My team recently received a call from a company in Europe that had received warnings from law enforcement that it might be targeted by hackers. We found evidence through our data forensics that an attacker had entered the company's network, taken credentials, and then left. From what we found, the attacker had just as much access and knowledge as the CISO — maybe even more.
And this was likely not the end of the story; attackers usually spend weeks or months inside networks (known as dwell time) before actually doing anything. There was a good chance the attacker would come back. That should be top of mind for any company that's dealing with the aftermath of an attack or intrusion, and the response requires a holistic, active approach even if an incident appears to be over. Often referred to as the "recovery" period, the hours, days, and weeks after a detected intrusion or attack are anything but passive. This period demands action; in fact, it should be called "post-incident response," not "recovery." Not only is this a crucial period of every cyber incident, but it can also be an important growth opportunity for cybersecurity posture and the company in general.
Attackers Return, So Victims Should Study Their Enemies
Often when we see an intrusion like the one at this European company, organizations aren't focused enough or don't spend the required budget to make recommended changes, and the attacker comes back with something worse, such as a ransomware attack that can cause great financial and reputational harm. Many companies also fail to see the unique opportunity that is hidden in the fact that attackers often come back: The post-attack or post-intrusion phase can serve as a valuable time to learn about the enemy — where they came from, how they entered, which assets they spent the most time checking out.
Although much time is spent trying to determine who the enemy could be when preparing for possible attacks, the post-attack period offers actual evidence on who the enemy is. This improved understanding of current and possible future enemies allows for a better allocation of resources in order to protect the assets that not only matter most to business value and continuity but are also most likely to be targeted. Knowing from which geographic area an attacker originates and if there is a chance they're connected to state-backed efforts also allows companies to hire cybersecurity teams that bring the necessary talent to deal with the sorts of threats an organization is facing.
Stopping an Attack Is Only the Beginning
Just because an attack path was blocked, or attackers may have left all the data accessible (declining to put ransomware on it, for example), they still could have obtained intellectual property and proprietary or personal data. And this could then be leaked for purposes of sabotaging a business, obtaining intelligence, or for making money on the Dark Web. Attacks with multiple stages or objectives are growing; what may initially manifest as a ransomware attack to extract money from victim organization could turn into a smear campaign when that information is leaked or used to influence public opinion. Just because one organization is able to detect or stop an attack with little obvious damage, the attacker could later target other organizations that are connected, either directly through the software supply chain or through phishing campaigns aimed at email addresses taken from the original, relatively unscathed, target. Even though an incident appears over, it probably isn't; more victims are likely to emerge.
Deal With the Last Mile of an Attack on a Managerial Level
After an attack or signs of a security breach, companies must make sure they meet a checklist of demands, including informing the right parties, such as government and regulatory bodies, customers, clients, and business partners. All of these obligations should be an integral part of the post-incident response and involve multiple departments.
But the involvement of multiple departments and the entire C-suite should not end with these obligations. The post-incident period is one of the most important times for a holistic managerial approach; after all, if an attacker decides to leak sensitive corporate information to the public, or sell it on the Dark Web, that is not just the CISO's problem; it is also something that executives across departments must deal with. This includes public relations; in today's world, where everyone, everywhere is vulnerable to cyberattacks, an organization's reaction to an attack and how it handles it is paramount to preserving its brand integrity.
Post-incident activity is, and should be, intense. But it should not — as it unfortunately often is — be left to the CISO. We often see that while an attack or security breach is in progress, most of the company's leadership is involved, including the CEO, COO, and human resources and legal teams. It is essential that these executives and teams continue to lead the post-attack phase.
The entire company should also be involved in reviewing not just what went wrong technically, leading to a cyberattack, but how it was handled, pinpointing lessons for the future, and updating its cybersecurity response plan. Now more than ever, cybersecurity can make or break a company; this reality requires a full-fledged team effort at every stage of an attack, even when some may mistake it for being over.
If done well, a response to an attack will not only close vulnerabilities but protect the brand's reputation, operations, and customers and leave a company better prepared to ward off the next attack.