Our cyber defenses continue to improve due to the awareness created by recent news. The pace of evolution of the cyber threat landscape is increasing day by day, and this often weakens our capabilities to prevent attacks. The question is not whether you will be compromised or your data leaked, but WHEN it will happen.
Attacks that try to make your online services unavailable or hide an actual attack in progress.
The leakage of confidential personal or corporate data: information that was previously restricted is made public. Threats and tactics like these, which generate anxiety, show the classic signs of a scam that aims to steal money, data, property or services through coercion or financial extortion.
A security incident can be defined as any adverse event, confirmed or suspected, related to the security of information systems that leads to the loss of one or more of the basic principles of Information Security: Confidentiality, Integrity and Availability. To respond, we must immediately analyze, together with the IT team, the data and the systems involved in the attack.
This is the "stop the bleeding" phase: its main purpose is to prevent the attacker from extracting more information from the compromised system, causing more damage, or spreading to other systems (lateral movement). Containment and mitigation methods vary with the attack scenario, the systems involved, and the availability requirements of the affected system.
Focusing on the cause and symptoms of the breach is paramount at this stage, to ensure that appropriate action is taken and that the vector of compromise cannot be reused at a later point in time. This includes ensuring that malicious code and compromised machines are removed or kept isolated from the network. This phase may include other actions by STWBrasil such as:
The goal of this final phase is to return the affected systems to production safely. It also includes monitoring the systems for suspicious activity that could indicate the return of the attacker (IDS/IPS/SIEM, etc.). Finally, recommendations for medium- and long-term corrections and mitigations are provided to the client and its technical team.
The analysis of information security incidents and the impact caused by them allows the organization to learn from its mistakes, correct its failures and prevent the same problems from recurring in the future. Reports and technical opinions of all phases of the incident response process will be delivered, and can be used in court with the legal team.
Most organizations are still unprepared to adequately respond to cybersecurity incidents, a fact that can jeopardize the future of companies.
For this reason, it is essential to create an incident response strategy that guides the organization on how to deal with an IT security incident – a cyber attack, a data breach, the presence of a malicious application, a violation of company security policies and standards, among others.
The creation of the so-called "War Room" to manage incidents aims to minimize the damage caused by the incident, in addition to reducing action time and recovery costs.
In cases of data breaches, cyber investigation experts identify the source of the intrusion and assess the best way to protect your system from future attacks.
Collections and examinations of physical and digital evidence are carried out to discover important information about the incident, to determine where, when and how it occurred.