Note: To engage Oracle regarding a security incident, please log a Service Request with Oracle Customer Support; instructions are here.

“It’s not what happens to you, but how you react to it that matters.” — Epictetus

In our recent blog we gave an update on the increase in cryptojacking attacks and outlined a number of native security controls that can reduce exposure to such attacks or, at the very least, allow early detection to limit the impact should a bad actor gain access. In this blog I will outline what to do when a control is missing, fails or is bypassed and you are dealing with the feeling of impending doom as you start to suspect you may be experiencing a cyber security incident.

Whilst many organizations today have detailed Incident Response plans outlining how to manage a suspected cyber incident, not all do, and of those that do, not all contain relevant, accurate and up-to-date procedures for their cloud environments. If this is you, consider updating yours after you finish reading!

Dealing with a suspected security incident is never pleasant and rarely straightforward. Each event is different in terms of how the issue occurred, its impact, and the steps needed to minimize further impact, recover and prevent recurrence. There are, however, consistent things you can do in the Incident Response process that will help you deal with the event in a logical manner and reduce the likelihood of making the situation worse.

PREPARE: In addition to implementing the required technical security controls, such as those described in the previous blog, organizations should compile and test Incident Response plans that detail what to do in the event of a cyber attack. Ideally these should cover a multitude of scenarios, such as ransomware, data loss, cryptojacking and phishing, and be rehearsed regularly to test capabilities, continuously improve processes and ensure stakeholders are identified and aware of their roles. A great resource for things to consider in Incident Response planning is the Computer Security Incident Handling Guide (SP 800-61) published by NIST.

CONFIRM: Complacency is dangerous; ensure staff are ready to verify suspicious activity. All too often the response to a security incident is delayed, and the impact therefore worse, because staff did not fully investigate events: they weren’t sure whether it was really an issue, or they assumed someone else would deal with it. It is vital that diligence is applied to quickly confirm whether a cyber event is occurring, what may be impacted and who needs to be involved. A great resource on how to identify attacks against an OCI tenancy can be found here.

COMMUNICATE: Once you’ve confirmed the incident, it’s essential to communicate the situation to relevant stakeholders, including senior management, IT teams, third-party vendors, and any customers or partners that may be affected. Ensure that the communication is clear, concise and transparent, and that it describes the actions being taken to mitigate the impact of the incident. Communication should continue throughout the incident lifecycle and may involve external parties such as law enforcement or cyber insurers. Ensure your Incident Response plan covers communication with such external agencies, the media and so on.

OCI-specific note: In the event that your suspected incident relates to Oracle products and services, open a Service Request either through the Support Portal or by calling 1.800.223.1711 (for customers in North America) or your local support number.

COORDINATE: Incident response is a team effort, and it’s crucial to coordinate the efforts of all relevant stakeholders during the response. This includes ensuring that everyone understands their roles and responsibilities, keeping everyone informed as the situation develops, and collaborating to address the incident’s impact.

CORDON: Depending on the severity of the incident, it may be necessary to contain and isolate affected systems or applications to prevent further damage or spread. This may involve disconnecting impacted systems from the network, terminating unauthorized systems, disabling user accounts, restoring administrative access for legitimate accounts and/or revoking access privileges (including API keys and auth tokens) for compromised accounts. Before terminating or rebuilding a compromised system, preserve what the investigation will need, for example a snapshot of its boot and block volumes and the relevant audit logs, so that containment does not destroy evidence.

CLEAR: Once the incident has been contained, the next step is to remove any malware or other evidence of the attacker’s presence. As part of this process, it may be necessary to restore systems from a known-good backup or rebuild systems that have been compromised. Retain copies of system and audit logs to support further investigation.

CHECK: Following remediation, ensure that your Incident Response process/team has resolved the issue completely. Monitor the affected systems regularly and, where possible, implement alerts on the Indicators of Compromise (IoCs) observed during the incident. Maintain heightened vigilance for a period to ensure there is no recurrence or longer-term effect.
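The CONFIRM and CHECK steps both come down to the same practical task: turning the IoCs you expect (or have just seen) into checks that run over the tenancy’s audit trail. The following is an added example, not code from the original post or an Oracle tool, that triages an OCI Audit export for three cryptojacking-style indicators: change-making API calls from outside a known egress range, launches of GPU shapes, and identity events that create long-lived credentials. The field names (`eventName`, `data.identity.ipAddress`, `data.request.action`, `data.stateChange.current.shape`) follow the shape of OCI Audit events as the author of this example understands them, the egress range, shape prefixes and event list are hypothetical values you would tune to your own tenancy, and the sample log lines are constructed by hand.

```python
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# Tenancy-specific baseline. Hypothetical values; tune to your own environment.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. your corporate NAT range
SUSPICIOUS_SHAPE_PREFIXES = ("VM.GPU", "BM.GPU")          # GPU shapes favoured by crypto-miners
PERSISTENCE_EVENTS = {                                    # identity changes that grant lasting access
    "UploadApiKey", "CreateAuthToken", "CreateCustomerSecretKey",
    "CreateUser", "AddUserToGroup",
}
MUTATING_ACTIONS = {"POST", "PUT", "DELETE"}


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: str
    principal: str
    detail: str


def _from_known_egress(ip: str) -> bool:
    """True if the caller's address falls inside one of the expected egress ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # missing or malformed address: treat as unknown, not as trusted
        return False
    return any(addr in net for net in KNOWN_EGRESS)


def triage_event(event: dict) -> list[Finding]:
    """Apply the three IoC rules to one audit event and return any findings."""
    data = event.get("data") or {}
    identity = data.get("identity") or {}
    request = data.get("request") or {}
    name = data.get("eventName", "")
    principal = identity.get("principalName", "<unknown>")
    ip = identity.get("ipAddress", "")
    event_id = event.get("eventId", "<no-id>")
    findings: list[Finding] = []

    # Rule 1: a change-making API call from an address we do not expect.
    if request.get("action") in MUTATING_ACTIONS and not _from_known_egress(ip):
        findings.append(Finding("unknown-source-ip", event_id, principal, f"{name} from {ip}"))

    # Rule 2: a GPU-shape instance launch. Assumption: the launched shape is
    # reported in data.stateChange.current.shape of the LaunchInstance event.
    if name == "LaunchInstance":
        shape = ((data.get("stateChange") or {}).get("current") or {}).get("shape", "")
        if shape.startswith(SUSPICIOUS_SHAPE_PREFIXES):
            findings.append(Finding("gpu-shape-launch", event_id, principal, shape))

    # Rule 3: creation of new identities or long-lived credentials.
    if name in PERSISTENCE_EVENTS:
        findings.append(Finding("identity-persistence", event_id, principal, name))

    return findings


def triage_log(text: str) -> list[Finding]:
    """Triage a newline-delimited JSON export. Malformed lines are skipped, not fatal."""
    findings: list[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # one corrupt line must not stop the rest of the triage
        findings.extend(triage_event(event))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, a convenient shape for an alert or a ticket summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def _event(eid: str, name: str, action: str, principal: str, ip: str, shape: str | None = None) -> str:
    """Build one constructed audit event line in the field layout assumed above."""
    data = {
        "eventName": name,
        "compartmentName": "prod",
        "identity": {"principalName": principal, "ipAddress": ip},
        "request": {"action": action, "path": f"/20160918/{name.lower()}"},
    }
    if shape:
        data["stateChange"] = {"current": {"shape": shape}}
    return json.dumps({"eventType": f"com.oraclecloud.example.{name.lower()}",
                       "eventId": eid, "eventTime": "2023-03-01T02:14:09Z", "data": data})


# Constructed sample: two suspicious events from an unknown address, two benign ones, one corrupt line.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("evt-1", "LaunchInstance", "POST", "svc-deploy", "198.51.100.7", "VM.GPU.A10.1"),
    _event("evt-2", "UploadApiKey", "POST", "svc-deploy", "198.51.100.7"),
    _event("evt-3", "GetInstance", "GET", "ops-admin", "203.0.113.5"),
    _event("evt-4", "LaunchInstance", "POST", "terraform-ci", "203.0.113.9", "VM.Standard.E4.Flex"),
    "this line is not JSON and should be skipped",
])

if __name__ == "__main__":
    results = triage_log(SAMPLE_AUDIT_LOG)
    for f in results:
        print(f"[{f.rule}] {f.event_id} {f.principal}: {f.detail}")
    print(summarize(results))
```

Run against the constructed sample, the script reports four findings: `evt-1` trips both the unknown-source-ip and the gpu-shape-launch rules, `evt-2` trips unknown-source-ip and identity-persistence, and the two benign events and the corrupt line produce nothing. Each rule is deliberately a single, explainable condition so it can be reviewed and tuned independently; in production you would feed the same logic from the Audit service export rather than an embedded string.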

CONTROL: Finally, it’s essential to review your incident response process and update any necessary elements to improve the response effort for future incidents. You will also want to analyze the root cause of the incident and implement preventative measures to avoid a similar incident in the future.

Following these steps will help you to ensure a comprehensive and coordinated response to a cyber security incident.