Triskele Labs Blog

Responding to a cyber-attack is a game of minutes

Written by Nick Morgan | Oct 6, 2021 8:38:23 PM

Watch the full Cybeers episode here

Imagine you roll into the office at 9am, log on to your computer, and discover something’s not right.

Everything has been locked and you can’t access anything: you’ve fallen victim to a ransomware attack, and the threat actor is demanding an enormous sum of money for the keys to your own systems.

What do you do?

Time is of the essence.

From an incident response perspective, the most important thing is to make sure nobody panics. The reality is that something bad has happened, it’s going to impact you and be potentially devastating for the business, but panicking isn’t going to help.

So, you trigger your incident response plan.

This, we’ve found, tends to be the first hurdle that many businesses face. Often, incident response plans are written, stuck on a shelf (or worse, in a folder on the ransomed network) and never reviewed or tested.

Ensuring your incident response plan is up to date, tried, tested, and understood by all the relevant people is critical to making sure you minimise the damage to your business as much as possible.

Where cyber-attacks are concerned, time is of the essence, so your next step should be to contact your cyber incident response provider, a business like ours, which can act quickly and relentlessly on your behalf to mitigate the threat.

Ideally, you should either have internal capability, or have an incident responder on retainer. Now, you’d expect us to say that, but the reality is that not having an established relationship with a cyber incident responder can cause huge delays, which can have disastrous consequences for your business.

If you don’t have a retainer in place, you’d first need to find the right provider for you, then work through terms and conditions, rates, and legal review, which can take days. Recent research from CrowdStrike shows that the Russian threat actor group can smash and grab your network in 18 minutes. That means they can get into your network, retrieve the data they want, and get out again very quickly. (https://www.crowdstrike.com/blog/first-ever-adversary-ranking-in-2019-global-threat-report-highlights-the-importance-of-speed/)

So, if you’re not following the 1/10/60 rule – one minute to detect, 10 minutes to triage, 60 minutes to respond – you’re already behind the game. And if it’s taking you a full day to go through terms and conditions and agree rates with your incident response company, the threat’s already gone, they’ve already taken all your data, and they’re out the door.
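As an added illustration (not part of the original post), the snippet below turns the 1/10/60 rule into a check a SOC could run over its own incident timelines: it measures detect, triage and respond phases between four milestones of a constructed sample incident and flags which phases missed their threshold. The comparison against the post’s 18-minute smash-and-grab figure treats the time from first malicious activity to containment as the end-to-end response window, which is an assumption made here, as are the milestone names and the sample timestamps.

```python
from datetime import datetime

# 1/10/60 thresholds from the post, in minutes: detect / triage / respond.
THRESHOLDS_MIN = {"detect": 1, "triage": 10, "respond": 60}

# Breakout time quoted in the post (assumed here to bound the whole response window).
BREAKOUT_MIN = 18

# Constructed sample incident timeline (not real data). Each phase is measured
# from the previous milestone:
#   first_activity -> alert_raised  : detect
#   alert_raised   -> triage_done   : triage
#   triage_done    -> contained     : respond
SAMPLE_TIMELINE = {
    "first_activity": "2021-10-06T09:00:00",
    "alert_raised":   "2021-10-06T09:00:45",
    "triage_done":    "2021-10-06T09:14:00",
    "contained":      "2021-10-06T09:58:00",
}

MILESTONES = ("first_activity", "alert_raised", "triage_done", "contained")
PHASES = ("detect", "triage", "respond")


def phase_durations(timeline):
    """Return the minutes spent in each phase as floats keyed by phase name."""
    times = [datetime.fromisoformat(timeline[name]) for name in MILESTONES]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        raise ValueError("timeline milestones must be in non-decreasing order")
    return {
        phase: (later - earlier).total_seconds() / 60
        for phase, earlier, later in zip(PHASES, times, times[1:])
    }


def evaluate_1_10_60(timeline, thresholds=THRESHOLDS_MIN):
    """Map each phase to True if it met its threshold, False if it overran."""
    durations = phase_durations(timeline)
    return {phase: durations[phase] <= thresholds[phase] for phase in PHASES}


def beats_breakout(timeline, breakout_min=BREAKOUT_MIN):
    """True if first activity to containment took less than the breakout time."""
    return sum(phase_durations(timeline).values()) < breakout_min


def report(timeline):
    """Human-readable summary, one line per phase plus the breakout verdict."""
    durations = phase_durations(timeline)
    verdicts = evaluate_1_10_60(timeline)
    lines = [
        f"{phase:>7}: {durations[phase]:6.2f} min "
        f"(limit {THRESHOLDS_MIN[phase]:>2} min) {'OK' if verdicts[phase] else 'MISSED'}"
        for phase in PHASES
    ]
    total = sum(durations.values())
    lines.append(
        f"  total: {total:6.2f} min vs {BREAKOUT_MIN} min breakout "
        f"{'OK' if beats_breakout(timeline) else 'TOO SLOW'}"
    )
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TIMELINE)))
```

With the sample timestamps, detection (45 seconds) and response (44 minutes) are within their limits, but triage at 13.25 minutes overruns the 10-minute target, and the 58-minute total is well past the 18-minute figure, which is exactly the situation the post warns about: individually reasonable phases that still add up to a window an intruder can exploit.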

The attacker’s next step is generally to ransom your data, demanding a fee in the millions of dollars, usually in cryptocurrency, before they’ll give you the decryption keys to unlock your systems. If you refuse to pay, they’ll most likely post your data online, which depending on your business could expose the data of all your customers and suppliers to the internet. Not ideal.

If, as part of your incident response plan, you already have an incident responder either internally or on retainer, they can get to work immediately and start investigating.

The reality is that if a malicious threat actor wants to get access to your network, they will. The key to minimising the damage is making sure you’ve got the defensive controls in place to catch them early and stop them before they do too much damage.

That means that either internal capability or an existing relationship with a business like ours, one that lets you detect the threat almost immediately, triage it quickly and act fast, is the best way to defend against a potentially catastrophic cyber-attack.