You have been breached
To succeed you need to have very good visibility at the endpoint level as well as at the network level. This helps security teams successfully manage:
- network traffic (e.g. traffic logs, NetFlow, full packet captures)
- endpoint usage statistics, such as process trees, network traffic, memory contents, etc.
Automation and predefined rules can help you detect indicators of compromise; more modern artificial intelligence or machine learning solutions can also be used to produce behaviour-based alerts. This is especially needed when the attacker is not directly utilising previously known methods. In fact, skilled attackers are able to carefully cover their tracks and do not need to apply much brute force, which helps them avoid detection through, for example, increased traffic volumes.
Use a structured approach to perform what is commonly known as ‘Red Team’ testing: essentially, working with a trusted partner, preferably a skilled and trusted security company, that attempts to break into your environment. This will help you test your security controls and uncover any issues or shortcomings in your protection systems.
Risk management perspective
From a risk management perspective, cyber risk scenarios need to be included in both Disaster Recovery planning and other company crisis exercises. Once you have completed a major cyber incident crisis exercise, you are better prepared for such an attack if it were to occur in reality.
It is worth noting that larger cyber incidents often happen by surprise and are executed in a way that you were not expecting. The truth is that you cannot train for every possible scenario; however, a good practice is to prepare for various situations, practise handling them, and test for attacks regularly. This will increase confidence in your system for when an actual cyber incident happens.
“Prevent Breach” mindset
In closing, it is important to note that the “Prevent Breach” mindset remains vital, as this is most definitely still needed. Companies must have good preventive security controls in place, e.g. security patching, malware protection and firewalling. These are fundamental requirements that have not gone away; they are still mandatory.
By applying both of these approaches, companies can increase their preparedness for a cyber attack and their capability to reduce the impact of an incident when it occurs.
Note that it is an essential and valuable practice to regularly test and verify that your existing prevention systems are in working order. This will help you evaluate how detection and response would work in practice if you were attacked today.