A cyber-attack calls for immediate, multiple, rapid actions. Mobilized as quickly as possible, the Consulting Analysts and their teams make their first moves with one major objective: to take stock of the ongoing attack. What kind of attack is it? Who are the attackers? What is their strategy? Above all, how can as many doors as possible be closed to them, to prevent them from striking the organization at its heart and causing a massive loss of data from which it can sometimes take several months to recover? These are crucial questions that must be dealt with as soon as possible.
Contextualize the attack, uncover the attacker's strategy
During this first stage of the response, it is appropriate, if not vital, to establish an overall picture as quickly as possible. Here it is particularly important to remember the value of close and active cooperation between the machine and the human being: while Artificial Intelligence and Machine Learning are of major help when parrying an attack, the contribution of the human brain remains of primary importance. The urgent task is then to contextualize the attack, to try to understand the attackers' objectives and strategy, but also to learn who they are, what their motivations are and where they come from. This work is supported by at least one Consulting Analyst, and in most cases by two, so that points of view can be confronted and enriched. In some cases of attacks that are particularly massive and difficult to contain, a team can be mobilized 24 hours a day, 7 days a week. This is what we might call the submerged part of the iceberg, that is to say, all the actions undertaken by the technicians.
The relationship with the customer is essential
There is also a visible part: the link with the customer. In such a context, this is essential. Understanding the attack requires in-depth discussions with the teams who, on the side of the impacted organization, are confronted with the attack and can sometimes be distraught. Reassure, assist, investigate, guide: these are the missions entrusted to certain Consulting Analysts. Martin Baker is one of them. His job: to maintain the link with the attacked client when the damage occurs.
“Sometimes the attack is quite classic, without nuance: it’s black or it’s white, and therefore quite easy to counter,” he explains. “As soon as the attack is triggered and the customer reports it to us, we will see it. We do a brief on what the teams think happened. What was discovered? What are the facts? We therefore seek to collect as much information as possible, at a time when everything is still fresh in everyone’s mind. Because of course we have to act quickly.”
Moving on to broad investigations
In many cases, the attack follows a classic pattern, which cyber defense experts have already encountered and for which they have ready-made answers. But in other cases, for example when an attack is massive, it is necessary to proceed methodically in order to provide a more tailored response. “We then produce a very precise timeline of the events that have occurred. Which machine was hit? Were there any lateral movements? When? To what position? Were we attacked by the ‘front door’? By the ‘back door’?”
In some configurations, the customer has a SOC, a Security Operations Center, which gives Martin Baker and his colleagues access to clear technical data. In other configurations, one has to start looking for a set of details, investigate, and reassemble the puzzle. “It can take quite a bit of time, sometimes weeks,” details Martin Baker. “The whole scenario needs to be traced: who are the attackers, why do they want to do certain things… Knowing their strategy is essential because we have a very good knowledge of the APT groups that are active and can, once they are identified, find answers. I remember one attack in which credentials were compromised, making identifying the source very tricky. In these cases, especially when the attack is massive, we increase the presence of analysts in the teams. It takes collective intelligence, but it also always takes a second look.”
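As an added illustration of the reassembly described in the two paragraphs above (this is example code, not the article's or Martin Baker's team's), the script below takes constructed log records from several hosts whose clocks sit in different timezones, normalizes them to UTC into one timeline, identifies the entry point, and flags logons that chain from a host already present on the timeline as candidate lateral movements. Hostnames, IP addresses, user and event names are all constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample records from three hosts' local logs, each written with
# its own timezone offset, as scattered details that must be put back in order.
# Fields: host, local timestamp, event, user, source IP ("-" when not a logon).
EVENTS = [
    ("srv-01", "2024-03-04T07:31:15+00:00", "logon", "alice", "10.0.5.23"),
    ("dc-01",  "2024-03-04T02:58:02-05:00", "logon", "alice", "10.0.1.10"),
    ("ws-07",  "2024-03-04T08:14:40+01:00", "logon", "alice", "10.0.5.23"),
    ("ws-07",  "2024-03-04T08:12:03+01:00", "attachment_opened", "alice", "-"),
    ("dc-01",  "2024-03-04T03:05:30-05:00", "credential_access_alert", "alice", "-"),
]
# Constructed asset inventory: which IP belongs to which host.
HOST_BY_IP = {"10.0.5.23": "ws-07", "10.0.1.10": "srv-01", "10.0.1.2": "dc-01"}


def build_timeline(events):
    """Normalize every record to UTC and sort, so that events from hosts with
    different clocks line up in their true order."""
    rows = []
    for host, ts, event, user, src in events:
        t = datetime.fromisoformat(ts).astimezone(timezone.utc)
        rows.append({"time": t, "host": host, "event": event, "user": user, "src": src})
    return sorted(rows, key=lambda r: r["time"])


def entry_point(timeline):
    """First host and event on the timeline: the 'door' the intruder came through."""
    first = timeline[0]
    return first["host"], first["event"]


def lateral_moves(timeline):
    """Flag logons whose source IP maps to a host already seen earlier on the
    timeline. Returns (from_host, to_host, user, utc_time) in chronological order."""
    touched = set()
    moves = []
    for r in timeline:
        src_host = HOST_BY_IP.get(r["src"])
        if r["event"] == "logon" and src_host in touched and src_host != r["host"]:
            moves.append((src_host, r["host"], r["user"], r["time"].isoformat()))
        touched.add(r["host"])
    return moves


if __name__ == "__main__":
    tl = build_timeline(EVENTS)
    for r in tl:
        print(r["time"].isoformat(), r["host"], r["event"], r["user"], r["src"])
    print("entry point:", entry_point(tl))
    print("lateral moves:", lateral_moves(tl))
```

Sorting by raw local timestamps instead would place the dc-01 records first and hide the chain, which is why the UTC normalization step comes before any interpretation.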
This diversity allows the teams to carry out an overall assessment once the attack has been contained and everything is back to normal. What happened? How did it happen? Is the firewall to blame? Was authentication breached? Was ransomware used, or does the weakness lie in an application? “By acting in this way, as close as possible to the customer, we try above all to act methodically, remaining very factual and process-based,” concludes Martin Baker. “Above all, we never judge companies. An attack can be very traumatic for them and our role – beyond the technical dimension of the work – is to reassure, to support, to help. Hoping that the assessment carried out at the end of the operations will allow the organization to recover all its data, and to start afresh.”
Companies and cyber-attacks: how to organize? – Widoobiz