ISA, a Toronto-based cyber security firm with over 20 years of experience helping organizations of all sizes solve complex challenges relating to IT security, launched its new standalone Incident Response Readiness Service designed to help Canadian organizations respond to cyberattacks in hours rather than days*. The expanded service is the result of positive customer feedback from ISA’s years of experience providing incident response as well as the need for this type of offering due to the evolving cyberattack landscape. It takes a proactive approach to cyber security and helps customers cope with ever more sophisticated attacks.
“Many Canadian organizations have no plan in place to deal with a cyber incident,” said Bryan Pollitt, Vice-President, Professional Services at ISA. “The Incident Response Readiness Service was created as a result of positive customer feedback and the necessity of having to deal with increasingly sophisticated attacks. The service gives customers a step-by-step solution to deal with the complex threats they face today.”
ISA Incident Response Readiness Service allows organizations to establish the terms and conditions for incident response services before a cyber security attack is suspected. The service enables customers to quickly engage with the ISA incident response team when a suspected security incident occurs. Customers can customize the offering to include proactive steps that minimize their cyber security risks and improve their overall security posture.
A proactive approach is key because attacks are becoming more sophisticated. For example, cybercriminals are increasingly using file-sharing to distribute their malware payloads, according to recent data from ISA’s Cybersecurity Intelligence and Operations Centre (CIOC).
It’s easier to carry out an attack by moving within an organization rather than relying on e-mail attachments, Pollitt explained. According to customer network data gathered from the ISA CIOC, there was a 500 per cent increase in a file sharing exploit known as Samba, between Q2 and Q4 2017.
Learning the Samba (exploit)
A good example of the Samba exploit is “EternalBlue” because it was the underlying vulnerability in Windows that was exploited by the WannaCry ransomware to spread from network to network. Samba is an open source implementation of the Server Message Block networking protocol, which allows Linux systems to share file and print services with Windows machines. There were other separate flaws in Samba’s implementation of SMB not related to EternalBlue that could potentially lead to attacks as well.
Ransomware attacks that spread through exploits like Samba are, by their nature, extremely difficult to defend against and require a proactive security approach. The main reason is that in order for any business to go about its day-to-day activities, people need to share files. It would be unrealistic and ultimately detrimental to an organization’s survival to shut that file-sharing capability down.
“Realistically, you have to be aware of how to protect file shares but it’s not necessarily something you can do on your servers,” Pollitt said.
Better to be prepared than sorry
It’s no secret that cyberattacks are on the rise. Recently an organization contacted ISA to help with a malware incident. The organization’s servers had gone offline and were rebooting. There was no patch management and the internal team was unprepared to deal with the threat.
ISA’s security team was able to identify a complex, multi-stage, zero-day threat for which there was no protection available and contain it before the malware reached its second stage. If the malware had deployed fully, it would have used the organization’s servers to mine virtual currency.
“We were able to help the client before any major damage was done, but it’s a perfect example of why Canadian organizations need to be prepared,” Pollitt said. “There’s no way to know when you might be targeted.”
Taking action with Incident Response
ISA’s Incident Response Readiness Service provides an initial triage within 30 minutes of an attack, 24 hours a day, seven days a week through access to ISA’s CIOC. Without the Incident Response service, recovering after an attack can take days compared with hours*.
ISA recommends implementing a documented Incident Response Plan based on a six-stage approach that ensures readiness throughout the Incident Response lifecycle.
1-Preparation – Review of existing security infrastructure, preparing identification and response plans, and implementation of incident response tools and processes.
2-Identification and Assessment – Timely detection of security incidents and determination of their nature and potential impact.
3-Containment – Immediate action, using documented processes, to limit damage and prevent any further loss or impairment.
4-Eradication – Evaluation of systems to ensure the security incident is fully remediated.
5-Recovery – Restoration of data and network availability, as well as confidentiality and ongoing integrity.
6-Lessons Learned – Review and assessment of the events and processes that have taken place, and application of improvements to the plan.