
The Good, The Bad and the Ugly? Lessons from Incident Responses

Learn the dos and don'ts for your incident response plan from real-life incidents.

By Omkar Hiremath

Perfect security is a myth. No matter how good your security is, it's never complete: there's always a chance of being attacked and breached. Our first priority is of course strengthening our defenses and reducing those chances, but it's just as important to prepare for when things go wrong. Incident response is the process of handling a cyberattack or breach: identifying the attack and its effects and containing the damage. Having an incident response plan will help you handle incidents efficiently and securely. And what better way to learn than from real-life examples? In this post, we'll go through some real-life incidents and draw lessons from them. But first, let's understand why an incident response plan is important.

Why Do You Need an Incident Response Plan?

There have been many instances where a bad incident response plan has let an attack spread or breaches repeat, at great expense to the organization. This shows that it's not just performing incident response that matters, but how well you do it. Let's look at some aspects that explain why you need an incident response plan.

Early Response Limits the Attack

Incident response starts as soon as you detect an attack or breach. Not all breaches start with a server or database being hit first. A good number of attacks start at employees' workstations and then move towards high-value assets. With an incident response plan, you can respond efficiently as soon as you detect an attack.

Different incident response actions help limit the spread of an attack. For example, an IPS might block an attacker, and an EDR system might stop a malicious process from executing. If a SIEM notifies the security expert on call, that expert can take the affected system offline or quarantine it from the organization's network and the internet, which helps prevent the malware from spreading to other systems.
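The paragraph above describes the chain from individual alerts (IPS block, EDR block, SIEM notification) to a containment decision. The following is an added example, not code from the article: a small correlation routine that reads constructed, SIEM-normalised JSON-lines events (the field names and severity weights are assumptions for this example, not any vendor's schema) and turns each host's alerts into a triage decision of "quarantine", "notify" or "monitor".

```python
"""Toy SIEM correlation: scattered IPS/EDR/proxy alerts -> per-host triage decision.
Added example with constructed data; not the article's own code."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field names are an assumption for this example.
SAMPLE_EVENTS = """\
{"ts": "2022-08-01T09:00:05Z", "source": "proxy", "host": "ws-014", "user": "alice", "action": "allowed", "detail": "https://login-portal.example/"}
{"ts": "2022-08-01T09:00:40Z", "source": "ips", "host": "ws-014", "user": "alice", "action": "blocked", "detail": "outbound beacon to known-bad IP"}
{"ts": "2022-08-01T09:01:10Z", "source": "edr", "host": "ws-014", "user": "alice", "action": "blocked", "detail": "malicious process execution"}
{"ts": "2022-08-01T09:05:00Z", "source": "edr", "host": "ws-014", "user": "alice", "action": "detected", "detail": "lateral movement attempt to srv-db-01"}
{"ts": "2022-08-01T10:15:00Z", "source": "proxy", "host": "ws-022", "user": "bob", "action": "allowed", "detail": "https://intranet.example/"}
{"ts": "2022-08-01T10:16:00Z", "source": "edr", "host": "ws-022", "user": "bob", "action": "blocked", "detail": "malicious process execution"}
"""

WINDOW = timedelta(minutes=15)

# Weight per (source, action). A block that is followed by a lateral-movement
# detection on the same host pushes the score over the quarantine threshold.
SEVERITY = {("ips", "blocked"): 2, ("edr", "blocked"): 3, ("edr", "detected"): 4}
QUARANTINE_AT = 7
NOTIFY_AT = 3


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def worst_window_score(host_events):
    """Highest summed severity seen inside any WINDOW-long slice of one host's timeline."""
    best = 0
    for i, start in enumerate(host_events):
        score = 0
        for ev in host_events[i:]:
            if ev["ts"] - start["ts"] > WINDOW:
                break
            score += SEVERITY.get((ev["source"], ev["action"]), 0)
        best = max(best, score)
    return best


def triage(events):
    """Return {host: decision}; decision is 'quarantine', 'notify' or 'monitor'."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    decisions = {}
    for host, evs in by_host.items():
        score = worst_window_score(evs)
        if score >= QUARANTINE_AT:
            decisions[host] = "quarantine"   # isolate from network and internet, page on-call
        elif score >= NOTIFY_AT:
            decisions[host] = "notify"       # on-call expert investigates
        else:
            decisions[host] = "monitor"
    return decisions


if __name__ == "__main__":
    for host, decision in triage(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {decision}")
```

The point of the window is that the same EDR block on its own only warrants a notification, while the same block followed within minutes by a lateral-movement detection is what justifies pulling the host off the network before it reaches the high-value assets mentioned above.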

Compliant With Regulations

Various regulatory bodies put a lot of effort into building and publishing security guidelines for organizations. Depending on the nature of your business, you may be legally required to comply with these regulations. An incident response plan helps you stay compliant: because it defines processes and strategies up front, it makes compliance less painful.

Business and Financial Losses

Cyber incidents affect your reputation, revenues, and operations. Most organizations deal with some kind of sensitive data or provide services for business operations. When either of these takes a hit, vendors, shareholders, business partners, and customers won’t like it. This will impact the revenue and investment opportunities of your organization.

In addition, handling and recovering from a cyber incident is not cheap. The average cost of a data breach is somewhere around $4.3 million. A good incident response plan will help you minimize, if not eliminate, these costs.

Improve Security

A good incident response plan provides useful insights into where your security is lacking. You might have implemented every guideline from various frameworks and mitigated known vulnerabilities, yet still have gaps. An incident response plan will help you find and fill those gaps.

These are some of the major reasons why you need an incident response plan. Now it’s time to look at some learnings from real-life breaches.

Good and Bad Incident Response Plan Lessons from Cybersecurity Breaches

The Good: Cloudflare

In August 2022, Cloudflare was targeted by a phishing attack. Several Cloudflare employees and their family members received a phishing SMS on their phones. The SMS contained an official-looking (but fake) domain that had been registered just 40 minutes before the messages were sent out. Although authentication required a TOTP, the attackers had set up a real-time relay to defeat this mechanism.

One of the main reasons Cloudflare wasn't breached, even though some of its employees fell for the phishing, was that they used FIDO2-compliant security keys. These keys are tied to users and implement origin binding, so the attackers had no way to defeat them.

Once the attack was identified, Cloudflare blocked the phishing domains on their gateway and worked with the providers to get the domain taken down. They then investigated further to identify any other indicators of compromise and reset the compromised credentials so that they couldn't be used again. To catch such attacks faster in future, they updated their detections for this type of attack.

The Bad: LifeLabs

In November 2019, LifeLabs suffered one of the largest breaches in Canada. Information on around 15 million customers was compromised, including names, email addresses, dates of birth, card numbers, and customer login IDs and passwords. LifeLabs had to pay the attackers to regain the stolen information. The breach also led to a $1.2 billion USD class-action lawsuit against the organization.

One of the main reasons this breach succeeded was that LifeLabs hadn't taken enough security precautions to protect its data. An investigation revealed that LifeLabs lacked necessary security policies and was not compliant with the country's health privacy laws. The organization later implemented security policies and detection mechanisms, but by then it was too late. This is a good example of why regulations and compliance matter and how neglecting them can lead to breaches.

The Ugly: Equifax

In 2017, Equifax suffered a breach that compromised the details of around 143 million customers. The breach began when attackers exploited a vulnerability (CVE-2017-5638) that the organization had left unpatched. Due to insufficient security mechanisms, the attackers were able to move on to other servers. They were then able to extract data undetected because Equifax had failed to renew an encryption certificate. The attackers found jackpot after jackpot.

Equifax did poorly on the security side in preventing this breach, and it didn't do well after the breach either. First, it didn't make a public announcement soon enough. There were also accusations of insider trading by people who knew of the breach before it was disclosed. Equifax created a new domain (equifaxsecurity2017.com) for consumers to check whether their information was compromised. Security experts criticized this, since attackers could create similar-looking phishing websites for further attacks, and the site was indeed flagged as a phishing website by several security vendors. The Equifax Twitter account then accidentally tweeted a link to a spoofed site, creating further risk. It was a series of disasters for Equifax.

The above examples teach us how to, and how not to, handle cyber incidents. Let's summarize the lessons.

Lessons Learned

Have Good Detection Systems

Having good detection systems helps you identify attacks sooner and act upon them. By doing so, you can restrict the attack and limit the breach.

Basic Security Is Not Enough

There are baselines for security, but it's important to remember that they're just baselines. Attackers routinely prepare to defeat basic security mechanisms. Basic security is a good place to start, but there's a long road ahead. In the Cloudflare case above, if authentication had required only credentials and a TOTP, the attackers would have succeeded.
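Both the Cloudflare account above and this paragraph turn on one mechanism: a real-time relay defeats a TOTP because the code is just a number the victim types anywhere, whereas a FIDO2 assertion is bound to the origin the browser is actually on. The following is an added example, not Cloudflare's or the article's code. It implements TOTP per RFC 6238 and a deliberately simplified WebAuthn-style assertion; the simplifications are assumptions for this example: the authenticator's private-key signature is replaced by an HMAC over the same data with a per-credential secret, and the relying-party ID is taken to be the origin's host.

```python
"""Relay attack against TOTP vs. an origin-bound FIDO2-style credential.
Added example; HMAC stands in for the authenticator's asymmetric signature."""
import hashlib
import hmac
import json
import os
import struct

# ---------- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) ----------
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_login(server_secret: bytes, submitted_code: str, now: int) -> bool:
    return hmac.compare_digest(totp(server_secret, now), submitted_code)


def totp_relay_succeeds(user_secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; attacker forwards it at once.
    Nothing ties the code to the site it was typed into, so the real site accepts it."""
    code_typed_on_phishing_page = totp(user_secret, now)
    return totp_login(user_secret, code_typed_on_phishing_page, now)


# ---------- FIDO2/WebAuthn-style assertion with origin binding ----------
LEGIT_ORIGIN = "https://login.example"      # constructed relying-party origin
LEGIT_RP_ID = "login.example"               # assumption: rpId == origin host


def authenticator_sign(cred_key: bytes, rp_id: str, client_data_json: bytes):
    """Authenticator signs rpIdHash || SHA-256(clientDataJSON). In a real
    authenticator the credential is scoped to rp_id and would not even be
    found for a foreign rpId; here we sign anyway to show verification still fails."""
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data_json).digest(),
                   hashlib.sha256).digest()
    return auth_data, sig


def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: str):
    """The browser, not the user, writes the origin it is really on into clientDataJSON."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    rp_id = page_origin.split("://", 1)[1]
    auth_data, sig = authenticator_sign(cred_key, rp_id, client_data)
    return client_data, auth_data, sig


def rp_verify(cred_key: bytes, expected_challenge: str,
              client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Relying party checks origin, challenge, rpIdHash and the signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("origin") != LEGIT_ORIGIN:
        return False
    if not hmac.compare_digest(data.get("challenge", ""), expected_challenge):
        return False
    if auth_data != hashlib.sha256(LEGIT_RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def fido2_legit_login(cred_key: bytes) -> bool:
    challenge = os.urandom(16).hex()
    cd, ad, sig = browser_get_assertion(cred_key, LEGIT_ORIGIN, challenge)
    return rp_verify(cred_key, challenge, cd, ad, sig)


def fido2_relay_succeeds(cred_key: bytes, phishing_origin: str = "https://login-example.test") -> bool:
    """Attacker fetches a fresh challenge from the real site and forwards it to the
    victim, whose browser is on the phishing origin. The assertion comes back bound
    to that origin (and its rpIdHash), so the real site rejects it."""
    challenge = os.urandom(16).hex()
    cd, ad, sig = browser_get_assertion(cred_key, phishing_origin, challenge)
    return rp_verify(cred_key, challenge, cd, ad, sig)


if __name__ == "__main__":
    print("TOTP relay accepted:", totp_relay_succeeds(b"12345678901234567890", 1659312000))
    print("FIDO2 legit login:", fido2_legit_login(b"k" * 32))
    print("FIDO2 relay accepted:", fido2_relay_succeeds(b"k" * 32))
```

The TOTP function is checked against the RFC 6238 test vector (secret `12345678901234567890`, T=59 gives 94287082, whose last six digits are 287082). The relay succeeds against TOTP because nothing in the code identifies where it was entered; it fails against the FIDO2-style assertion on two independent checks, the origin string inside clientDataJSON and the rpIdHash, which is the origin binding the article credits with saving Cloudflare.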

Regulations and Security Frameworks

Regulations and security frameworks act as guidelines for security. Complying with them not only saves you from fines but also reduces the chances of a breach.

Vulnerability Management

This is one of the simplest, and most often regretted, aspects of security. Vulnerability management and patching are crucial. One of the first things attackers do is check for known, unpatched vulnerabilities, since exploiting one saves them from building a custom attack. If you're breached through a known, unpatched vulnerability, you'll surely regret it: the information you needed was available, and you failed to act on it.

Security Awareness and Training

Humans are one of the weakest links in security. It's therefore important to educate employees on security practices and on what to do when they come across something suspicious. Security awareness and training reduce the chances of falling victim to social engineering and other attacks.

Now that we've gathered some insights from the above examples, let's go through what a good incident response plan should look like.

Your Incident Response Plan

Here are some points to consider to build a good incident response process and plan:

  • Build a plan that addresses various situations, but don't overcomplicate it; keep it simple.
  • Test your security and backups.
  • Investigate incidents thoroughly and remediate the issues before bringing systems back online and connecting them to the network.
  • Test your plan, run drills to identify any gaps in the plan, and enhance it.
  • Establish common ground for communication and collaboration.
  • Build well-trained and well-managed teams.

Conclusion

Cybersecurity is not all about preventing attacks. It’s also about how you respond to attacks and breaches. Incident response is one of those aspects of cybersecurity where almost every scenario is different and unique in itself. Therefore it’s important to have a good incident response plan.

We started by understanding the need for an incident response plan and then looked into some examples to extract learnings from them. The lessons learned from these examples are something every organization should focus on. Because hacks are inevitable, the company’s response to those hacks is what makes all the difference.
