing is that it takes an average of six months for the compromise of a system or network to be detected. Once your network is affected, the key is to act quickly. That's why your IT department should have a plan ready that allows far-reaching decisions to be made in a short period of time. Such a cyber emergency plan saves your employees from chaos in the early stages of a successful cyber attack and enables a considered response.
The typical contingency plan aims to ensure that no additional damage can be done to the network after a cyber attack has been detected. To achieve this, parts of the IT infrastructure or even all systems must often be taken offline temporarily and at the same time. One important item in the contingency plan (also called an incident response plan) is the guest network. Guest networks should be deactivated as a first-aid measure to prevent malicious code from spreading via the open WLAN or guest devices.
A properly prepared incident response plan ensures that the in-house IT security team is informed in sufficient detail to execute measures independently. In an emergency, timely responses are often essential, so having to obtain permission from a higher-level department first would be a hindrance. Consequently, all decision-making paths and competencies should already be defined before the emergency. To do this, define authority for high-impact decisions, such as shutting down mission-critical systems, in writing in advance. This document must be confirmed by the company management. It should also name deputies who will take action if certain IT specialists are not available on the day of the cyberattack.
Tip #3 for emergencies: Keep an eye on all system levels
Both preventively and in acute cases, it is important to protect the entire IT infrastructure with efficient early attack detection, such as Allgeier secion's Active Cyber Defense (ACD) service. The 24/7 threat hunting and incident response service proactively and continuously analyzes the corporate network for anomalies. In the event that systems are compromised, the company is informed immediately and receives concrete recommendations for action from the ACD team to avert damage from the attackers.
The goal is to ensure that no malicious code can operate unnoticed at a system level that has received little attention. Continuous monitoring of all levels therefore serves to detect and eliminate cyber threats at an early stage. In organizations that fail to do so, malware can remain undetected in the system for the six-month period mentioned earlier. That is more than enough time for it to harvest data, spread to other system layers and play into the attackers' hands. Time is THE critical factor! After all, by the time the cyberattack is finally discovered, it may already have caused widespread damage. To avoid such scenarios, effective tools (hardware and software) for regular monitoring of all system levels are part of the cyber attack prevention plan, so that threats are detected immediately and the critical time gap between "protection" and "response" is minimized.
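Monitoring at the file-server level is one place where a ransomware run becomes visible long before the ransom note is read. The following Python script is an added example (not from the original article and not part of any Allgeier secion service) of a simple detection rule over file audit events: an account that renames many files to typical ransomware extensions within a short window, or drops a ransom-note file, raises an alert. The log line format, field names, extension list, window and threshold are constructed assumptions that would be adapted to the real audit source.

```python
"""Detection rule for ransomware-like file activity in file-server audit logs.

Added example, not from the original article or any vendor product. The log
format, field names and thresholds are constructed assumptions; adapt the
parser to the real audit source (e.g. Windows file-access events, Samba
full_audit, or an EDR file-event feed).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed line format: "<iso-timestamp> host=<h> user=<u> action=<a> path=<p>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>\S+)$"
)
# Extensions that legitimate workflows rarely produce in bulk (constructed list).
SUSPECT_EXT = (".locked", ".crypt", ".enc", ".encrypted")
# File names typical of ransom notes (constructed pattern).
NOTE_RE = re.compile(r"(readme|how_to|decrypt|recover_files)[^/]*\.(txt|html)$")
WINDOW_SECONDS = 60      # sliding window per account
RENAME_THRESHOLD = 20    # suspect renames within the window that trigger an alert


def parse(line):
    """Parse one audit line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect(lines):
    """Return alerts as (rule, user, host, timestamp) tuples.

    A burst of renames to suspect extensions within WINDOW_SECONDS by one
    account on one host fires once; every ransom-note creation fires once."""
    alerts = []
    recent = defaultdict(deque)   # (user, host) -> timestamps of recent suspect renames
    fired = set()                 # accounts that already raised the burst alert
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["user"], rec["host"])
        path = rec["path"].lower()
        if rec["action"] == "create" and NOTE_RE.search(path):
            alerts.append(("ransom_note_created", rec["user"], rec["host"], rec["ts"]))
        if rec["action"] == "rename" and path.endswith(SUSPECT_EXT):
            q = recent[key]
            q.append(rec["ts"])
            # Drop events that fell out of the sliding window.
            while (rec["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append(("mass_rename_burst", rec["user"], rec["host"], rec["ts"]))
    return alerts


def sample_log():
    """Constructed audit lines: normal user activity, then a 25-file burst by a
    service account followed by a ransom note."""
    lines = [
        "2024-03-01T08:00:00 host=fs01 user=anna action=write path=/share/finance/q1.xlsx",
        "2024-03-01T08:00:05 host=fs01 user=anna action=rename path=/share/finance/q1_final.xlsx",
    ]
    for i in range(25):
        lines.append(
            f"2024-03-01T08:10:{i:02d} host=fs01 user=svc_backup "
            f"action=rename path=/share/hr/doc{i}.docx.locked"
        )
    lines.append(
        "2024-03-01T08:10:30 host=fs01 user=svc_backup action=create path=/share/hr/README_DECRYPT.txt"
    )
    return lines


if __name__ == "__main__":
    for rule, user, host, ts in detect(sample_log()):
        print(f"{ts.isoformat()} {rule}: user={user} host={host}")
```

On the constructed log the burst alert fires at the 20th rename (08:10:19), eleven seconds before the ransom note is even written, which is the kind of lead time the article's "critical time gap" refers to. In a real deployment the alert would feed the contingency plan's first-aid steps: isolate the host and disable the account the events came from.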
Tip #4 for emergencies: Change passwords and access!
"Change your password!" is one of the best-known tips after a cyber attack. What applies to the private e-mail account also applies on a larger scale to corporate networks. Therefore, this topic is an important item in your cyber contingency plan. When changing credentials, as with the other actions taken after a successful hacker attack, speed is of the essence.
Stolen passwords, access codes and hijacked email accounts lend themselves well to cyber criminals to wreak maximum havoc in an attack. That's why a strategy must be ready to go that describes how, for example, employees can get replacement passwords while corporate IT is in emergency mode. In addition, responsibilities should be clear and deputies should be known who will change access data and send replacement passwords by secure means in the event of an attack.
Tip #5 for emergencies: Better precaution than aftercare
Those who take precautions in the area of Incident Response Readiness (IRR) are not caught off guard. In a well-prepared company, a successful cyber attack causes significantly less damage, if any at all. A good cyber defense strategy enables the corporate IT security team to detect security incidents as quickly as possible at any time.
Developing and implementing such a strategy is a comprehensive process. For many companies, it is worth booking an IR workshop in this context. In this, cyber security experts make suggestions for concrete possible preparatory measures that fit the company. In this way, the individual cyber emergency plan can become an effective tactical tool for prevention.
For example, such a plan should also consider the impact of a cyber attack that strikes at the end of the month. If the systems required for payment processing are affected as well, it is not only value creation that comes to a standstill: salaries cannot be paid and invoices cannot be settled, which can have serious consequences. To avert these, an emergency plan can contain organizational arrangements for such cases.
Conclusion on cyberattacks on companies
Cyberattacks on businesses and organizations are a worldwide phenomenon. Even in large enterprise networks, malware is still overlooked for far too long. By the time the attack is discovered, criminals can do great damage, such as encrypting data or rendering network areas unusable. To minimize the damage of a successful cyber attack, a well-developed, ready-to-go cyber contingency plan is worth its weight in gold. It explains the steps needed to respond quickly to a hacking attack in a way that can be carried out even in the turmoil of an attack on the business. With good preparation through incident response readiness, companies proactively prepare for emergencies: employees have built up the necessary expertise through training to respond appropriately to the security incident, clear procedures for various emergency scenarios have been established, and responsibilities are clearly assigned.