Part of cybersecurity is preparing your organization to deal with the fallout of an attack.
Implementing top-end cybersecurity solutions is a great preventative measure, but a cyberattack is often a matter of "when," not "if." In those moments, you will want some form of cyberattack remediation. This article discusses two types: phishing remediation and malware remediation.
What is Cyberattack Remediation?
Most of the work involved in cybersecurity is trying to prevent data breaches from occurring and protecting your organization’s digital assets.
But the reality is sometimes the security measures will fail (or, in the worst case, not be present at all), and you will find yourself amidst a data breach. A vitally important aspect of cybersecurity is dealing with data breaches; this is what we refer to as cyberattack remediation.
Essentially, the objective of your organization during the remediation phase is to limit or outright stop the effects of a security breach.
The remediation process can vary between incidents and organizations. Some will take the approach of "kill it till it stops," shutting down or wiping affected systems to stop the spread of the breach.
In some cases, this might be the appropriate response. Be aware, though, that powering a machine off destroys whatever exists only in memory (running processes, open network connections, decryption keys), which is often exactly the evidence you need to understand how the attack happened. With a well-defined remediation process, you might still be able to save affected systems, and the evidence on them, without having to use the nuclear option.
And it all starts with an Incident Response Plan (IRP).
Incident Response Plan (IRP)
You will see a common theme among all attack remediations mentioned in this article: incident response planning.
Having an IRP is the first step to a successful remediation process. It will help identify, before a breach, your existing gaps in security, where attacks are likely to come from, and steps to take during a security event.
Be sure to read this blog post to get you up to speed on the basics of incident response planning.
In brief, an IRP will get you prepared for a breach by:
- Identifying current gaps in security and suggesting methods to improve them
- Offering steps to contain and eradicate threats
- Creating a recovery process for affected systems
However, remediation is not limited to just an IRP. Some unique attacks will require unique solutions. In the following sections, we will explore some special attacks and suggest remediation processes for each.
Phishing attacks are on the rise. According to Verizon's 2019 Data Breach Investigations Report, 32% of breaches involved phishing, and in the same report Verizon found that 94% of malware was delivered via email, making email phishing one of the most critical types of phishing to guard against.
What Are Phishing Attacks?
The statistics might be frightening, but knowing your enemy is the first step in stopping their attacks. Phishing is a cyberattack that involves baiting the victim into downloading a malicious file or clicking on a malicious link (essentially, getting the victim to take action that favors the attacker).
This description is the basic concept of a phishing attack. However, the delivery of a phishing attack can vary in sophistication and type.
Here are the common delivery channels for phishing (email, text message and voice call) you can expect to see:
- Email Phishing: as the Verizon figures above show, attackers love delivering malware via email, and one way they get victims to accept it is through email phishing. Email phishing uses email to bait the victim; you have probably seen one in your own inbox. Often attackers impersonate a company with authority, for example, PayPal, to bait victims into giving up sensitive information such as login details. Usually something gives them away: a sender domain that does not match the impersonated brand, a Reply-To address pointing somewhere else entirely, or a link whose real destination differs from the text displayed. Not all phishing emails are created equal, though, and the better ones leave few such tells.
- Smishing and Vishing: like email phishing, attackers bait victims, but this time through text messages (smishing) or voice calls (vishing, over VoIP or the telephone network). Victims receive scam calls or texts warning them of some security issue that requires action right now. A common one today is the Amazon refund scam, which combines vishing and smishing: it often starts with an "urgent" text message, after which the attacker keeps the victim on a voice call while pretending to be Amazon customer service. During the call, the attacker gets the victim to install a remote access tool on their computer, which gives the attacker control of it. From there the attacker has the victim log into their bank account, fakes a transaction that appears to over-refund them, and convinces the victim to return the "overpaid" money.
Social engineering, the umbrella of which phishing falls under, is a complex beast to navigate and should be treated as a threat all on its own.
One of the most infamous cases of phishing was Operation Phish Phry, in which the Federal Bureau of Investigation (FBI) stopped a phishing operation of epic proportions. The FBI reported that over $1.5 million was stolen from victims of the attack and funneled to bogus bank accounts worldwide.
The attack targeted US banks and their account holders, whose financial information the attackers stole via email phishing.
It is always best for your organization to have a system in place for your employees to flag potential phishing attacks. With the proper security awareness training, over time, they will become better at discovering phishing attempts that should drastically reduce your organization’s chance of becoming a victim of these types of attacks.
However, there will be moments where more sophisticated attacks will slip through the security net, which is when you should execute the remediation processes.
As discussed in the introduction, an incident response plan is vital here. This plan should include methods to remediate phishing attacks. There is no one solution, and remediation will have to cover a few scenarios, but that’s why planning is essential.
Some processes you will want to include (both before an attack and after):
- Organizational phishing reporting scheme; make it possible for your employees to report suspected phishing attacks. This can help prevent successful attacks while giving your staff a chance to practice their security awareness training.
- Automated filtering; there are technical solutions that help remediate or even prevent attacks from occurring, the most common being the spam and phishing filtering built into email gateways. Many vendors offer email scanning that does a good job of detecting and removing spam or phishing emails; however, none is foolproof. Due diligence is required for the emails that do make it through, and sender authentication (SPF, DKIM and DMARC) should be enforced so that mail impersonating your own domain is rejected rather than merely scored.
- Virus and malware scanning; if you have clicked a phishing link or otherwise fallen victim to an attack, scan the affected system for viruses and malware immediately. The attacker may have loaded the email with malware, and a successful attack means the system may be infected. Some anti-virus software catches malware before it damages the system, but more sophisticated attacks might get through. If credentials were entered on a phishing page, reset them at once and revoke the account's active sessions; stolen credentials are often used within hours, long before any malware scan is finished.
- Containment and eradication; if viruses have been found, you must begin the eradication processes as soon as possible. Read our section on malware remediation below for more details.
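The tells listed under email phishing above (mismatched Reply-To, failed sender authentication, link text that shows one domain while the href points at another) can be checked mechanically, which is what an automated filter does before a human ever sees the message. The script below is an added example written for this article, not code from the original page or from RSI Security. It uses only the Python standard library; both messages it parses are constructed for the example, the `.example` domains are not real, and the `registered_domain` helper is a deliberate simplification (no public-suffix list), labelled as such in the code.

```python
"""Phishing e-mail triage: three mechanical tells.

Added example, not part of the original article. Parses a raw RFC 5322
message with the standard library and flags the giveaways discussed above:
  * the Reply-To domain differs from the From domain
  * an Authentication-Results header reports an SPF/DKIM/DMARC failure
  * link text shows one domain but the href points at another
Both messages below are constructed for this example (.example is reserved).
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

SAMPLE_EML = b"""\
From: "PayPal Support" <service@paypa1-secure.example>
Reply-To: collector@mail-drop.example
To: victim@corp.example
Subject: Action required: your account is limited
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=paypa1-secure.example; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your account within 24 hours.</p>
<p><a href="http://login.paypa1-secure.example/verify">https://www.paypal.com/signin</a></p>
</body></html>
"""

BENIGN_EML = b"""\
From: "Payroll" <payroll@corp.example>
To: victim@corp.example
Subject: Payslip available
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Your payslip is on the <a href="https://hr.corp.example/payslips">HR portal</a>.</p></body></html>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Anchor text that itself looks like a URL or bare domain (only then can it lie).
URLISH_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/:?#]|$)", re.I)
FAILING = {"fail", "softfail", "permerror"}


def address_domain(header_value):
    """Domain part of the first address in a From/Reply-To header ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def registered_domain(host):
    """Last two labels of a hostname. Assumption: no public-suffix list, so
    co.uk-style suffixes are not handled; good enough for a triage heuristic."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def find_tells(raw):
    """Return a list of human-readable reasons the message looks like phishing."""
    msg = message_from_bytes(raw, policy=policy.default)
    tells = []

    from_dom = address_domain(msg["From"])
    reply_dom = address_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        tells.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in FAILING:
            tells.append(f"{mech} result is {m.group(1)}")

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in ANCHOR_RE.findall(html):
        shown = URLISH_RE.match(re.sub(r"<[^>]+>", "", text).strip())
        if not shown:
            continue  # plain words such as "HR portal" cannot misrepresent a host
        shown_host, real_host = shown.group(1), urlparse(href).hostname or ""
        if registered_domain(shown_host) != registered_domain(real_host):
            tells.append(f"link text shows {shown_host} but points at {real_host}")
    return tells


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, find_tells(raw) or ["no tells"])
```

Run it as-is and the constructed sample produces three tells while the payroll notice produces none. Note what the Authentication-Results check relies on: the header is written by your own receiving mail server after it evaluates SPF, DKIM and DMARC, so the script must only trust a copy stamped by that server (a sender can add a fake "spf=pass" header of its own), and a message can pass all three checks and still be phishing if it comes from a look-alike domain the attacker legitimately owns, which is why the link and Reply-To checks are separate.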
Malware attacks vary drastically in scope and effectiveness. Malware is short for malicious software: software created by attackers and designed to infiltrate information systems and install itself undetected.
Once installed, it carries out whatever purpose its creator decided on, from silently stealing data to destroying it.
Defining all types of malware would be like naming all the bees in a hive, impractical. However, there are some commonly seen types of malware that you might already be familiar with:
- Spyware: as the name suggests, spyware infects the user's computer or network to gather information about their activity. Keyloggers are one form: they record what you type (credentials included) and send it to the attacker. Attackers might also employ spyware for blackmail, using your browsing data against you.
- Ransomware: another distinct type of malware. Ransomware holds your information system hostage by locking you out of it, usually by encrypting the files. Well-implemented encryption cannot be broken without the decryption key, which attackers are generous enough to provide, given you pay the ransom (hence the name). See below for one of the most infamous ransomware attacks, WannaCry.
- Man-in-the-Browser (MitB) attacks: MitB malware installs itself into the browser (as a malicious extension or by hooking the browser's own functions) and therefore sees web traffic after TLS has decrypted it, so HTTPS offers no protection against it. Banking trojans use this position not only to read credentials and session data but to alter transactions as they are submitted. Once the malware has gathered the data it was coded to collect, it relays it back to the attacker.
WannaCry Ransomware Attack
The WannaCry ransomware attack of May 2017 is one of the most infamous examples of this type of malware. If you Google "ransomware," you will almost certainly come across the red WannaCry ransom screen that was pictured here.
Image Source: Wikipedia, WannaCry article.
The malware infected computers, encrypted the files on the system, and demanded a Bitcoin payment to unlock the affected system. It targeted devices running Microsoft Windows and spread as a worm through a flaw in the SMBv1 file-sharing protocol (the EternalBlue exploit) that Microsoft had patched in March 2017 as MS17-010, two months before the outbreak; machines that had not applied the patch were infected without any user action.
Victims included the United Kingdom's public healthcare organization, the National Health Service (NHS), where it infected all sorts of devices, from office computers to MRI scanners.
The US and UK governments attributed the attack to North Korea. If there was an upside, many people got a crash course in cryptocurrency and how to buy Bitcoin.
Malware remediation can be a tricky path to map. Given the volume and complexity of malware, some organizations are hard-pressed when it comes to malware remediation.
However, malware remediation starts with malware defense. Thankfully, defenders are just as clever as attackers: for most techniques an attacker creates, a defender has built, or soon will build, something to detect it.
Anti-virus (today usually sold as endpoint protection or EDR) is the first line of defense for any network or computer system, a cybersecurity professional's best friend. The great thing about anti-virus is that it is pretty decent at combating the commodity malware that makes up most infections.
Attackers generally have to tailor their malware to bypass anti-virus, if they can at all. Much malware only succeeds on systems that have no anti-virus, or anti-virus that is poorly configured or out of date.
In cases where the malware has bypassed security measures, you will need to start the remediation processes immediately.
- Virus scanning: first things first, scan the computer or network to confirm whether malware is present; most anti-virus software includes this feature.
- Identify the malware: the second step is to identify it. What kind of malware is it? Has it been seen on other computer systems? Is it affecting your third-party network? Keep the sample (a file hash at minimum, ideally the file itself) rather than deleting it outright; these questions and that evidence are essential for your post-incident review.
- Containment: after you have identified the malware, contain it. This means ensuring it cannot spread to "neighboring" systems, for example by isolating affected hosts at the network level and disabling any accounts it has compromised. Containment might require you to shut down certain operations, which may slow productivity, but this is a necessary evil, as further infection could cripple your business even more.
- Eradication: after the malware has been contained, remove it so that it is no longer present on any device or network. Decide with your security team on the best course of action, remembering that rebuilding an affected system from a known-good image is often more reliable than cleaning it, and that the vulnerability or stolen credentials the malware came in through must be fixed as well, or it will come straight back. Always consider how these decisions might affect your operation in the long term.
- Clean up: the final step is to clean up the system (delete or recover files, restore from backups) and do a last review to confirm that no remnants of the malware remain, such as scheduled tasks, services or other persistence mechanisms it installed.
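The identify, contain and clean-up steps above turn on one practical point: keep the sample rather than deleting it. The script below is an added example written for this article, not code from the original page or from RSI Security. It shows the simplest form of identification, matching SHA-256 digests against an indicator list, and a containment step that moves hits into a write-protected quarantine directory named by hash instead of deleting them, so the sample is still there for the post-incident review. The indicator hash and the files created by `demo()` are constructed for the example; there is no real malware in it.

```python
"""Hash-based malware sweep with quarantine instead of deletion.

Added example, not from the article. Walks a directory tree, hashes each
file with SHA-256, matches the digests against an indicator list, and moves
hits into a write-protected quarantine directory named by hash, so the
sample survives for identification and the post-incident review.
The indicator and the files built in demo() are constructed for this example.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed indicator: digest of a stand-in payload (not real malware).
PAYLOAD = b"MZ\x90\x00 constructed stand-in for a malicious executable\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(PAYLOAD).hexdigest(): "Constructed.Dropper.A"}


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, indicators=KNOWN_BAD_SHA256):
    """Return [(path, sha256, family)] for every regular file matching an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # never follow links out of the tree being swept
            digest = sha256_file(path)
            if digest in indicators:
                hits.append((path, digest, indicators[digest]))
    return hits


def quarantine(hits, qdir):
    """Move each hit into qdir as <sha256>.quarantined, owner read-only.
    Returns a manifest (one dict per file) for the incident record."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for path, digest, family in hits:
        dest = qdir / f"{digest}.quarantined"
        shutil.move(str(path), str(dest))
        os.chmod(dest, stat.S_IRUSR)  # no execute bit: cannot be run by accident
        manifest.append({"original": str(path), "sha256": digest,
                         "family": family, "quarantined": str(dest)})
    return manifest


def demo():
    """Build a throwaway tree with one clean and one infected file, then sweep it."""
    root = Path(tempfile.mkdtemp(prefix="sweep-"))
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"quarterly figures\n")
    (root / "docs" / "invoice.exe").write_bytes(PAYLOAD)
    hits = sweep(root / "docs")
    manifest = quarantine(hits, root / "quarantine")
    return root, hits, manifest


if __name__ == "__main__":
    root, hits, manifest = demo()
    for row in manifest:
        print(f"{row['family']}: {row['original']} -> {row['quarantined']}")
    shutil.rmtree(root)
```

Two caveats a practitioner should keep in mind. A hash indicator only matches an exact copy of a known file; malware that is repacked or modified per victim will not be found this way, which is why real deployments add YARA rules or an EDR product's behavioral detection on top of hash matching. And quarantining on a live host is a containment step, not eradication: the process that dropped the file may still be running, and any persistence it set up will re-create the file on the next boot, so the network isolation and clean-up review described above still have to happen.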
Enlist The Help Of A Managed Security Service Provider (MSSP)
Sometimes when you fall, you just need someone to help pick you back up while you brush yourself off and get back in the saddle.
Cyberattacks are a reality in the modern business environment. In the best of cases, we can avoid them with best-practice cybersecurity. But even with top-shelf solutions, attackers get creative and find a way into your system.
Those are the moments you need remediation. Whether it be phishing remediation or malware remediation, getting help from an MSSP is always recommended.
Leverage their cybersecurity strengths and experience, partner with RSI Security today, and rest easy knowing your security is being taken care of; schedule a consultation here.
Get A Free Cyber Risk Report
Hackers don't rest; neither should you. Identify your organization's cybersecurity weaknesses before hackers do. Upon filling out this brief form, you will be contacted by one of our representatives to generate a tailored report.