Recent cyber wars have changed the current threat landscape significantly in several ways.
One of the most significant changes is the increasing sophistication and frequency of cyberattacks, as well as the rise of nation-state threat actors, like state-sponsored hackers, and their use of cyber weapons.
We have all read news about the 2016 U.S. election interference, the major SolarWinds supply chain attack, the disruptive Colonial Pipeline ransomware attack, RansomHouse’s attack on IPCA Laboratories, the largest pharmaceutical group in India, and many more cases. These attacks have demonstrated the disruption of critical infrastructure, loss of sensitive data, and influence on social and political events.
Disruption in critical infrastructures
Critical infrastructures, such as power grids, water supply systems, transportation networks, and financial institutions, are essential for the functioning of our society, and disruption in these can have catastrophic consequences. Physical attacks, natural disasters, and human errors pose high risks to critical infrastructures. And now, with increasing dependence on technology and interconnected systems, cyberattacks are a considerable risk too.
The ongoing conflict between Russia and Ukraine has also had a significant impact on critical infrastructure, particularly in Eastern Europe. The conflict has been characterized by the use of hybrid warfare, which combines military, political, economic, and cyber tactics. Both Russia and Ukraine have been accused of launching cyberattacks against each other’s critical infrastructure, government agencies, and even media outlets. The conflict has led to increased investment in cybersecurity by both governments and private organizations in the region, including the establishment of cybersecurity agencies and the development of new cybersecurity technologies.
The conflict has had an impact beyond the region, with cyberattacks and disinformation campaigns launched against organizations in other parts of the world.
The NotPetya ransomware attack, which is believed to have originated in Russia, affected companies in over 60 countries, causing billions of dollars in damages. The Russia-Ukraine conflict has highlighted the growing importance of cybersecurity in modern warfare and the need for organizations to be prepared to respond to cybersecurity incidents.
The following are some nation-state cyber gangs known to target Critical Infrastructure and Key Resources (CIKR):
- APT33 (Iranian state-sponsored hacking group)
- APT10 (Chinese state-sponsored hacking group)
- Sandworm (Russian, known for high-profile cyberattacks, including the 2015 attack on the Ukrainian power grid)
- Lazarus (Korean, famous for the 2014 Sony Pictures hack)
To mitigate these threats, organizations must implement robust cybersecurity measures, and they must have incident response plans in place to minimize the impact of a cyberattack and quickly restore operations.
Contain. Prevent. Restore.
An Incident Response (IR) plan has become even more critical, because it is what allows organizations to activate their Digital Forensics and Incident Response (DFIR) capabilities and teams when an attack occurs.
Here are the top five reasons to focus on IR:
1. Reduced response time
In the event of a cyberattack, time is of the essence. An IR plan provides a clear set of procedures that help teams respond quickly and effectively, reducing the time it takes to contain and mitigate the damage caused by an attack.
2. Minimized damage
An IR plan outlines the steps that need to be taken to contain the attack, prevent further damage, and restore systems to normal operations. Having a plan in place enables organizations to minimize the damage caused by the attack and reduce the overall impact on the business.
3. Clear communication
During a cyberattack, it is essential to have clear communication between all stakeholders involved in the incident response process. An IR plan outlines the communication channels and procedures to ensure all stakeholders are updated on the situation.
4. Learning and development
An IR plan provides an opportunity for organizations to learn from past incidents and improve their security posture. By reviewing and updating the plan after each incident, organizations can identify areas for improvement and update their security practices to better protect against future attacks.
5. Compliance requirements
Many regulatory frameworks, such as HIPAA, PCI-DSS, and GDPR, require organizations to have an IR plan in place. With a plan that meets regulatory requirements, organizations can avoid penalties and demonstrate compliance to auditors and regulators.
An IR plan is a crucial component of an organization’s cybersecurity strategy. With a robust plan in place, organizations can respond quickly and effectively to cyberattacks, minimize the damage caused by an incident, and improve their overall security posture.
About the author
Harman is Head of Threat Management Practice – North America.
Harman is a digital security professional with more than 15 years of experience in cybersecurity and fraud risk management. His specialties include managed detection and response, SOC, incident response, solution architecting, banking fraud risk management, and security compliance and audits. He is co-author of Cyber Security in a Cashless Economy and is a regular speaker on the Cyber Tales podcast, discussing cyber risks and exchanging ideas on risk mitigation.
Eviden Digital Forensics and Incident Response (DFIR) services help clients investigate, contain, and recover business operations from a cyberattack.
Our certified experts identify external or internal malicious threat actors across endpoints, networks, applications, cloud, operational technology, and the Internet of Things.