Incident Response: how leaders can prepare for cyberattacks


Being prepared makes dealing with cyberattack incidents less stressful.

Despite our best efforts to prevent cyberattacks, there is still a possibility that an incident will occur. Do we have a plan for when that happens? Do your staff know what to do and when? When the adrenaline runs high, that is not the best time to make decisions.

How fast you can recover directly reflects your preparation.

The Health Industry Cybersecurity Practices (HICP) document contains incident response practices that help organizations prepare.

This article is the eighth in a series. Previously, we discussed email protection, endpoint protection, identity and access management, data protection, IT asset management, network management, and vulnerability management. The idea is to make cybersecurity practices accessible to small and medium organizations.

Looking at HICP practice requirements

For small organizations, HICP calls for the following practices:

  • Having an incident response plan for malware (by rebuilding the computer) and phishing attacks (by identifying, blocking, and removing the malware)
  • Participating in an organization that does incident sharing and analysis

For medium organizations, HICP adds:

  • Building a Security Operation Center (SOC)

For large organizations, HICP has the following additions:

  • Having incident response orchestration
  • Establishing a baseline for network traffic
  • Leveraging user behavior analytics
  • Utilizing advanced honeypots as deception technologies

This article will describe the tools that small and medium organizations can use to adopt incident response practices. Specifically, we will look at backup and anti-phishing tools for small organizations. Then we will look at SIEM & SOAR tools for medium organizations.

Backup and Recovery Tool

Recovering from a malware or ransomware attack means restoring the computer to its previously known good state.

One way to do this is to rebuild the computer from a known good backup. Restoring the whole computer from an image (bare-metal recovery) is faster than restoring it file by file.

Veeam Agent for Microsoft Windows [1] is a tool for backing up the entire computer and performing bare-metal recovery.

The agent can create an image backup of the entire Windows workstation and store it in a file share on Azure Files. Please disconnect this network share whenever a backup is not running; otherwise, ransomware that reaches the workstation can find and encrypt the backup as well, and at that point you can no longer perform recovery.
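One way to enforce the connect-only-during-backup rule described above, as an added PowerShell example that is not from the article, Veeam, or Microsoft. The storage account name, share name, key variable, and the command that starts the Veeam job are placeholders and assumptions; substitute your own values.

```powershell
# Added example: map the Azure Files backup share only for the duration of the
# backup job, then disconnect it so the backup is unreachable between jobs.
# Assumptions (placeholders): storage account "examplestore", share "veeam-backups",
# the account key supplied at run time in $env:BACKUP_SHARE_KEY, and a backup
# command that returns only when the job has finished.

$StorageAccount = 'examplestore'     # placeholder storage account name
$ShareName      = 'veeam-backups'    # placeholder share name
$LocalDrive     = 'Z:'
$RemotePath     = "\\$StorageAccount.file.core.windows.net\$ShareName"

# Assumed: this script block starts the Veeam Agent job and blocks until it completes.
# Replace it with whatever starts your image backup synchronously.
$BackupCommand  = { & 'C:\Program Files\Veeam\Endpoint Backup\Veeam.EndPoint.Manager.exe' /backup }

if (-not $env:BACKUP_SHARE_KEY) {
    throw 'BACKUP_SHARE_KEY is not set; refusing to run without the storage account key.'
}

# The share must never be connected outside the backup window, so an existing
# mapping is a configuration problem worth investigating rather than silently reusing.
if (Get-SmbMapping -LocalPath $LocalDrive -ErrorAction SilentlyContinue) {
    throw "$LocalDrive is already mapped; the backup share should not be connected between jobs."
}

try {
    # Map the share for this session only: no -Persistent and no cmdkey /add, so the
    # credential is not cached on the workstation where malware could reuse it later.
    New-SmbMapping -LocalPath $LocalDrive -RemotePath $RemotePath `
        -UserName "localhost\$StorageAccount" -Password $env:BACKUP_SHARE_KEY | Out-Null

    & $BackupCommand
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Backup job exited with code $LASTEXITCODE."
    }
}
finally {
    # Always disconnect, even if the job failed, so the image is not reachable from
    # the workstation when ransomware runs later.
    Remove-SmbMapping -LocalPath $LocalDrive -Force -ErrorAction SilentlyContinue
    if (Get-SmbMapping -LocalPath $LocalDrive -ErrorAction SilentlyContinue) {
        Write-Error "$LocalDrive is still mapped after the backup job; disconnect it manually."
    }
}
```

Run it from a scheduled task under a dedicated backup account rather than the user's interactive session, so the key variable and the mapped drive are never visible to the user's everyday processes.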

Besides performing backups, the agent also lets you create bootable USB/DVD recovery media. After a ransomware attack, this media lets you boot the computer and retrieve the image from the cloud-based network share to recover the entire computer.

Anti-Phishing Tool

To defend against phishing attacks that arrive by email, we have to harden the email server.

In an earlier article, we selected Microsoft Exchange Online as our email server. Furthermore, the Microsoft 365 Business Premium plan we chose earlier comes with Defender for Office 365 features [2].

For example, besides typical phishing protection, it has policies to prevent impersonation [3]. This feature is essential because an attacker is likely to impersonate the CEO to send money transfer instructions to staff.

It also comes with mailbox intelligence (AI) and spoof intelligence to provide anti-phishing protection.

SIEM & SOAR Tool

For medium organizations, the HICP document includes a Security Operation Center (SOC) and a Security Information and Event Management (SIEM) tool as part of the incident response practice.

Microsoft Sentinel is a cloud-based SIEM and Security Orchestration Automation and Response (SOAR) service [4].

Because Sentinel is provided as a service, Microsoft maintains the SIEM system and its infrastructure. This matters because getting a functional SIEM system running takes skills and resources.

With system maintenance tasks handled by Microsoft, our SOC analysts can then focus their time and effort on dealing with security incidents.

Sentinel also provides playbook automation to respond to alerts and incidents. This is built on Azure Logic Apps, which lets us create automated workflows and comes with connectors to many other applications and data sources.

For example, an automated workflow could create a service ticket when an alert is received. This automation frees our SOC analysts to focus on dealing with incidents.

Looking at the cost

The cost of the anti-phishing features (Microsoft Defender for Office 365) is already included in the Microsoft 365 Business Premium subscription.

Our backup and restore tool involves two cost components: the software agent, and the file storage that keeps the backup images.

Veeam offers a Community Edition of Veeam Agent for Microsoft Windows. This free version is good enough for the job. We would consider the premium version when we have many endpoints and require centralized management.

To store the image backups, Azure Files charges based on usage. For example, assuming that the backup images for four computers total 1 TB (250 GB per computer), Azure charges $108/month as calculated by the Azure Pricing Calculator.

The labor required is to install the backup agent on all four computers (1 physician and 3 support staff), set up the Azure file share, and schedule regular backups. A knowledgeable IT contractor should be able to do this in 3 hours. Assuming that the backup jobs can be completed within 3 hours and the contractor charges $200/hour, we are looking at $600 to get this backup system set up.

Similarly, Microsoft Sentinel charges based on usage. Microsoft charges for the data stored in Sentinel and Log Analytics. To keep the estimate simple (forecasts should later be adjusted to actual usage), let's assume that we ingest 1 GB/day of logs from our tools. Using the Azure Pricing Calculator, the Pay-As-You-Go rate for that volume per GB/day (East US region) is $147.50/month.

Projected cost for adopting the HICP practices so far for a small organization (1 FTE physician + 3 support staff): $7,792 (first year) and $4,168 (subsequent years).

Note: Small clinics are unlikely to own and operate a SIEM/SOAR, so the cost for SIEM/SOAR is not included.

Conclusion

Having a plan in place helps to recover quickly when an incident occurs.

Microsoft Exchange Online and Defender for Office 365 provide anti-phishing capabilities against malware and phishing attacks.

If a ransomware incident still occurs, we could recover quickly by using the bare-metal recovery feature of Veeam Agent for Microsoft Windows.

The tools described above are affordable and accessible to small organizations. Coupled with strategic planning, small organizations can adopt the incident response practices defined by HICP.

References

[1] https://www.veeam.com/windows-endpoint-server-backup-free.html

[2] https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/protect-against-threats?view=o365-worldwide#part-2—anti-phishing-protection-in-eop-and-defender-for-office-365

[3] https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365

[4] https://azure.microsoft.com/en-us/services/microsoft-sentinel/