A proactive threat defense is an absolute must in the current cybersecurity landscape. Chief information security officers should put measures in place that can identify suspicious activity and other anomalies in as timely a manner as possible. But when a cybersecurity event is detected, what comes next?
The National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity encompasses the five key functions organizations need to understand and implement to support a more unified data protection stance. In the previous parts of this series, we examined functions including:
Once an enterprise’s CISO and IT stakeholders have an understanding of the key systems in their infrastructure, have worked to protect the delivery of critical services and are able to pinpoint activity related to a cybersecurity event, the next step is to respond to this activity. It’s imperative that this response includes efforts to contain and mitigate the damage, but it’s important to understand that efforts shouldn’t end there.
Today, we’re closely examining the Respond function, which includes the processes CISOs and their teams should follow after threat detection.
Respond: NIST Framework definition
Through the lens of the NIST Framework, the purpose of the Respond function is to establish and put in place the necessary procedures that enable stakeholders “to take action regarding a detected cybersecurity event.” This function builds upon the efforts CISOs and their teams have taken under the Identify, Protect and Detect functions, and encompasses mitigation of the detected threat, as well as other critical steps.
While each part of the framework is critically important, the processes and activities carried out as part of the Respond function can very easily make or break the outcome of a cybersecurity event. Timely detection of the threat is enormously helpful, but moving quickly to analyze the issue, contain the damage and carry out response plans can mean the difference between a large-scale breach and an unsuccessful intrusion attempt.
To respond to a threat appropriately, a few key processes must be planned and put in place ahead of time, so that the CISO can effectively direct efforts and security teams understand their roles and responsibilities in responding to anomalous network activity while safeguarding the business’s most crucial information assets and supporting systems.
Categories included in the Respond function are:
As with the Detect function, timeliness is critical during an organization’s response. Any delay in carrying out response plans and mitigation creates additional opportunities for malicious actors to expand the reach of the threat, make off with stolen data or interrupt key services. For this reason, CISOs must ensure their teams fully understand their roles and responsibilities under the response plans and can carry them out in an expert and streamlined manner.
Responding to today’s threat environment: Targeted attacks
Let’s take a look at a real-world threat that underscores the importance of a quick and decisive response. In the current threat landscape, targeted attacks that home in on a specific victim or industry are becoming increasingly common.
As Trend Micro researchers explained, these cybersecurity incidents can be motivated by an array of different factors, but one of the most powerful and popular goals among hackers is information theft. Malicious actors will focus their efforts against a certain business or group in order to make off with highly sensitive and highly valuable data assets, which can range from company intellectual property to customer data and beyond. Once the target organization is breached, hackers move laterally to support data collection and then exfiltrate the data, which can then be used for further malicious activity like fraud, or sold on underground marketplaces. Overall, 25 percent of all data breaches over the last decade were targeted attacks motivated by information theft.
Targeted attacks can also be driven by espionage, such as when hackers attack and breach the systems of government organizations, activist groups or political groups. A prime example is the hacking group Pawn Storm (APT28, Fancy Bear), which attacked the systems of victims associated with government, security research and political organizations.
Whatever the goal, the potential damage from a targeted attack can be severe, and can include:
Mitigating damage with robust response
Particularly when an organization is the target of an attack, it’s imperative that CISOs are able to expertly direct response efforts in a way that helps prevent the damage described above. Targeted attacks are typically carried out by motivated hackers seeking specific results, but by following through with strong response plans and containing the damage, CISOs and their stakeholders can effectively reduce the level of impact their company incurs.
“It is imperative that an incident response plan as well as an overarching crisis management plan be developed, deployed and tested regularly prior to a cyber attack,” said Ed Cabrera, Trend Micro Chief Cybersecurity Officer. “After all, the cybercriminals attacking your business have thoroughly prepared their attack. Organizations need to respond with the same level of focus, expertise and diligence.”
The NIST Cybersecurity Framework includes one final function: Recover. After CISOs apply the lessons learned as part of their response efforts and work to improve future procedures, it’s essential that they help the company adequately recover from the attack.