In the past few months, NTT Security has seen a sharp increase in the number of clients making use of our incident response support. Mitigating an active attack is certainly enough to keep an organization busy for quite a while, but when the attack is over, is it time to relax?
If you are doing this correctly, your answer should be “no”.
Preparing for attacks and mitigating them when they materialize is just the start. Many organizations fail to realize that a lot more work is still required after the attack is over. As an example, let’s say your organization identified a successful SQL injection attack that allowed attackers to steal your data. You’ve found the vulnerability, patched it, and are ready to move on with your day-to-day organizational agenda, right? Wrong.
Several post-attack tasks come to mind immediately, along with several things to check for:
- Notifying your Board of Directors of the impact of the attack
- Notifying your clients that you’ve been compromised, where required
- Identifying any backdoor access left by the attacker
- Checking for modified operating system and application files
- Checking for the addition of new user accounts to the system, the application and the supporting database
- Checking whether existing legitimate accounts have had their privileges escalated
- Determining whether known-good application code needs to be redeployed to replace attacker-modified files
- Identifying suspicious host or network services that do not belong
- Identifying malicious communication channels (Command & Control traffic)
- Conducting security assessments to determine whether other vulnerabilities exist
- Creating and preserving forensic images
- The list goes on…
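Several of the checks above (new accounts, escalated privileges, and modified or added files) come down to diffing the current state of a host against a snapshot taken before the incident. The script below is an added example, not code from the original post or from NTT Security; it assumes you kept a copy of /etc/passwd and a path-to-SHA-256 manifest of your application files as the pre-incident baseline, and the sample data in it is constructed for illustration.

```python
"""Post-incident baseline diff (added example, not from the original post).

Compares a pre-incident snapshot against the current state of a host to surface
three things the checklist calls for: new accounts, privilege changes to
existing accounts, and modified or added files. The snapshot formats (a saved
copy of /etc/passwd and a path -> SHA-256 manifest) are assumptions here.
"""
import hashlib
import os
from dataclasses import dataclass

# --- Constructed sample data: a "before" snapshot and the "after" state ---
PASSWD_BASELINE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:107:113:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
"""
PASSWD_CURRENT = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
postgres:x:107:113:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
support:x:0:0:support:/tmp:/bin/bash
"""
FILES_BASELINE = {  # path -> file bytes; contents are placeholders
    "/var/www/app/login.php": b"<?php // original login handler ?>",
    "/var/www/app/db.php": b"<?php // original database connector ?>",
    "/usr/sbin/sshd": b"placeholder-sshd-binary",
}
FILES_CURRENT = {
    "/var/www/app/login.php": b"<?php // original login handler ?>",
    "/var/www/app/db.php": b"<?php // database connector with appended code ?>",
    "/usr/sbin/sshd": b"placeholder-sshd-binary",
    "/var/www/app/.cache.php": b"<?php // file that was never deployed ?>",
}


@dataclass
class AccountFindings:
    new_accounts: list      # names present now but absent from the baseline
    uid0_accounts: list     # non-root accounts that now carry UID 0
    changed_accounts: dict  # name -> (before, after) for uid/gid/shell changes


def parse_passwd(text: str) -> dict:
    """Map user name -> (uid, gid, shell) from /etc/passwd-formatted text."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue  # blank or malformed line
        name, _pw, uid, gid, _gecos, _home, shell = parts
        users[name] = (int(uid), int(gid), shell)
    return users


def diff_accounts(baseline_text: str, current_text: str) -> AccountFindings:
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    new = sorted(set(cur) - set(base))
    uid0 = sorted(n for n, (uid, _, _) in cur.items() if uid == 0 and n != "root")
    changed = {n: (base[n], cur[n]) for n in base if n in cur and base[n] != cur[n]}
    return AccountFindings(new, uid0, changed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """path -> SHA-256 for an in-memory file set (used for the sample run)."""
    return {path: sha256_hex(data) for path, data in files.items()}


def manifest_from_disk(root: str) -> dict:
    """Same manifest built from a real directory tree; not used by the sample."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # hash the targets, not the links
            with open(path, "rb") as fh:
                manifest[path] = sha256_hex(fh.read())
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def run_sample() -> tuple:
    accounts = diff_accounts(PASSWD_BASELINE, PASSWD_CURRENT)
    files = diff_manifest(build_manifest(FILES_BASELINE), build_manifest(FILES_CURRENT))
    return accounts, files


if __name__ == "__main__":
    accounts, files = run_sample()
    print("new accounts:    ", accounts.new_accounts)
    print("non-root UID 0:  ", accounts.uid0_accounts)
    print("changed accounts:", accounts.changed_accounts)
    print("modified files:  ", files["modified"])
    print("added files:     ", files["added"])
    print("removed files:   ", files["removed"])
```

On the constructed data this flags the new UID 0 account `support`, the shell change on `www-data` (from nologin to an interactive shell), the modified `db.php`, and the never-deployed `.cache.php`. Two caveats apply on a real host: the baseline must come from a trusted source (a known-good build, a package manager's own file list, or a pre-incident backup), because a manifest taken after the compromise simply whitelists the attacker's changes; and a compromised kernel or rootkit can lie to any tool running on the live system, so hash the disk from a forensic image or trusted boot media, which is also why the checklist above asks for forensic images in the first place.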
Let’s address our earlier question again. When the attacks are over, is it time to relax? No.
In fact, post-incident work can often cost as much as, or more than, the incident itself. It is nonetheless a vital part of the process.
But why should we do these things?
You were vulnerable once before, and the attacker knows this. Do you think they will try again? I do. Worse yet, if other attackers learn that you have been compromised, do you think that might encourage them to attack as well? Unfortunately, that answer is also “yes”.
In closing, it is vital to ensure that you perform proper post-incident analysis. It will help your organization prepare for future attacks and significantly increase your organization’s knowledge of what you’re up against.