Response to Supersonic Cyber Threats

AUTOMATION and digitization are major enablers for small businesses in Asia-Pacific. Small businesses employ the majority of people in Asia-Pacific and also contribute significantly to the Gross Domestic Product (GDP) of countries in this region.

For example, Singapore’s small and medium-sized enterprises (SMEs) contribute 48% of GDP. In Japan, SMEs account for 70% of national employment and 50% of GDP, according to the Organization for Economic Co-operation and Development. In Australia, small businesses make up over 97% of all businesses and contribute 32% of GDP.

The government leads

Cybersecurity incidents continue to grow in number and sophistication, which means the need for effective incident response management continues to grow. As of October 2021, the number of data compromise incidents caused by ransomware, phishing and other attacks had already exceeded the total for all of 2020 by 27%.

As cybersecurity risks and threats increase, especially ransomware and exploited vulnerabilities, the race between businesses and threat actors comes down to time: the speed of identification, isolation and mitigation of threats. This is cyber resilience. In Asia-Pacific, the most effective way to build both cybersecurity capability and resilience starts with government.

In Japan, the Cybersecurity Basic Law and Telecommunications Business Law, as well as the Cybersecurity Management Guidelines (in force since November 2017), provide recommendations on threat identification and mitigation, as well as on incident response and resilience.

The Australian Government’s Australian Cyber Security Centre (ACSC) has guidelines for cybersecurity incident management, including policy setting, detection, incident logging, data leak management, malware and intrusion management, evidence handling and incident reporting.

The Singapore government has always been particularly aware of cyber threats, as the small nation is heavily digitized: residents use digital IDs to log in to government services, banks and other transactions.

The Cybersecurity Act 2018 and the earlier Computer Misuse Act collectively help any entity in Singapore understand the boundaries of the cyber arena and what conduct is and is not tolerated. The Cybersecurity Act sets out a regulatory framework covering critical information infrastructure, incident response and the licensing of cybersecurity service providers.

Incident response is key

As the above shows, much of cybersecurity comes down to response. The faster and more comprehensive our response to cyber incidents, the sooner we can get the business back on track.

The Center for Internet Security (CIS), one of the leading international non-profit entities working with global cybersecurity practitioners, publishes a set of best practices known as the CIS Critical Security Controls, currently at version 8. These documents help any business understand how best to manage cyber risks and intrusions.

One of the key controls is CIS Control 17, which addresses incident response with three basic safeguards that every organization should implement. Control 17 also includes six additional safeguards for businesses, applied depending on whether the company is working with sensitive or confidential data.

Plan, communicate, test

The foundation of CIS Control 17 is safeguards 17.1, 17.2 and 17.3 (Implementation Group 1). This is the minimum incident response capability for any entity to begin with.

17.1: Organizations must designate an incident response manager and a backup person. The CIS Internet of Things (IoT) Companion Guide recommends that organizations also choose a response manager and backup for IoT incidents, as threats to unmanaged devices, and the appropriate responses, differ from those for managed computing devices.

17.2: Organizations should compile and continually update their incident reporting contact list. It should include anyone who needs to know, such as law enforcement and regulators, insurers, employees and suppliers. Other relevant stakeholders may include shareholders and investors, patients, students or customers. The list may also include public relations contacts for crisis management and media contacts.

17.3: Employees need a written process they can follow to report incidents, including those involving IoT devices. This process should clearly explain the types of incidents or issues to report, to whom to send the report, when to report the incidents, and how to share the information (for example, by email, telephone, instant messaging or another channel).

In light of privacy laws in Asia-Pacific, entities handling sensitive or restricted data should implement safeguards 17.4 through 17.8 (Implementation Group 2).

17.4: Organizations should define all roles, responsibilities, compliance issues, and communication requirements for incident response. Without clear action steps, a team can waste valuable time duplicating efforts and untangling lines of communication during an incident response. Unclear roles and requirements also increase the likelihood of critical response steps being overlooked.

17.5: The right people need to be assigned to the right incident response roles. At the enterprise level, this step requires involving people beyond IT and the security operations center, from legal, public relations, human resources, facilities and other relevant departments.

17.6: Companies should pre-designate approved communication channels for those involved in the response to use during an incident. They should also choose backup channels, in case the primary channels are compromised. For example, the 2017 NotPetya attack (destructive malware disguised as the Petya ransomware) took down the email systems of corporate targets, making it difficult for affected companies to coordinate their response.

17.7: Organizations should thoroughly test incident response plans at least once a year using a variety of scenarios, including current cyber threats. This step requires identifying the security testing tools your team will need well in advance of scheduled testing.

17.8: Response teams should follow cybersecurity testing and incident response drills with reviews to see what worked and what needs improvement next time.

CIS safeguard 17.9 (Implementation Group 3) is the highest tier, intended for entities handling highly sensitive data.

17.9: Organizations should set thresholds for incidents, “including, at a minimum, differentiating between an incident and an event.” Setting thresholds will allow your response team to prioritize their work and allow your security team to automate alerts at those thresholds for more effective responses.

The Pitfalls of Incident Response Failures

When security teams lack comprehensive data about their devices and what those devices are doing, or when that data is scattered among different security solutions, it is nearly impossible to launch a quick and effective response to an incident.

To respond properly, security teams need real-time answers to four key questions:

1) Which devices are affected? For example, is the incident happening on your organization’s connected printers, or is it targeting a wider range of devices that share the same IoT operating system?

2) What do the devices control and what do they communicate with?

Devices that control critical infrastructure operations, patient safety, security monitoring and other sensitive tasks require a more urgent response than, say, a Rickroll (an Internet joke) played on compromised connected TVs.

3) What networks are the devices connected to?

When security teams can see which networks and segments devices have access to and whether those limits have been breached, they can more quickly assess risks to other parts of the organization’s environment and operations.

4) Where are the affected devices?

Connected devices are everywhere, from production lines and classrooms to operating theaters and executive suites. Understanding where the compromised devices are can help the team prioritize their response.
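As an added example (not from the article and not Armis code), the following Python script shows one way to implement the threshold idea in safeguard 17.9 together with the four questions above: raw events are only promoted to an incident when a per-device count crosses a threshold inside a time window, and the resulting incident is prioritised using what the asset inventory says about the device's function, network segment and location. Every IP address, device name, segment, event kind and threshold value below is constructed for the example and is an assumption, not a recommendation from the page.

```python
"""Event-to-incident triage with per-device thresholds and asset context.

Illustrative example only; all inventory entries, event kinds, thresholds
and sample events are constructed for this demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory: which device, what it controls, which
# network segment it sits on, and where it physically is.
ASSETS = {
    "10.20.5.14": {"name": "infusion-pump-07", "function": "patient_safety",
                   "segment": "clinical-ot", "location": "ward-3"},
    "10.20.9.3":  {"name": "lobby-tv-2", "function": "signage",
                   "segment": "guest-iot", "location": "lobby"},
    "10.20.7.21": {"name": "printer-fin-1", "function": "office",
                   "segment": "corp-lan", "location": "finance-floor"},
}

# How urgent a confirmed incident on a device with this function is (assumed scale).
FUNCTION_WEIGHT = {"patient_safety": 3, "critical_infra": 3,
                   "security_monitoring": 2, "office": 1, "signage": 0}

# Incident thresholds (assumed): events of one kind from one device within WINDOW.
THRESHOLDS = {
    "auth_failure": 5,
    "new_outbound_destination": 3,
    "cross_segment_connection": 1,   # a single segment-boundary crossing escalates
}
WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src_ip: str
    kind: str


def crosses_threshold(stamps, limit):
    """True if any WINDOW-long span of sorted timestamps holds >= limit events."""
    start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > WINDOW:
            start += 1
        if end - start + 1 >= limit:
            return True
    return False


def triage(events):
    """Group events by (device, kind), apply thresholds, and return incidents
    sorted by priority (highest first). Events below threshold stay events."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_key[(ev.src_ip, ev.kind)].append(ev.ts)

    incidents = []
    for (ip, kind), stamps in by_key.items():
        limit = THRESHOLDS.get(kind)
        if limit is None or not crosses_threshold(stamps, limit):
            continue  # unknown kind or below threshold: log only, no escalation
        asset = ASSETS.get(ip, {"name": ip, "function": "unknown",
                                "segment": "unknown", "location": "unknown"})
        # A device missing from inventory gets a conservative mid-level weight:
        # we cannot rule out that it controls something critical.
        weight = FUNCTION_WEIGHT.get(asset["function"], 2)
        priority = weight + (2 if kind == "cross_segment_connection" else 0)
        incidents.append({"device": asset["name"], "kind": kind,
                          "count": len(stamps), "segment": asset["segment"],
                          "location": asset["location"], "priority": priority})
    incidents.sort(key=lambda i: i["priority"], reverse=True)
    return incidents


# Constructed sample telemetry.
_T0 = datetime(2021, 10, 1, 9, 0)
SAMPLE_EVENTS = (
    # Infusion pump talks across a segment boundary twice: one is already enough.
    [Event(_T0 + timedelta(minutes=m), "10.20.5.14", "cross_segment_connection")
     for m in (0, 3)]
    # Finance printer: six auth failures in five minutes, over the threshold of 5.
    + [Event(_T0 + timedelta(minutes=m), "10.20.7.21", "auth_failure")
       for m in range(6)]
    # Lobby TV: six auth failures spread 7 minutes apart, never 5 in any window.
    + [Event(_T0 + timedelta(minutes=7 * m), "10.20.9.3", "auth_failure")
       for m in range(6)]
    # An event kind with no threshold defined is never auto-escalated.
    + [Event(_T0, "10.20.7.21", "dns_query")]
)


def demo():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for inc in demo():
        print(inc)
```

The point of the sliding window is that the lobby TV's six failures never become an incident, while the printer's six do, and the pump's two boundary crossings outrank the printer because the inventory says the pump controls patient safety and has left its clinical segment. Thresholds, weights and window size are deliberately kept as data so the security team can tune them without touching the logic.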

Untested or incompletely tested plans can fail during a crisis, complicating and slowing the response. Response delays can escalate the scope of the incident by giving intruders more time in the system. So the longer it takes to identify an attack and isolate the devices and networks involved, the greater the disruption can be.

For example, SolarWinds, an American company that develops software for enterprises, “saw signs of hackers invading their networks as early as January 2019, approximately eight months earlier than the previously publicly disclosed timeline”, but delays in identification and response allowed the attackers to remain in its systems for almost two more years.

Late or disorganized responses can also result in hefty compliance penalties. For example, under the General Data Protection Regulation, the European Union requires companies to report personal data breaches to the supervisory authority within 72 hours of becoming aware of them. Slow incident response has resulted in costly fines for some organisations, including a travel booking site which was fined US$560,000 (RM2.59m) for reporting a breach 22 days after its discovery.

Miscommunication during incident response can also undermine organizations’ relationships with investors and customers. The resulting brand damage can lead to a drop in share price, customer churn and an increase in the average cost of acquiring new customers.

Leverage intelligence to power your response plan

One effective way to optimize incident response management is to look for a solution that discovers and tracks all assets and consolidates their inventory and telemetry into a unified platform.

Find tools and information to help you achieve faster, more focused incident response, resolution and recovery. You also need the means for your team to leverage AI-based anomaly detection to identify abnormal device behaviour that may signal an attack. After the response, security teams can go back to the logs for review and investigation.

The world we find ourselves in is accelerating just as cyber threats intensify and grow in sophistication. How we respond to all threats can literally make or break our operations.

Matt Hubbard is Director, Market Intelligence, at Armis, a leading security platform.
