The 5 W's of investigating a cyber attack
The National Cyber Security Centre reported in 2017 that nearly half of UK firms have been hit by a cyber breach or attack in the last year. Unfortunately for UK businesses, the threat of a cyber attack is becoming more likely as cybercrime continues to grow exponentially.
More than 50% of crimes in the UK are cyber related, which is hardly surprising when 1 million new malware samples or viruses are launched every day. The recent WannaCry ransomware attack, which affected over 100 countries and organisations in multiple industries, was a stark reminder that the cyber threat is very real, and that the £1.9 billion investment pledged by the UK Government is not being deployed fast enough to see results.
In 2016, there was a 600% increase in the number of ransomware attacks, a trend that seems set to grow without appropriate and rapid action.
Now, more than ever, it is vital for organisations to review their cyber security strategies to ensure there are the right systems, people, policies and procedures in place to not only protect against attacks, but to adequately recover from them.
Malware poses a serious threat to organisations, yet many still don't know how to protect against it or what to do once an infection has taken hold.
Malware can sit in an organisation's network for months without being detected, and will often lie dormant, spreading the infection, before attacking. Being able to detect malware on your network is vital for recovery, and requires a forensic level of investigation to get right.
To break it down, we've highlighted the 5 W's you need to ask to work through your investigation once a cyber attack has hit.
What is the malware doing? What did it take?
In order to recover from a malware attack, you need to understand what the malware is trying to achieve. Is it trying to steal your data? Is it trying to hold your data to ransom? Is it trying to maliciously take down your systems? The sooner you can understand this, the sooner you can get rid of the infection.
When did the malware infiltrate the network? How long has it gone unnoticed?
Once you understand what the malware is, you will be able to look back for suspicious activity on your network. This will help you create a timeline of events that identifies any shortcomings in your security and allows you to work on the next W…
Where is the malware now? Is it still on the network?
With any luck, you will find the malware before it's too late, whilst it's still in its infancy and hasn't had time to do serious harm. The main actions you need to take are finding where it is and eradicating it.
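The "when" and "where" questions above both come down to the same piece of forensic work: pulling events from several log sources, normalising their timestamps to one clock, and reading them in order. The following is an added example (not code from the original post or from Smoothwall) that builds such a timeline from constructed sample records, with an assumed proxy log in UTC, a Windows event export assumed to be in UTC+1, and syslog lines that carry no year. From the merged timeline it derives the earliest evidence on a host (the best estimate of when the compromise began), the dwell time before the alert that finally caught it, and the set of hosts involved.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from any real incident). Each source uses
# a different timestamp convention, which is the usual obstacle to building
# a single timeline:
#   proxy   - ISO 8601 with an explicit 'Z' (UTC)
#   winevt  - Windows-style local time; assumed here to be UTC+1 (BST)
#   syslog  - no year and no zone; assumed to be the incident year, in UTC
PROXY_LOG = """\
2017-05-10T09:14:02Z ws-17 GET update-cdn.example.invalid/upd.bin 200
2017-05-12T22:41:57Z ws-17 POST update-cdn.example.invalid/beacon 200
2017-05-13T22:42:01Z ws-17 POST update-cdn.example.invalid/beacon 200"""

EVENT_LOG = """\
10/05/2017 10:13:55 ws-17 4688 New process: OUTLOOK.EXE -> powershell.exe
10/05/2017 10:14:30 ws-17 7045 Service installed: UpdSvc
13/05/2017 23:50:12 ws-17 4624 Logon type 3 from ws-17 to fs-01"""

SYSLOG = """\
May 14 00:02:44 fs-01 smbd: ws-17 opened /srv/finance/payroll.xlsx
May 16 08:30:00 ws-17 edr: alert quarantined upd.bin"""

LOCAL_TZ = timezone(timedelta(hours=1))  # assumed zone of the Windows export
INCIDENT_YEAR = 2017                     # assumed year for the syslog lines
UTC = timezone.utc


@dataclass(order=True)
class Event:
    when: datetime   # always normalised to UTC so events sort correctly
    source: str
    host: str
    detail: str


def parse_proxy(text):
    for line in text.splitlines():
        ts, host, rest = line.split(None, 2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
        yield Event(when, "proxy", host, rest)


def parse_winevt(text):
    for line in text.splitlines():
        day, clock, host, rest = line.split(None, 3)
        local = datetime.strptime(f"{day} {clock}", "%d/%m/%Y %H:%M:%S")
        # Attach the assumed local zone, then convert to UTC.
        when = local.replace(tzinfo=LOCAL_TZ).astimezone(UTC)
        yield Event(when, "winevt", host, rest)


def parse_syslog(text):
    for line in text.splitlines():
        mon, day, clock, host, rest = line.split(None, 4)
        stamp = f"{INCIDENT_YEAR} {mon} {day} {clock}"
        when = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=UTC)
        yield Event(when, "syslog", host, rest)


def build_timeline(*parsed_sources):
    """Merge every source into one list ordered by UTC time."""
    return sorted(event for source in parsed_sources for event in source)


def first_seen(timeline, host):
    """Earliest event on a host: the best available estimate of infiltration."""
    return next(event for event in timeline if event.host == host)


def dwell_time(timeline, host, detection):
    """How long the host was compromised before the event that detected it."""
    return detection.when - first_seen(timeline, host).when


def hosts_touched(timeline):
    """Every host that appears in the evidence: where the malware has been."""
    return sorted({event.host for event in timeline})


def format_timeline(timeline):
    return [f"{e.when:%Y-%m-%d %H:%M:%S}Z {e.source:<6} {e.host:<5} {e.detail}"
            for e in timeline]


TIMELINE = build_timeline(parse_proxy(PROXY_LOG),
                          parse_winevt(EVENT_LOG),
                          parse_syslog(SYSLOG))
DETECTION = next(e for e in TIMELINE if "quarantined" in e.detail)

if __name__ == "__main__":
    print("\n".join(format_timeline(TIMELINE)))
    print("first seen on ws-17:", first_seen(TIMELINE, "ws-17").when)
    print("dwell time:", dwell_time(TIMELINE, "ws-17", DETECTION))
    print("hosts involved:", hosts_touched(TIMELINE))
```

Note that the Windows event at 10:13:55 local time sorts before the proxy request at 09:14:02 UTC only because both were normalised to the same clock first; without that step the timeline would put the download before the process that fetched it, and the "when" answer would be wrong by an hour.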
Who are the attackers?
Often the most difficult question to answer, but one you should make a priority in your investigations.
Finding out who the attackers are allows you to understand who your data appeals to, or which bad actors want to cause reputational damage to your brand.
This can help you build a profile of the kinds of attack you are likely to fall victim to, and therefore allows you to understand how best to protect your network.
Why were you targeted?
Do you hold sensitive or confidential data that could be lucrative to a cybercriminal? Or are your systems so weak that they make you an easy target?
The 'why?' will be the question asked by your Board and shareholders, and it is the question you most need answered in order to help protect against future attacks.
Using this five-step approach will help you to better understand how the cybercriminals work and why they have chosen you as their target.
Only once you achieve this level of understanding can you truly build the systems and procedures that protect you from further attacks, and build a robust security programme for the future.
If you would like to speak to Smoothwall about advice on building a multi-layered security system, please contact one of our security specialists today. Contact us for more information.