FAQs on how to prepare for, prevent or detect a hack

On 30 July 2020, NCC Group Australia held a webinar on Cyber incident Response Planning, explaining how to prepare for, prevent or detect a hack. Our three hosts were Joss Howard, Cyber Security Senior Advisor at NCC Group, Tim Dillon, Director of Technical Security Consulting at NCC Group, and John Moran, Legal Partner at Clyde & Co. They shared their expertise on the most common questions they face in their roles, including how to create a cyber-incident response plan, responding to a breach, how threat actors typically gain access to a businesses’ systems, and the current cyber threats that are being seen in APAC.

In addition to this, they’ve also provided responses below to the Q&A questions asked by attendees during the webinar. We hope you find them helpful as you seek to prepare a cyber incident response plan for your business. If you require any further assistance, please reach out to our Sydney team on +61 (0) 2 9552 4451.

What is the best approach when conducting an incident simulation or testing your response plan?

The aim of the test or simulation is to challenge the procedural and technical response plan that you’ve created to see how your incident response team reacts. When we conduct tabletop exercises with our clients, we bring in our technical and risk consultants to challenge our client’s plan, playbooks and technical countermeasures. We recommend using a defined incident response framework when doing this, such as those created by NIST, SANS or the International Standards Organisation (ISO), to ensure you have a consistent approach.

As well as key stakeholders and your response team, you should also have an incident controller and deputy present who will act as the coordinators of the incident response plan. They have a key role in capturing events during the test, which is critical for understanding what worked and what needs to be improved. In a real scenario, the information they record may also be needed for forensic analysis or criminal proceedings.

Lastly, to simulate a real scenario, we also recommend setting a time limit on the test so that participants are working to deadlines - a speedy response can reduce the risk to business and customers in a real attack.

Who should be included in a cyber security incident response test or simulation?

In short, everyone! As part of your plan, you should have identified the key stakeholders who will form your incident response team, including relevant technical teams and business departments. The test is also an opportunity to include senior management in the process (as they would be in a real scenario), as well as department managers, vendors and key partners.

When we’ve conducted these exercises with clients, we’ve found that people always need to speak to other teams, not just the CIRT. They’ll need to talk to someone in communications to develop a press release, or someone in the legal team about the ramifications of an attack. Bringing everyone on board right from the beginning is fundamental for a successful response. For most larger organisations, we also recommend having a designated company spokesperson, who attends every test.

Comprehensive simulations such as these should be conducted annually. Simplified tests can be conducted more regularly, focusing on a certain process in the response plan, such as the IT function. Where the process leads to another party that is not in the scope of the test, this is recorded but no further action is taken. These simplified simulations are shorter in duration and involve less people, making them more suited to being conducted multiple times a year in between comprehensive annual tests.

Should you pay ransoms?

There is evidence that paying ransoms can sometimes be a cheaper option, especially when the organisation has cyber insurance. However, at NCC Group, we almost never recommend paying a ransom. This is for a couple of reasons.

Firstly, there is no guarantee that you’ll get the decryption keys when you pay the ransom. There is also no guarantee that the threat actors won’t attack you again at a later date. While you will hopefully have fixed the entry point used in the initial breach, with the information they gained during the first attack, they can create a believable social engineering attack and potentially exploit other vulnerabilities.

This is why it is still important for companies to wipe and reimage all computers after a ransomware attack, even if the decryption key has been paid for - you never know what the attackers may have changed while they had access.

Secondly, depending on your location, there could be an additional legal risk in paying the ransom. For example, paying a ransom to a criminal group listed on a US sanctions list could expose your company to hefty fines from the government.

Lastly, if you do pay a ransom, you may become a bigger target. Other criminal groups will see that you’ve paid once and will likely assume that you’ll pay again.

What is the best way to deal with Business Email Compromise (BEC) threats?

One of the major methods that threat actors use to access business emails is through phishing emails that ask employees to enter their credentials. Cyber security training is therefore critical for teaching workers to recognise these false emails and to question any request for their login details or other high value information.

Aside from phishing, poor password practices are another vulnerability that hackers often exploit to gain access to emails. One example we know of involved a CFO who was targeted. During a 2012 LinkedIn data breach that was made public, this CFO’s work email and Linkedin password had been disclosed. The criminals had access to this information and sometime later, when targeting the CFO’s business email, they ran through various iterations of his old LinkedIn password to guess his current corporate password. Unfortunately, the CFO was using a variation of the same password, which the hackers cracked and his email was compromised.

Obviously, good password management is critical, and password reuse and variations are never recommended. Organisations should provide a secure password manager to enable staff to store unique, long and complex passwords for each service they use. Where password managers are not an option, staff should be taught to use a passphrase instead of a password, as these are more secure.

Enabling multi-factor authentication (MFA) on your mail service is another line of defence and should prevent an attacker that has stolen your password from accessing your email. However, this is only the case if it is configured correctly. For example, if legacy authentication is still enabled, a hacker could bypass your MFA. For this reason, you should conduct penetration testing to ensure MFA is implemented correctly.

One of the other things to consider is how long you maintain your emails. If your business email is compromised and you have 10 years’ worth of undeleted emails, this will have a different impact to if you only have one year of data. You can minimise the risk by limiting the information stored in your inbox or mail archive by destroying it at regular intervals.

Which job roles and departments are usually the target of Business Email Compromise?

There are definitely some common targets that we see in BEC attacks, such as HR, Finance, C-Suite and Executive Assistants. It also depends on the industry and business, though. For example, in banking, the threat actors may go after the employees responsible for various payment systems. When it comes down to it, anyone who has access to valuable data, or the power to misdirect funds or send a payment request to another individual, could be a target.

It’s also worth noting that we generally see hackers work in two ways when it comes to BEC. Either they target one or two individuals, doing their homework and using social media to hone their attack, or they send it to scores of people and hope someone bites, so they can get a foothold in the company. We often find that ransomware begins as a behind-the-scenes BEC.

How much cyber security insurance coverage is adequate for a business?

A lot of companies don’t have insurance for cyber incidents. But in today’s threat environment, you really can’t afford to be without insurance, even if it’s just a low limit as a starting point.

The cost of recovering after a breach will depend on many factors - the extent of the compromise, damage to systems, reputational impact and cost of regulatory fines, to name a few. This makes it difficult to say what adequate coverage is for a business.

What we do advise is that businesses talk regularly with their insurers to continually update their policy and coverage. The cyber threat landscape is rapidly changing. Last year, we witnessed criminal groups demanding $2 million to decrypt their ransomware. More recently, there have been cases of $10 million ransoms being demanded. So talking to your insurer regularly allows you to keep your policy relevant to the current threat landscape.

Do you have experience with insurance companies paying the claim?

Our experience with insurers is good. We’ve had cases where there’s been confirmation of cover on the same day as the incident, and the insurer has come along on the incident response journey with the client.

Where you sometimes hear of cases in the media of insurers not paying, it is generally for policies which aren’t specifically for cyber security and where cyber coverage is a grey area in the policy. But for specific cyber incident policies, broadly speaking, we see claims covered.

To understand how NCC Group can help you prepare a cyber incident response plan or manage a breach, get in touch by emailing apac@nccgroup.com. If you’d like to watch the entire webinar, where Joss, Tim and John take a deeper dive on the topic, you can access a recording of the webinar here.