How to Prepare for a Cyberattack

Preventing cyberattacks isn’t easy. If it were, there wouldn’t be a continuous stream of ransomware attacks dominating news feeds, nor would the president of the United States feel compelled to issue executive orders on cybersecurity or to declare that ransomware attacks should be treated like terrorism.

Preventing an attack is hard; avoiding becoming a victim of one comes down to luck, proper planning or a combination of the two. It is, after all, important to remember that attackers play by their own rules, and increasingly they are looking to hit a proverbial home run with a large payout, like the ransom Colonial Pipeline paid following its ransomware attack.

When it comes to defending against a cyberattack, I’d much prefer to be prepared and have a little bit of luck on my side than to pick up the pieces after a cybersecurity incident. With that in mind, here is a blueprint you can use to help prepare for a cyberattack and, ideally, avoid becoming a victim of one altogether.

Have an Incident Response Plan

Following any cybersecurity incident, your teams are going to have to recover from the event while simultaneously dealing with customer concerns and possibly regulatory ones, too. That isn’t the time to be creating a plan, or to be winging it.

A good incident response plan will outline which teams are responsible for which tasks and how leadership communication will occur. The plan should address everything from the mundane issues of log retention for forensic analysis to public and regulatory communications. Eventually, someone important will start asking hard questions about what went wrong, and the last thing you want to tell them is that you don’t know because someone forgot to save critical data.

Create a Comprehensive Threat Model

Threat models are arguably the hardest part of your preparedness plan. They force teams to think about gaps in their processes and honestly review how those gaps might be exploited in an attack.

Basic threat models tend to focus on protecting an asset—say, a database—from external threats. Such models promote perimeter defenses like firewalls while ignoring internal threats like compromised administrator credentials or successful social engineering. If an attacker can access that database from inside the firewall, then that firewall is only protecting against one type of threat.

Comprehensive threat models recognize that most successful attacks have multiple steps. Those steps form an attack pattern that an attacker might use to compromise your business. While it’s not always feasible to prevent every step in the pattern, it is possible to assign a risk metric to each step, remediate the riskiest ones and monitor the others for indicators of compromise. Without investing in a comprehensive threat model, any investment in threat mitigation isn’t all that different from a guess, and you never want to be in a situation where an attacker knows more about your weaknesses than you do.
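The following is an added example, not part of the original article, showing one concrete way to carry out that step-by-step scoring. The attack chain, the per-step probabilities and the costs are constructed illustrations, and the metric (every step must succeed, so the end-to-end probability is the product of the per-step probabilities, and the fix that removes the largest share of that product per unit of cost goes first) is my choice of risk model rather than anything the article prescribes.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Step:
    """One step of an attack pattern. Probabilities are analyst estimates."""
    name: str
    p_success: float   # chance the attacker completes this step with today's controls
    p_residual: float  # chance after remediation (never zero: controls fail too)
    fix_cost: float    # relative cost of remediating this step


# Constructed example: a credential-theft path to the database that, as the
# article notes, never has to cross the firewall. Numbers are illustrative.
CHAIN = [
    Step("phishing email reaches an administrator", 0.9, 0.5, 1.0),
    Step("administrator enters password on a fake login page", 0.3, 0.02, 2.0),
    Step("stolen credentials accepted by the VPN", 0.8, 0.2, 2.0),
    Step("lateral movement to the database host", 0.6, 0.2, 4.0),
    Step("bulk export of database contents", 0.9, 0.4, 2.5),
]


def chain_probability(steps, remediated=frozenset()):
    """End-to-end probability: every step must succeed, so the per-step
    probabilities multiply. Steps named in `remediated` use their residual."""
    return prod(s.p_residual if s.name in remediated else s.p_success for s in steps)


def reduction_factor(step):
    """Fraction of the end-to-end probability removed by fixing this one step."""
    return 1.0 - step.p_residual / step.p_success


def prioritise(steps, budget):
    """Greedy plan: remediate the steps with the largest reduction per unit of
    cost until the budget is spent; every other step stays in place and is
    monitored for indicators of compromise instead."""
    ranked = sorted(steps, key=lambda s: reduction_factor(s) / s.fix_cost, reverse=True)
    remediate, monitor, spent = [], [], 0.0
    for s in ranked:
        if spent + s.fix_cost <= budget:
            remediate.append(s.name)
            spent += s.fix_cost
        else:
            monitor.append(s.name)
    return remediate, monitor


if __name__ == "__main__":
    fix, watch = prioritise(CHAIN, budget=5.0)
    print(f"before: P(compromise) = {chain_probability(CHAIN):.4f}")
    print("remediate:", fix)
    print("monitor:  ", watch)
    print(f"after:  P(compromise) = {chain_probability(CHAIN, frozenset(fix)):.4f}")
```

Because the chain is a product, the share of risk each fix removes does not depend on which other steps have already been fixed, so a single sort gives the same order a step-by-step recomputation would. With the constructed numbers, the phishing-resistant login step ranks first even though it is not the cheapest, because it removes more than 90% of the chain's probability on its own; the expensive lateral-movement step is left for monitoring.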

Know All the Software Powering Your Business

All businesses have some form of patch management policy, but few can provide a comprehensive inventory of all software powering their business. Fewer still can identify the origin point of that software. This lack of awareness creates exploitable blind spots that could lead to a cyberattack, but how is it possible for a business not to know what software it uses?

The problem stems from procurement practices. If someone buys packaged software, they clearly know they need to manage that software. But if they are buying a security camera, for example, they are, in reality, buying much more than that. There’s a piece of hardware (the camera), some software to run the camera, likely some additional software to view images from the camera and, potentially, a cloud service that is itself powered by software. Each of those pieces of software has its own update process, and the security standards used to create each piece could be quite different.

Things get much more complex when you look at open source software, and I can all but guarantee that you have open source software powering some part of your business. Where a purchasing relationship at least gives the supplier a way to know who its customers are and to tell them about updates, something freely downloaded from the internet offers no such channel; tracking it is entirely your responsibility.

If your patch policy doesn’t cover every software asset regardless of where it came from, while still recording where each one came from, then you likely have unpatched software running your business. And, obviously, any time there is unpatched software, there is a weakness that could be exploited.
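As an added example (not the article's own material), here is what that inventory looks like in practice when it starts from a software bill of materials. The SBOM below is a constructed CycloneDX-style document for the security-camera purchase described above, with illustrative names and versions; the package-URL parser is a deliberately minimal one written for this example, and the "patch policy" is a constructed stand-in for what procurement recorded at purchase time. The point it shows is the blind spot: three of the five components the camera actually brought in are outside the policy, and one of them has no known origin at all.

```python
import json

# Constructed CycloneDX-style SBOM for the article's security-camera purchase:
# the camera's firmware, the viewer app, a cloud service and the libraries
# behind them. Names, versions and purls are illustrative, not a real product's.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "firmware", "name": "cam-firmware", "version": "4.2.1",
     "supplier": {"name": "Example Camera Co."}},
    {"type": "application", "name": "cam-viewer", "version": "2.0.0",
     "supplier": {"name": "Example Camera Co."}},
    {"type": "library", "name": "stream-parser", "version": "1.9.3",
     "purl": "pkg:npm/stream-parser@1.9.3"},
    {"type": "library", "name": "tls-shim", "version": "0.3.0"},
    {"type": "application", "name": "cloud-bridge", "version": "7.1.0",
     "purl": "pkg:generic/example-cloud/cloud-bridge@7.1.0",
     "supplier": {"name": "Example Cloud Service"}}
  ]
}
"""

# purl types that denote a public open-source registry rather than a vendor
OPEN_SOURCE_ECOSYSTEMS = {"npm", "pypi", "maven", "golang", "cargo", "nuget", "gem", "deb", "rpm"}

# Constructed: the only two items procurement recorded when the camera was bought.
PATCH_POLICY = {"cam-firmware", "cam-viewer"}


def parse_purl(purl):
    """Minimal package-URL parser: returns (type, name, version).
    Qualifiers (?...) and subpaths (#...) are dropped; enough to establish origin."""
    body = purl[len("pkg:"):] if purl.startswith("pkg:") else purl
    body = body.split("?", 1)[0].split("#", 1)[0]
    path, _, version = body.partition("@")
    parts = path.split("/")
    return parts[0], parts[-1], version or None


def classify(component):
    """Return (kind, origin) for one component: where it came from and who,
    if anyone, is in a position to tell you about updates."""
    supplier = (component.get("supplier") or {}).get("name")
    purl = component.get("purl")
    if purl:
        ptype, _, _ = parse_purl(purl)
        if ptype in OPEN_SOURCE_ECOSYSTEMS:
            return "open-source", f"{ptype} registry"
        return "commercial", supplier or ptype
    if supplier:
        return "commercial", supplier
    return "unknown", None   # nobody will ever notify you about this one


def inventory(sbom_text):
    """Flatten an SBOM into the per-component rows a patch policy needs."""
    sbom = json.loads(sbom_text)
    rows = []
    for c in sbom.get("components", []):
        kind, origin = classify(c)
        rows.append({"name": c["name"], "version": c.get("version"),
                     "type": c.get("type"), "kind": kind, "origin": origin})
    return rows


def patch_gaps(rows, patch_policy):
    """Components the patch policy never mentions, plus any with no known origin."""
    return [r for r in rows if r["name"] not in patch_policy or r["origin"] is None]


if __name__ == "__main__":
    rows = inventory(SBOM_JSON)
    for r in rows:
        print(f"{r['name']:<14} {r['version']:<7} {r['kind']:<12} {r['origin']}")
    print("not covered by patch policy:", [g["name"] for g in patch_gaps(rows, PATCH_POLICY)])
```

Run against the constructed SBOM, the inventory shows the two items procurement knew about, an npm library nobody will send an advisory for, a cloud connector whose updates arrive on the vendor's schedule rather than yours, and a library with no supplier and no purl, which is exactly the "origin unknown" case the text warns about.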

Building a Foundation

There are many more elements that form a successful cybersecurity blueprint, like limiting access to data, but these three are part of the foundation. If you don’t know the software powering your business, you can’t possibly patch it. If you don’t know what threats your processes and the software you use expose your business to, you can’t reliably defend against attacks on them. If you don’t have an incident response plan in place prior to an incident, you’ll be slow to react and could destroy evidence that would help you recover quickly.

Cybersecurity is all about preparedness. You can’t protect against all cyberattacks, but you can defend against most. Knowing your software, why you have it, and how it works is a great first step in that process.