So we all must have an incident response plan, which is used only after a computer security problem:
- Detect the problem
- Investigate the problem
- What type of threat is this to the business?
- Does it rise to the level of a “breach”, with significant legal disclosure requirements?
- Did the attackers steal information/data?
We know practice makes perfect, but how do we practice responding to a known attack without actually getting a hacker to hack your systems?
So of course getting a pentester to test your environment for problems is a good thing. But we also need a method of getting our IT staff to not be afraid of following the crumbs to a potential breach. People get better the more they do something, so a pentest would also be useful practice for IT staff incident reports.
With or without a pentest it is wise to create a “write-up” report that acts as if the breach or hack happened, so the IT personnel get used to working through the “paperwork” process.
So let us do it together:
1. We detected a problem in the logs: they were zeroed out on our Windows 2012 server.
2. We do not know why this happened, but the event logs now contain only a handful of events (going back to yesterday only).
3. Is this a threat to the business? If there are no logs to look at, how will we know what happened in the last few days before the logs were deleted?
4. Review the systems to see if any new files have been added; you will have to compare against recent backups. Also review any customer data that resides on the server (is the customer data still valid?). If you have no way of doing this today, better start working on a process now.
5. The last point is where the most difficult assessment has to be performed. Is this a threat to the business? Was data stolen?
And this is exactly where many companies get tripped up. Every day you are running your business and it seems like any other day. Losing event logs does not seem to mean much… but it could be a sign of a serious breach.
Find out whether your files have been altered. The problem is that some malware is present only for other purposes, so some altered files carry lower risk and impact. How can we know whether there is a high-impact, high-risk alteration?
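To give the exercise above something concrete to run through, here is an added example (not from the original post) of the two checks in steps 2 and 4: comparing a file manifest from the last backup against today's manifest, and measuring how much log history is missing. The manifests, event entries and the 30-day retention expectation are constructed sample values; the event IDs 1102 (Security log cleared) and 104 (System log cleared) are the real Windows IDs.

```python
import hashlib
from datetime import datetime

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample manifests (path -> SHA-256 of file contents): one taken from the
# most recent backup, one taken from the server today. A real manifest would be built
# by hashing every file under the directories you care about.
BACKUP_MANIFEST = {
    r"C:\inetpub\wwwroot\default.aspx": sha256_hex(b"site v1"),
    r"C:\app\config.xml": sha256_hex(b"config v1"),
    r"C:\app\data\customers.csv": sha256_hex(b"customers v1"),
}
CURRENT_MANIFEST = {
    r"C:\inetpub\wwwroot\default.aspx": sha256_hex(b"site v1"),     # unchanged
    r"C:\app\config.xml": sha256_hex(b"config v2"),                 # modified since backup
    r"C:\app\data\customers.csv": sha256_hex(b"customers v1"),      # unchanged
    r"C:\Users\Public\newtool.exe": sha256_hex(b"unknown binary"),  # added since backup
}

def diff_manifests(backup: dict, current: dict) -> dict:
    """Return the files added, removed, or modified since the backup manifest was taken."""
    common = backup.keys() & current.keys()
    return {
        "added": sorted(current.keys() - backup.keys()),
        "removed": sorted(backup.keys() - current.keys()),
        "modified": sorted(p for p in common if backup[p] != current[p]),
    }

# Constructed sample of the few surviving event log entries. Windows records a cleared
# Security log as event ID 1102 and a cleared System log as event ID 104.
NOW = datetime(2024, 5, 7, 9, 0)
SURVIVING_EVENTS = [
    {"id": 1102, "time": datetime(2024, 5, 6, 2, 14), "log": "Security"},
    {"id": 4624, "time": datetime(2024, 5, 6, 8, 1), "log": "Security"},
]

def log_cleared_events(events: list) -> list:
    """Return the entries that record a log being cleared."""
    return [e for e in events if e["id"] in (1102, 104)]

def retention_gap_days(events: list, now: datetime, expected_days: int) -> int:
    """Days of history missing: the expected retention window minus how far back the
    surviving events reach. A positive number means the log is shorter than it should be."""
    oldest = min(e["time"] for e in events)
    covered = (now - oldest).days
    return max(expected_days - covered, 0)
```

Both results feed straight into the write-up: the added and modified paths are what you compare against change records, and the gap figure is how many days of evidence you no longer have.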
To have any chance of knowing a breach happened, you need IT personnel to do the following:
- Be vigilant
- Notice unauthorized logins
- See unauthorized usage of computer systems
- Ask why reboots are mysteriously happening on their own
- Review administrative account access for actions unknown to the administrators
- Notice unusual outbound traffic
- Check whether files are being added to your computer systems without the IT department's knowledge
- Notice when logs are being deleted or very few event logs are available on critical systems
- Determine whether data was stolen
A lot of these bullet points assume you can see potential breach indicators, so here is an infographic to help you with this process.
If you are not testing your incident response plans, what will happen when a real attack happens?
Contact us to help you with Oversite or auditing needs.