The first 24 hours after a cyber attack
A simple guide on how to respond to a cyber attack:
by Praise Maukazuva
Computer Security Incident Response Team (CSIRT)
Dealing with cyber attacks is strenuous. There is no guarantee that your security measures will keep your system or data safe.
Ways to respond to these attacks in an effective and comprehensive manner are actively being developed at the highest level in government bodies and International communities. However it is difficult to identify the type of attack you are facing until an investigation has been carried out.
First of all, you need a Computer Security Incident Response Team (CSIRT) to manage the whole process. They should all be assigned to a task each, for example one member will deal with how to notify affected users or IT specialists in case there is a technical fault.
Secondly, notifications are sent to affected users. For example, in a company, employees, investors, and customers should be notified. Most importantly the law enforcement and legal authorities should also be notified. The notification should include key details to show the source of the problem, how it is currently being fixed and assurance that it will not be a problem in the future. E-bay was criticized for not notifying its victims in time after its system was hacked in 2014.
As mentioned earlier, the type of attack is essential to determine the type of response. The network will be slower than normal due to reduced internet speed. This can be a sign of a hacking attempt or that the computer has been infected by a form of malware, or a network worm could be replicating itself. There could also be frequent antivirus software alerts reporting an infection in the computer.
BASIC ATTACKS involve small-time criminals such as individual hacktivists that target other private individuals and non-strategic Government departments for financial gain and publicity. They have limited skills and resources that are publicly known.
SOPHISTICATED ATTACKS are seriously organized crimes that are usually sponsored by the State and advanced tools are used. Their targets are the Government or Major Corporate Organizations for warfare, terrorism, major financial rewards and also to unveil National secrets.
Next step is to prevent the attack from spreading into other systems as well. You can keep all affected systems or devices offline,isolated or suspended to stop incoming traffic from the attacker. Passwords should be changed and strengthened.
Do not delete any files, as they might be useful during the investigation.
Continuously document the whole process. So far, the type of attack, the areas it has affected, how it occurred and how it was detected should have been documented. This will be for future references.
The most important step would be to contact a forensic team or cyber security experts to further investigate the incident. The investigation will include:
- Identifying the attacker or the cause of the attack
- Detecting previously unknown security vulnerabilities
- Identifying areas that need improvement or better security.
- Assist in repairing the damage and re-building a stronger system protection with sophisticated security measures.
The forensic team uses a variety of tools during the investigation process. A simple example is TRIPWIRES, a software that detects critical file changes and intrusions on the network.
In short, a cyber attack response involves:
- Form an incident response team
- Notify victims and law enforcement
- Detect the type of attack
- Assess the scale of the attack
- Prevent further damage
- Document the steps taken and why they were taken
- Contact security specialists for forensic investigation
- Recover system with prevention measures
An effective method of response to a cyber attack is necessary as it minimises loss and data destruction. It shows vulnerabilities that were compromised and methods to avoid or reduce future risks!