Carolina Cyber Center logo

Developing cybersecurity professionals of character
forging a more secure North Carolina

Generic Header Blue Background image

It’s Not If, but When: Incident Response and Data Retrieval

By Adam Bricker, Executive Director of the Carolina Cyber Center

Three days ago, the Swiss Government Computer Emergency response team blazed a warning regarding a zero-day exploit: Log4j. It is hard to overstate just how critical this exploit is – arguably the most significant cybersecurity threat ever. On a criticality scale of 1-10, Log4j is a ten.[i] In fact, it likely was already being exploited nine days before its discovery.[ii]

“Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives. Microsoft has observed activities including installing coin miners, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data from compromised systems.”[iii]

Log4j is a threat. But even though cyber incidents happen with disheartening, breathtaking frequency, it’s important to realize we are not entirely at the mercy of malicious actors. We need to be disciplined and vigilant if we are to successfully understand, prepare for, and respond to cybersecurity incidents. This is the specific focus of Measure 5 in our Reasonable and Prudent Guide.

What is an incident, really? Not every security threat results in a security incident. There are cyber events and cyber incidents. Incidents generally require disciplined, but no immediate, elevated action besides proper recognition and triage – like a phishing email. Flag it, isolate it, then move on as a due course of business. An incident occurs when that phishing email is swallowed, hook, line, and sinker resulting in compromised credentials. Now your data and systems may be at risk and thus warrant an elevated response.

How do you prepare for these incidents? We’ve outlined a much longer version, taking you step-by-step through the process in our Reasonable and Prudent Guide, but we advocate the CISA Tabletop exercise guide and have tailored it specifically for small business needs. Here are the basics of a Tabletop Exercise:

First, recognize that a Tabletop Exercise will be your fire drill to simulate your response to probable cyber incidents (e.g., ransomware, DDOS, account compromise). By running through the various exercises, your team fine-tunes the incident response plan and run books to increase the probability of an effective and efficient response.

Second, completing a Tabletop Exercise aids in business resumption, minimizing data loss, improving data recovery efficacy, and minimizing overall business disruption. If your company is negatively affected by Log4j, for example, what are your recovery steps? Like I noted in an earlier post, it took one hospital system weeks to re-start operations. Your small business likely can’t wait that long.

Don’t wait until your company is hit by a cyber threat like Log4j. Create your incident response plans (good templates are available for a jump start), start running through your incident response run books (respond, recover, PR, etc.) and recognize the value tabletop exercises can bring in terms of good communications, preparations, and role clarity (e.g., your MSP, internal IT, legal rep., insurance agent, etc.). Remember, human error accounts for 85% of breaches[iv], so invest in your human capital now. Prevention is a lot less expensive than response and recovery.

Finally, let us know how we can help you; our commitment is to help small businesses flourish with reasonable and prudent cybersecurity measures, tools, and services. Contact us to request our extended guide where we lay out full steps for the tabletop exercise, and many other resources we’ve created for your small business.

 

 

 

 

[i] Government Computer Emergency Response Team (2021, December 12). Zero-Day Exploit Targeting Popular Java Library Log4j. Govcert. Retrieved on 15 December 2021 from Zero-Day Exploit Targeting Popular Java Library Log4j (govcert.ch)
[ii] Lakshmanan, R. (2021, December 12). Apache Log4j Vulnerability—Log4Shell—Widely Under Active Attack. The Hacker News. Retrieved on 15 December 2021 from Apache Log4j Vulnerability — Log4Shell — Widely Under Active Attack (thehackernews.com)
[iii] Microsoft 365 Defender Threat Intelligence Team (2021, December 11). Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation. Microsoft Threat Intelligence Center (MSTIC). Retrieved on 14 December 2021 from Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation – Microsoft Security Blog
[iv] As reported by Verizon’s 2021 Data Breach Investigation Report

Get in contact with
Carolina Cyber Center