Preparing for and Responding to Cybersecurity Incidents
What happens when cyber attackers breach corporate systems? There is no question that cybersecurity is crucial in our highly digitalised organisations today. Yet no cyber defence is perfect. With enough time, technical sophistication, and a sufficiently motivated attacker, even the strongest defences may fail.
Enterprises need a robust plan and relevant capabilities that will allow them to respond quickly should attackers ever gain unauthorised access. What are key considerations and how can organisations prepare?
“Organisations today have defence in depth and are constantly evolving. But our adversaries are sophisticated and are also evolving and innovating. Don’t underestimate them.”
– Steve Ledzian, Chief Technology Officer, Mandiant APJ - Google Cloud
Seeking the truth
While the specifics of every cyberattack will invariably differ, one certainty is incomplete information, especially in the initial hours of a breach. But before organisations can respond, they must first understand the scope of the attack. Answers that defenders want include details such as the route used to gain access, the nature of stolen data, as well as the attackers’ likely identity and ultimate objectives.
This “fog of war” can only be dispelled once the key facts have been established through a thorough investigation as part of the incident response process. That means knowing which machines are compromised, whether passwords have been stolen and, should infected systems need to be wiped and reimaged, whether the available images are clean and safe to use. All of this must be done swiftly, and potentially across large swathes of the organisation.
Depending on the specifics of each case, the investigation phase might require deep specialisation across multiple fields. For instance, any novel malware that is discovered would have to be examined by specialists to fully assess its capabilities and its likely role in the attack. Only when the full extent of the incident is understood can the organisation properly respond to and remediate it.
Preparation is key
Preparation is everything in cybersecurity and can make all the difference in a cyberattack. Specifically, an incident response (IR) retainer with a reputable IR firm brings in relevant expertise that dramatically bolsters the ability to investigate and respond to an incident. It can also provide support in ancillary areas, such as making sure that PR holding statements and decision trees for crisis communication are in place.
The impact of modern cybersecurity breaches makes them a business problem for organisations, not a technical issue for the CISO and their cybersecurity team alone. One way to bring this home is through tabletop exercises, an activity where key personnel in the firm participate in a simulated cyberattack. This offers hands-on training to stakeholders and helps them better understand the impact and pressures of a cyberattack as they rehearse their roles and responsibilities.
While cyber defences have evolved significantly and organisations now have layers of defences, attackers have adapted to keep pace. Today’s cyber attackers are formidable, well-resourced opponents who continually hone their tactics and employ a variety of techniques. The onus is therefore on businesses not to underestimate their adversaries: assume the worst and make extensive preparations ahead of time.
Cybersecurity in APAC
According to the Mandiant 2023 M-Trends report, the average dwell time for attackers in the Asia Pacific currently stands at 33 days. Dwell time is the period from the failure of preventive measures to the discovery of the intrusion, that is, the window during which attackers are effectively operating invisibly inside the corporate network.
Though there is ample room for improvement here, it is worth noting that this figure is a dramatic improvement over the average dwell time from five years ago – when it stood at more than a year. Detection and response technologies have clearly gained significant traction in the Asia Pacific over the last few years.
Unfortunately, the attack vector tells a more sombre story for the region. While threat actors predominantly gain access through the exploitation of vulnerabilities in the Americas and through phishing in Europe, the research found that in the Asia Pacific they mainly break in through systems that were already compromised.
This means that past compromises were not properly investigated and remediated. Because remediation and recovery were incomplete, the attackers were never fully removed the first time, allowing them to regain access later.
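As an added illustration of the two points above (how dwell time is measured, and how a host that was never cleaned up after an earlier incident becomes the attackers' way back in), the following Python script computes dwell time per incident from a host timeline and flags hosts that reappear in a later incident with no rebuild in between. This is example code written for this page, not from the article or from Mandiant; the incident identifiers, hostnames, dates and event kinds are constructed assumptions.

```python
"""Incident timeline analysis: dwell time and unremediated re-entry.

Added example, not from the article or from Mandiant. The timeline below is
constructed; incident ids, hostnames, dates and event kinds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Event:
    incident: str   # incident identifier (constructed)
    host: str       # affected host (constructed)
    when: date
    kind: str       # "compromised" | "detected" | "reimaged"


# Constructed timeline: two incidents on the same estate, three months apart.
TIMELINE = [
    Event("INC-1", "web-01", date(2023, 1, 5), "compromised"),
    Event("INC-1", "db-02", date(2023, 1, 20), "compromised"),
    Event("INC-1", "web-01", date(2023, 2, 7), "detected"),
    Event("INC-1", "db-02", date(2023, 2, 7), "detected"),
    Event("INC-1", "web-01", date(2023, 2, 10), "reimaged"),
    # db-02 was never reimaged after INC-1: incomplete remediation.
    Event("INC-2", "db-02", date(2023, 5, 1), "compromised"),
    Event("INC-2", "web-01", date(2023, 5, 3), "compromised"),
    Event("INC-2", "db-02", date(2023, 5, 15), "detected"),
    Event("INC-2", "web-01", date(2023, 5, 15), "detected"),
]


def dwell_time_days(events):
    """Dwell time per incident: days from the earliest evidence of attacker
    activity (the point where prevention failed) to the first detection."""
    first_evidence, first_detection = {}, {}
    for e in events:
        if e.kind == "compromised":
            first_evidence[e.incident] = min(first_evidence.get(e.incident, e.when), e.when)
        elif e.kind == "detected":
            first_detection[e.incident] = min(first_detection.get(e.incident, e.when), e.when)
    return {
        inc: (first_detection[inc] - first_evidence[inc]).days
        for inc in first_evidence if inc in first_detection
    }


def average_dwell_time(events):
    """Mean dwell time across all incidents with both evidence and detection."""
    return mean(dwell_time_days(events).values())


def unremediated_reentries(events):
    """Hosts compromised in a later incident with no 'reimaged' event between
    the earlier compromise and the later one: the earlier clean-up was never
    completed, so the attacker may simply have kept their foothold."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.when)
        compromises = [e for e in evs if e.kind == "compromised"]
        for earlier, later in zip(compromises, compromises[1:]):
            if earlier.incident == later.incident:
                continue
            rebuilt = any(
                e.kind == "reimaged" and earlier.when < e.when < later.when
                for e in evs
            )
            if not rebuilt:
                findings.append((host, earlier.incident, later.incident))
    return findings


if __name__ == "__main__":
    print("dwell time (days):", dwell_time_days(TIMELINE))
    print("average dwell time:", average_dwell_time(TIMELINE))
    print("hosts re-entered without rebuild:", unremediated_reentries(TIMELINE))
```

On the constructed data, INC-1 has a dwell time of 33 days and INC-2 of 14 days, and db-02 is flagged because it was compromised in INC-1, never reimaged, and then compromised again in INC-2; web-01 is not flagged because it was rebuilt in between. A real timeline would be assembled from forensic findings rather than typed in by hand, but the checks are the same.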
Mandiant: Incident response at scale and at speed
Mandiant brings unparalleled threat intelligence capabilities, deep cybersecurity expertise, and a modern SecOps platform to give enterprises the visibility to prepare for, investigate, and remediate cyberattacks. With managed detection and response at scale – and at speed, Mandiant helps organisations get the answers to make informed business decisions.
Generative AI technologies have the potential to augment the capabilities of security professionals. On this front, Mandiant has incorporated various AI capabilities across its entire security suite. For a start, the ability to summarise vast troves of documentation and data can help security professionals quickly access the insights they need.
Moreover, AI can help defenders and even Mandiant Incident Response Teams conduct their investigations in plain English, quickly establishing key facts or analysing obfuscated scripts. Ultimately, analysts are more effective and can work much faster than before. Learn more about Mandiant here.