Containing and Eradicating Threats

Cyber-attacks are becoming more frequent and sophisticated. That’s why it’s important to plan for how you’ll contain an attack. Containing an attack will buy precious time for your organisation to prepare for the eradication phase.

Below, we’ll suggest the steps you could take to stop the spread of an attack and to prepare for eradication.

Mapping the incident

The first step to containing an attack is finding out where the attack started. Look for alerts from your security monitoring tools. When you’ve found a compromise, check out all related systems. Like following a trail of breadcrumbs, use each piece of data to lead you to the next piece in the chain.

When you have a full picture of the attack, you’ll know what you need to contain.

Why is containment challenging?

Incident response teams have a difficult task because there’s no silver bullet for every situation. The path to containment depends not only on the nature of the compromise.

You also need to consider:

• The experience and skills of your incident response team
• The amount of preparation you’ve performed
• Your organisation’s risk appetite
• The plans in your playbooks that were created in the preparation phase

By considering these things, you’ll have a good understanding of any gaps you need to fill, who you might need to call in for help and the next steps you need to take.

It can be tempting to remediate a threat as soon as you identify it. And certainly, rapid action makes sense in some situations. For example, if you have ransomware spreading through your environment. However, if the threat isn’t time critical, the better approach may be to monitor the threat. Monitoring the threat and allowing it to remain gives you time to plan.

Planning eradication is important given there’s less of a risk that you’ll try to eradicate the attacker too quickly before the threat is contained. Eradicating too quickly will tip the attacker off which may cause for them to escalate the attack. The result could be sabotage, data exfiltration or rapid deployment of ransomware.

Supporting your incident response team

You can support your response team during the containment phase by:

1. Nominating an incident controller:Delegate authority to the controller so they can make faster changes and decisions. For example, quick decisions around purchasing and finances may be needed.
2. A comms plan:If the attacker has control of your environment, they could be reading your emails and instant messages to find out if they’ve been discovered. You’ll need an alternative option ready to roll out if you need to take the incident response team’s comms offline.
3. Keeping focus:Support your incident teams to focus by preventing distractions from other people in the business — people who might try to get information about the attack and want to be involved.

To know if you’re ready for eradication, you need to answer these questions:

• Do you understand the indicators of the compromise, and have you prioritised them?
• Have you mapped the attack and ring fenced the incident?
• Do you have effective monitoring in place?
• Do you have a response plan in the event of an escalation in the attack?

If you can give a confident yes to these questions, it’s a good indication you’re ready to evict the attacker.

If the attacker escalates before you’re ready for eradication, your only option may be to move straight into recovery then rebuild from scratch.

For example, in ransomware attacks where the entire environment has been disabled, the only option is to move straight into recovery and rebuild the environment. After eradication, you’ll need to keep monitoring for any indicators of an attack.

A sign of success can be seeing “cyber-attack tantrums”. A tantrum might look like increased attacks on your perimeter, a sudden spike in distributed denial-of-service (DDoS) attacks, password sprays or phishing attacks. Your attacker is trying to re-enter the environment or just being spiteful for being evicted.

Cyber-attacks are unfortunately going to happen again and again. That’s why you need to look at the lessons learned from the attack. Plug any gaps for next time by building better defences, monitoring and response capabilities to ensure a similar attack won’t succeed in the future.