08/01/2024

As the festive season fades, you are bored of turkey and the constant repeats on TV, and our focus shifts to the new year and what improvements can be made. One question I have been asked is how a company should respond to an attack. An attack could be social engineering, an exploit of a software vulnerability, or a malicious insider; all can cause immense damage and harm to a company. When this happens, a strong, planned response is needed to stop the attack quickly.
Some organisations will need external assistance, some will already have a prearranged retainer to call on in their time of need, and some will have staff with a plan in place!
If you don't have the resources or the skills in your team, contact your account manager, who will be able to put you in touch with one of our security team or one of our partners if you're under attack and need incident response.
Do you need help preparing your company and team before an attack? Contact your account manager and they can arrange a call with me or the team to discuss areas where we can help mitigate and manage the risk for you before the unfortunate happens.
Some companies reading this will want to go it alone, so I have included some areas to think about in your organisation before, during and after an attack.
Pre-Attack Preparation:
- Backup data:
  - Regularly back up data and verify the integrity of those backups (test that a restore actually works, not just that the job completed).
- Keep systems patched:
  - Ensure all software and operating systems are up to date.
- Protective security:
  - Use antivirus software across all devices and apply network and local firewall policies to restrict user traffic and applications where appropriate.
- Strong passwords and MFA:
  - Ensure strong passwords are used and MFA is enabled across your environment to reduce password-based attacks.
- Have a plan:
  - Should an attack occur, have a documented plan in your organisation, with key stakeholders and users aware of their part in the process.
- Firewall / network:
  - Have a diagram of your network to refer to.
  - Plan firewall rules in advance so that segments of the network can be disconnected as needed.
- Tools:
  - Be prepared by downloading tools in advance and having hardened machines ready for the admin team to use.
During an Attack:
- NCSC guidance:
- Virus scan:
  - Scan your estate for viruses and isolate devices before they are infected. Depending on the type of attack it might be safer to leave devices offline until you have contained the infection.
  - Assign someone in the business to update the users and inform them of the actions required of them.
- Secure your backups:
  - Ensure your backups are safe and disconnected from the potentially compromised networks.
- Immediate isolation:
  - Disconnect non-company-managed devices such as BYOD, NAS drives and IoT equipment from the network; these could be infected or be distributing malware.
  - Disconnect devices from the network that have no business impact (for example, computers that only drive display screens).
  - Contain malware within network segments using firewall rules to restrict traffic and prevent further infection.
  - If machines are being ransomed quickly, it is safer to turn them all off and seek external assistance.
- Identify the problem:
  - Determine the type of malware or ransomware and the extent of the infection. Your AV software should provide the name of the sample.
  - If you have an EDR / XDR service, blocklist the sample's hash and the associated IP addresses / domains.
  - Review firewall traffic and add the IP addresses / domains to your block rule.
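The "Immediate isolation" and "Identify the problem" steps above, as an added Python example that is not code from the original post: it matches constructed firewall log lines against a constructed indicator set (a placeholder IP and domain), lists the internal hosts that reached an indicator so they can be isolated first, and emits block-list entries in a vendor-neutral form. The key=value log format, the indicator values and the hostnames are all assumptions.

```python
"""Triage helper: which internal hosts talked to a known-bad indicator?

All indicators, hostnames and log lines are constructed placeholders
(TEST-NET addresses and a reserved .invalid domain).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicators of the kind your AV / EDR reports for a sample.
IOC_IPS = {"203.0.113.45"}            # placeholder, TEST-NET-3
IOC_DOMAINS = {"c2.example.invalid"}  # placeholder, reserved TLD

# Constructed firewall log lines in an assumed key=value format.
SAMPLE_LOG = """\
ts=2024-01-08T09:12:01Z src=10.0.5.21 dst=203.0.113.45 dport=443 action=allow
ts=2024-01-08T09:12:09Z src=10.0.5.21 dst=198.51.100.7 dport=443 action=allow
ts=2024-01-08T09:13:44Z src=10.0.7.3 dst=203.0.113.45 dport=8443 action=allow
ts=2024-01-08T09:14:02Z src=10.0.9.14 host=c2.example.invalid dport=80 action=allow
ts=2024-01-08T09:15:30Z src=10.0.5.21 dst=203.0.113.45 dport=443 action=deny
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict of its fields."""
    return dict(LINE_RE.findall(line))


def affected_hosts(log_text, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Split indicator hits by firewall verdict: hosts whose connection was
    allowed need isolating first; denied attempts still show infection."""
    allowed, denied = defaultdict(list), defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("dst") in ioc_ips or rec.get("host") in ioc_domains:
            bucket = allowed if rec.get("action") == "allow" else denied
            bucket[rec["src"]].append(raw)
    return dict(allowed), dict(denied)


def block_rules(ioc_ips, ioc_domains):
    """Emit one vendor-neutral block entry per indicator; ip_address()
    rejects mistyped indicators before they reach a firewall."""
    rules = [f"deny ip any {ipaddress.ip_address(ip)}" for ip in sorted(ioc_ips)]
    return rules + [f"deny fqdn any {d}" for d in sorted(ioc_domains)]


if __name__ == "__main__":
    allowed, denied = affected_hosts(SAMPLE_LOG)
    print("Isolate first:", sorted(allowed))
    print("Attempted, denied:", sorted(denied))
    print("\n".join(block_rules(IOC_IPS, IOC_DOMAINS)))
```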
After an Attack:
- Research the attack:
  - How did the attack occur, and why?
  - Are there any ways you can mitigate this in the future?
  - Adopt a vulnerability scanning programme to help mitigate threats in the future.
- Change passwords:
  - Change passwords from a clean, safe machine, especially if credentials could have been compromised or if you are unsure of their status.
- Outsource security:
  - Outsource the management of security for your endpoints and servers with an MDR solution. The team will be able to remove and mitigate threats in your environment.
- Patching:
  - Adopt a patch scanning and update programme for all devices within the network. Having it managed will help reduce your risk.
  - Before reconnecting BYOD devices to the network, ensure they are updated and patched and have been scanned for malware.
- Report the attack:
  - Follow the ICO guidance on UK GDPR data breach reporting (DPA 2018).
Author: Ben Large