CISO Perspectives: Responding to a suspected Cyber Security Incident

July 20, 2023 | 4 minute read
Sean Sweeney
Senior Director, Field CISO & Security Advisor Team
Gary Askew
Field CISO
Text Size 100%:

Note: To engage Oracle regarding a security incident, please log a Service Request with Oracle Customer Support, instructions are here.

It's not what happens to you, but how you react to it that matters.” — Epictetus

In our recent blog we gave an update on the recent increase in Crypto-jacking attacks and outlined a number of native security controls that can help reduce vulnerability to such attacks or, at the very least, allow early detection to reduce impact should a bad actor gain access. In this blog I will outline what to do when a control is missing, fails or is bypassed and you are dealing with the feeling of impending doom as you start to suspect you may be experiencing a cyber security incident.

Whilst many organization’s today have detailed Incident Response plans outlining how to manage a suspected cyber incident, not all do, and of those that do, not all contain relevant, accurate and up-to-date procedures for their cloud environments – if this is you....consider updating after you finish reading!

Dealing with a suspected security incident is never pleasant and rarely straightforward. Each event is different in terms of how the issue occurred, the impact of the event, the steps to be taken to minimize further impact, recover and prevent reoccurrence in the future. There are however consistent things you can do in the Incident Response process that will help to deal with the event in a logical manner and reduce the likelihood of making the situation worse. 

PREPARE – In addition to implementing required technical security controls, such as those described in the previous Blog, it is recommended that organizations compile and test Incident Response plans which detail what to do in the event of a cyber attack. Ideally these should cover a multitude of scenarios such as Ransomware, Data Loss, Crypto Jacking, Phishing attacks etc. and be rehearsed regularly to test capabilities and continuously improve processes and ensure stakeholders are identified and aware of roles. A great resource for things to consider in Incident Response planning is the Computer Security Incident Handling Guide published by NIST.

CONFIRM: Complacency is dangerous, ensure staff are ready to verify suspicious activities. All too often response to security incidents is delayed, and therefore the impact is worse, as staff did not fully investigate events as they weren’t sure it may be an issue, or they thought someone else would deal with it. It is vital that diligence is applied to quickly confirm if a cyber event is occurring, what may be impacted and who needs to be involved. A great resource on how to identify attacks against an OCI Tenancy can be found here.

COMMUNICATE: Once you've confirmed the incident, it's essential to communicate the situation to relevant stakeholders, including senior management, IT teams, third-party vendors, and any customers or partners that may be affected. Ensure that the communication is clear, concise, and transparent, including any actions being taken to mitigate the impact of the incident. Communication should continue throughout the incident lifecycle and may involve external parties such as law enforcement or cyber insurers. Ensure your Incident Response plan covers communication with such external agencies and media etc.

OCI Specific NOTE: In the event that your suspected incident relates to Oracle Products and services, open a Support Request either through the Support Portal or by calling 1.800.223.1711 (for customers in North America) or your local support number.

COORDINATE:  Incident response is a team effort, and it's crucial to coordinate the efforts of all relevant stakeholders during the response. This includes ensuring that everyone understands their roles and responsibilities, keeping everyone informed of the situation as it develops, and collaborating to address the incident's impact.

CORDON: Depending on the severity of the incident, it may be necessary to contain and isolate any affected systems or applications to prevent further damage or infection. This may involve disconnecting impacted systems, terminating unauthorized systems, disabling user accounts, restore administrative access for legitimate accounts and/or revoking access privileges for compromised accounts.

CLEAR:  Once the incident has been contained, a next step is to remove any malware or evidence of an attacker’s presence. As part of this process, it may be necessary to restore systems from backup or rebuild systems that have been compromised. It is recommended to retain copies of system audit logs to support further investigation activities.

CHECK: Following remediation ensure that your Incident Response process/team has resolved the issue completely. Regularly monitor the system, and if possible, implement alerts on similar Indicators of Compromise (IoC). Maintain heightened vigilance for a period to ensure no reoccurrence or longer-term effects.

CONTROL: Finally, it's essential to review your incident response process and update any necessary elements to improve the response effort for future incidents. You will also want to analyze the root cause of the incident and implement preventative measures to avoid a similar incident in the future.

Following these steps will help you to ensure a comprehensive and coordinated response to a cyber security incident.

Sean Sweeney

Senior Director, Field CISO & Security Advisor Team

Sean Sweeney leads the Field CISO team for Oracle, North America Cloud and Technology Engineering.  In this role, he is responsible for aligning and mobilizing his team of highly skilled former CISOs, architects, and compliance experts.  He and his team focus on advising customer CISOs on security and compliance issues related to cloud, technical messaging and thought leadership, as well as providing strategic direction on OCI security products, services, and partnerships. 

Sean joined Oracle from Microsoft where he was the Global Chief Security Advisor. Sean is a previous Chief Information Security Officer at the University of Pittsburgh, Chief Technology Officer of a legal technology and eDiscovery firm, Chief Information Officer for a national law firm, and Litigation Support Applications Manager for the U.S. Department of Justice.  Sean is also an Affiliate Practice Scholar in the University of Pittsburgh’s Cyber Institute of Policy, Law, and Security and a graduate of Carnegie Mellon University’s Heinz College CISO Program.

Gary Askew

Field CISO

Gary is a Field CISO and a seasoned cyber security specialist with almost three decades of experience in the field. After starting his career in secure communications systems within the military, he quickly developed a fascination with technology and its potential impact on our daily lives. Since leaving the military in 2001, Gary has held various cyber security roles over the past 20 years including Security Management, Consulting and Security Leadership roles where he oversaw teams of specialists and architects in addition to a security operations center. He has also served as a trusted advisor to numerous public and private sector CISOs, helping to develop and execute strategies, build teams, and ultimately reduce risk. Gary firmly believes that the key to success is to provide a secure-by-design platform, where security is simple, pragmatic, and enables innovation and scalability goals, rather than prohibits them.

Previous Post

Securing Oracle Fusion Cloud Applications with Multi-Factor Authentication (MFA)

Roland Koenn | 13 min read

Next Post

Extending SaaS by AI/ML features - Part 2: Model data preparation using OCI Data Science

Rekha Mathew | 8 min read