Dealing with a major cyber attack is a specialist skill and, fortunately, not something that most IT teams need to address on a day-to-day basis. If the worst does happen, it’s a good idea to bring in specialist cyber incident responders to help you neutralize and clean up the attack.
Responding to a critical cyberattack can be incredibly stressful. While nothing can completely alleviate the stress of dealing with an attack, having an effective incident response plan in place is a surefire way to minimize the impact. Knowing in advance who to contact for specialist cyber incident support will speed up your response and reduce the financial and operational costs of the incident.
Our research shows that 90% of organizations have some form of incident response plan. By adding Sophos Rapid Response to yours now, you won’t lose time trying to identify a provider in the middle of the attack.
If you’ve not yet considered using an emergency cyber incident response service, these three recent situations where the Sophos Rapid Response team was brought in to assist may prompt you to keep an expert’s phone number on speed dial.
- Modified IT systems increase risk
Many businesses underwent a significant change to adapt to the COVID-19 pandemic and new remote working models. For one mid-sized, 24/7 media company, moving a network from air-gapped to online changed their level of risk, inadvertently leaving them open to attack.
Attackers released ransomware a few hours later at 4 a.m. local time. For the next four hours, the target’s IT and Sophos’ Rapid Response team were locked in live combat with the human adversaries orchestrating the attack.
The attack ultimately failed, but not before the attackers encrypted the data on unprotected devices, deleted online backups, and decimated one online and undefended domain.
- You are being watched
Many organizations lack the visibility of their network that allows them to recognize an adversary lying in wait, as was the case with the Colonial Pipeline ransomware attack.
Many of today’s ransomware operators prefer to operate in complete stealth until it’s time to release their final payload, often during company downtime. According to Sophos’ Active Adversary Playbook 2021, the observed median attacker dwell time is 11 days, with some companies having attackers in their network for six months or more.
Likewise, in the throes of an attack, a method of communication needs to be established to ensure a quick response. This should take into account the possibility that your normal channels of communication (i.e. corporate email) may be impacted by an incident. You’ll want to talk to people about what’s happening but the attackers may be eavesdropping, so don’t use your normal channels of communication. If the intruders have been in your network for a while, they’ll probably have access to email, for instance.
- User education is key
In the case of an attack on a life sciences research institute involving Ryuk ransomware, students used their personal computers to access the network. This left the institute exposed the moment one of these external university students decided they wanted a personal copy of a data visualization software tool they were already using for work. To avoid buying costly software, they searched for a “cracked” version and instead downloaded a malicious info-stealer which set wheels for the ransomware attack into motion.
In this case, the implementation of robust network authentication and access controls, combined with end user education might have prevented this attack from happening. It serves as a powerful reminder of how important it is to get the security basics right.
Have an effective incident response plan in place and update it as needed. If you don’t feel you have the skills or resources in place to do this – to monitor threats or to respond to emergency incidents – consider turning to external experts for help.
Remember that you may not be able to use your regular channels of communication during an incident. Plan ahead by ensuring key contact (including external experts) are detailed within your response plan and make sure you can access the plan offline.
If you are experiencing an active incident, the Sophos Rapid Response service can help get you out of a cyber incident fast. Our team of expert incident responders are available 24/7/365 to help any organization experiencing an active breach.
Sophos’ regional Rapid Response phone numbers:
- USA: +1 4087461064
- Australia: +61 272084454
- Canada: +1 7785897255
- France: +33 186539880
- Germany: +49 61171186766
- United Kingdom: +44 1235635329