CYE Insights

6 Important Lessons Learned from an Incident Response

February 8, 2023

A true story of how a prominent international tech company was attacked by ransomware—and what it took for the company to recover.  

The cyber incident occurred right before Christmas, which is not unusual. Often, malicious actors plan to attack right before or during a holiday, or weekends when many employees are on vacation. Consequently, it takes longer for the company to detect the problem and take action—which is exactly what happened here.  

What Went Wrong 

The problems started with notifications about failed backup processes and antivirus alerts. Within hours, the servers stopped working and all data was encrypted. In time, it became clear that a known ransomware group was behind the attack, and they had succeeded in stealing sensitive data and encrypting most of the company’s computers and systems. Customers could not pay bills or check their account status online, and employees were completely shut out of systems.  

Later, it was discovered that the attackers had infiltrated the systems by exploiting an undisclosed weakness in the phone system and then planting a backdoor on the network. The company found and patched that weakness in the meantime, but too late: the backdoor was already in place, and the group remained quietly on the company’s network for five months, waiting for the opportune time to strike.  

In addition, the CISO had no visibility into the day-to-day practices of the IT and security teams. For example, phone systems, printers, and cameras, all of which can significantly increase an organization’s attack surface, were not adequately secured. 

What Really Went Wrong 

The incident was exacerbated by the company’s poor cyber hygiene: an Excel file containing hundreds of credentials for systems and servers existed in the environment, and the company had no logging from its client systems (endpoints). In addition, employees were free to download and install whatever they wanted, which increased the risk of introducing malware onto endpoints, including laptops that connected to the corporate network on a daily basis.  

Yet the main problem was that neither the company nor its IT partner had a clear idea of how to respond effectively. The first hours, which are the most crucial in incident response, were spent working out what had happened, who the major players were, and what needed to be done to recover and to start collecting the artifacts an IR investigation needs. Precious time was wasted, and as a result it took nearly ten days to get the systems functioning again.  

What can be learned from this incident response? Here are 6 important takeaways. 

1. Prepare your plan. 

When it comes to incident response, companies must adopt the attitude of “not if, but when.” Although we would prefer to think otherwise, it is quite possible that your company will be the victim of a cyberattack, so it is important to be prepared. This means having a SIEM and log retention in place that reach as far back as possible (the attackers here had five months of dwell time, so a few weeks of logs would not have shown the initial intrusion), and having an incident response playbook that specifies the people, technologies, and procedures involved. The playbook should be reviewed regularly, and the process should be internally certified. It also means conducting IR engagement readiness and crisis management readiness exercises. Being prepared means that in the event of a cyber incident, your company will be able to respond swiftly.  
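As an added illustration of the kind of correlation a SIEM should be doing for you, here is a small Python example written for this article (it is not CYE’s code or a product feature). It replays the early signals of this incident: it parses constructed log lines from a backup system and an antivirus and flags any two-hour window that contains repeated backup failures together with an antivirus alert. The log format, host names, field names and thresholds are all assumptions made for the example.

```python
"""Correlate ransomware precursors (backup failures + antivirus alerts).

Added example for this article; not code from the original post or from CYE.
The single-line log format "<ISO timestamp> <source> <host> key=value ..." and
every host name, field name and threshold below are assumptions made here.
"""
from datetime import datetime, timedelta

# Constructed sample lines modelled on the sequence the article describes:
# several nightly backup jobs fail, and antivirus alerts follow within minutes.
SAMPLE_LOGS = """\
2022-12-21T02:00:00Z backup FS01 job=nightly status=OK
2022-12-22T01:10:05Z backup FS01 job=nightly status=FAILED reason=access_denied
2022-12-22T01:12:40Z backup FS02 job=nightly status=FAILED reason=vss_error
2022-12-22T01:15:02Z av WS17 alert=Trojan.Generic action=quarantined
2022-12-22T01:20:33Z av FS01 alert=Ransom.Generic action=detected
2022-12-22T01:21:10Z backup FS03 job=nightly status=FAILED reason=access_denied
2022-12-22T03:05:00Z av WS02 alert=Adware.Generic action=quarantined
"""

WINDOW = timedelta(hours=2)      # how long after the first failure we keep looking
MIN_BACKUP_FAILURES = 2          # one failed job is routine; several at once is not
MIN_AV_ALERTS = 1                # any AV hit in the same window raises the finding


def parse_line(line):
    """Split one log line into a dict: ts, source, host, plus the key=value fields."""
    ts, source, host, rest = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "source": source,
        "host": host,
        **fields,
    }


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_backup_failure(event):
    return event["source"] == "backup" and event.get("status") == "FAILED"


def is_av_alert(event):
    return event["source"] == "av"


def find_precursor_clusters(events, window=WINDOW,
                            min_backup=MIN_BACKUP_FAILURES, min_av=MIN_AV_ALERTS):
    """Return one finding per window that starts at a backup failure and,
    within `window`, contains at least `min_backup` failures and `min_av`
    antivirus alerts. Overlapping windows are collapsed into the first one."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    covered_until = None
    for i, start in enumerate(events):
        if not is_backup_failure(start):
            continue
        if covered_until is not None and start["ts"] <= covered_until:
            continue  # already reported as part of an earlier window
        end = start["ts"] + window
        in_window = [e for e in events[i:] if e["ts"] <= end]
        failures = [e for e in in_window if is_backup_failure(e)]
        alerts = [e for e in in_window if is_av_alert(e)]
        if len(failures) >= min_backup and len(alerts) >= min_av:
            findings.append({
                "start": start["ts"].isoformat(),
                "backup_failures": len(failures),
                "av_alerts": len(alerts),
                "hosts": sorted({e["host"] for e in failures + alerts}),
            })
            covered_until = end
    return findings


if __name__ == "__main__":
    for f in find_precursor_clusters(parse_logs(SAMPLE_LOGS)):
        print(f"precursor cluster from {f['start']}: "
              f"{f['backup_failures']} backup failures, {f['av_alerts']} AV alerts "
              f"on {', '.join(f['hosts'])}")
```

In a real SIEM this would be a scheduled correlation rule rather than a script, but the two design decisions are the same: the window length and the thresholds have to be tuned to how often backup jobs fail in your environment on a normal night, and the rule is only as good as the sources feeding it, which is why the missing endpoint logs in this incident mattered so much.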

2. Establish communications and responsibilities. 

The speed at which an incident response takes place can make a vast difference in terms of limiting damage. The first hours are critical, but they can be chaotic, as they involve law enforcement, public relations and legal teams, your cyber insurance provider, and IT and forensics teams. Clearly, this should not be the first time that these teams are meeting. It helps the process greatly if there is already a plan in place that establishes clear lines of communications and responsibilities.  

3. Perform regular backups. 

It may seem obvious, but many companies still fail to back up their systems frequently enough. Having usable backups can make the difference between a quick and a lengthy recovery. Two caveats from this incident: keep at least one copy offline or otherwise immutable, so that an attacker who has reached the production network cannot encrypt or delete it along with everything else, and treat failed backup jobs as a security signal, since here they were the first warning that something was wrong.

4. Practice cyber hygiene.

In addition to backups, organizations can significantly strengthen their security posture by maintaining good cyber hygiene. This includes, for example, enabling multi-factor authentication and using password managers, limiting user permissions with access control, patching regularly, encrypting sensitive data, and having secure remote access. It’s also a good idea to regularly perform cyber risk assessments to uncover cyber gaps and plan mitigation. These are all examples of best practices that can minimize the risk of operational interruptions, compromised data, and data loss.   

5. Separate your networks where possible. 

Network segregation can significantly help organizations limit the damage from most attackers by making it harder for them to move through your systems. It restricts how far an attack can travel within the network and isolates vulnerable endpoints, such as the phone systems, printers, and cameras mentioned above, thus limiting the exposure. The trick, however, is to make sure that the networks are separated before a cyber incident takes place, so that damage can be contained.   

6. Train your employees. 

Security awareness training can help reduce the risk of a cyber incident by educating employees about the threats they face and how to respond to them. For example, they should be instructed not to download software from untrusted sources or visit suspicious websites, and to recognize and not respond to phishing attempts. This can have a significant impact on keeping your company safe.   

How CYE Can Help 

CYE’s Critical Cyber Operations group provides organizations with Cyber Threat Intelligence (CTI) assessments that identify potential attackers and their motivations, possible targets within an organization, and the potential exposure resulting from such attacks. Critical Cyber Operations also provides incident response and crisis management services to assist companies with recovering from a cyberattack.  

To prevent such incidents, CYE’s cybersecurity optimization platform, Hyver, combines technology with red team activity to deliver the most comprehensive organizational security assessments and contextual risk analysis and insights. Using Hyver, businesses can assess, quantify, and mitigate cyber risk so that they can make better security decisions and invest in effective remediation.  

By Elad Leon

Senior CTI expert at CYE