Cybersecurity breach? Ask these four vital questions


Responding to a severe cyberattack decisively and effectively is a huge challenge. Information technology managers and cross-organizational cybersecurity stakeholders must make critical decisions quickly at a time of intense stress. Decisions might include shutting down systems, negotiating and paying a ransom, notifying regulators and stakeholders, activating continuity plans and more.

Speed is vital, yet separating signal from noise, thoroughly assessing the situation and making the right judgments takes time, resources and expertise. For IT managers, security teams and others involved in an organization's breach response process, one of the immediate challenges upon discovering a cyberattack is therefore to avoid panic responses and instead define and prioritize swift investigative efforts that guide the best possible decisions.

There is always a lot of information to discover during an investigation, but experience shows that not all of that voluminous data (typically alerts, collected cloud and SaaS logs and the like) offers value in the limited timeframe IT managers have in the wake of a breach. Knowing in advance of an attack exactly what you’ll need to know when one happens will help you to quickly zero in on what’s relevant.

Based on breach response investigations, recommended practices and incident response experience, here are four essential questions that an investigator must answer when an organization experiences a cyberattack:

  • “What is the current state of the attack?”
  • “Which data has been compromised?”
  • “Who is behind the attack?”
  • “How did the attack happen?”

Note: these questions do not necessarily reveal the whole story of the attack, but they do supply the minimal situational awareness needed to assess the situation and act rapidly.

Ariel Parnes is co-founder and COO of Mitiga.

In the subsections that follow, we identify the significance of what we call leading investigative questions in the context of today’s ever-expanding threat surface.

1. What is the current state of the attack?

This information can help the organization ascertain the appropriate response to the attack. For example, if the attack is ongoing, the organization may need to take immediate steps to contain the attack and prevent it from spreading further. On the other hand, if the attack has been stopped, the organization can focus on recovery and restoring affected systems and data. This information can be important for determining the resources that will be needed to respond to the attack and for communications with relevant stakeholders.

2. Which data has been compromised?

Knowing which data has been compromised can help the organization understand the extent of the damage and determine what type of information may have been accessed or stolen. This can be important for assessing the potential financial or reputational impact of the attack. This information is also needed for decisions such as notifying the appropriate parties and authorities and conducting any ransom negotiations.

3. Who is behind the attack?

Different attackers have varying motivations and modus operandi. If the attack was perpetrated by a nation-state, the organization may need to consider the possibility of further attacks and take steps to protect against them. On the other hand, if the attack was carried out by a criminal group, the organization may need to consider the possibility of extortion or other financial demands. In addition, understanding who is behind the attack can be important for forensic and legal purposes. If the organization decides to take legal action or work with law enforcement, it will be important to know who is responsible for the attack.

Finally, knowing who is behind the attack can help the organization understand its motivation, which can be important for determining the potential impact of the attack and for developing strategies to prevent similar attacks from happening in the future.

4. How did the attack happen?

It is important to figure out how a cyberattack happened, because this information can help the organization understand the vulnerabilities that were exploited and take steps to prevent similar attacks from happening in the future. Understanding how the attack occurred can also help the organization determine the appropriate response to the attack. For example, if the attack was caused by a software vulnerability for which there is a patch, then the organization may be able to stop the attack by applying the patch to the affected systems. In addition, understanding how the attack happened can be important for forensic and legal purposes, as it can help the organization determine who was responsible for the attack and take appropriate action.

To summarise, when an organisation experiences a cyberattack, stakeholders have a limited amount of time to make critical decisions. To respond decisively and effectively, it is important to prioritise efforts with the help of the four leading investigative questions outlined above. Understanding the current state of the attack can help determine the appropriate response, and knowing which data has been compromised can help assess the potential impact. Understanding who is behind the attack can help determine motives and legal actions, and figuring out how the attack happened can help prevent future attacks by identifying the vulnerabilities that were exploited.


Ariel Parnes is co-founder and COO of cybersecurity firm Mitiga, specialist in cloud cyber resilience and incident response. He’s a retired Colonel of the Israeli Defense Force 8200 Cyber Unit.
