Developing and Learning From Your Attack

In this video, we’re talking about developing and learning from your attack. Now things are going to happen. And chances are at some point or another, you’re going to experience some sort of attack, whether it’s an insider attack, it’s hardware failure, accidental deletion, external people coming in doing penetration testing, they’re trying to get on your network, they’re trying to do a ransom scam, social engineering, and whatnot. Now the important thing is not to worry, because after all you do have your check list and you do have your backup, including offsite backup, right?

Well, there’s a few things we need to consider once we are compromised or we feel like we may be compromised. Now one of the first things you want to do is a damage assessment. And these are some questions you should be asking yourself. Was anything stolen, whether it be physical, like say a laptop disappeared or files disappeared, or was it data wise? That could be customer data passwords and other information. If there was a theft, how serious was it? Was there physical damage to our hardware? In this case, this generally would be if someone broke in, ripped out some equipment or if we had a fire or flood, serious power outage, whatnot. Is data recovery necessary?

Are we able to recover our own data? And this is important because once we lose our data, obviously, our data is very critical. It has our user accounts, our infrastructure, our files, and whatnot. And we needed to determine pretty quickly if that got affected, can we recover it from our backups or do we need a third party to come in and recover our data? And the data, if it was lost, how serious is the data that we can’t recover? Can we move on without it? Or do we really need it back? Also we want to know, were any user accounts compromised? And if so, who?

This is important because, well, if it’s customer data, for example, we need to notify those customers. If it was our own internal accounts, we need to determine, well what access level do they have, were those accounts used to do anything that the real person wasn’t doing? And depending on the access level, we need to take a look at what other potential damage it may have caused. And obviously we need to change those passwords. Also what is the total projected cost of downtime and recovery? Now this is probably going to be important for, say, the financial department. You’re going to have to go to them potentially and say, well, we need x amount of money to get back up and running.

Or if you’re a publicly traded company, you may need to talk to your investors about, well, our downtime is going to be this and we’re going to be losing x amount of money during this time. Also we want to figure out the overall impact to our company and customers.

Now, in the recovery phase we need to think about, what do we need to do our recovery? Do we need additional hardware? Or do we need to run software? Or do we need to pull certain people in to do a recovery? Do we need additional resources to recover? Again, do we need an outside vendor for this or someone else? How long is recovery going to take? Your bosses and other management and other people waiting to do their work are going to want to know how long recovery is going to take, especially if you’re dealing with customers. Say, you’re a company where customers log into your system.

Obviously, you need to tell them how long it’s going to take before they can start using services or in the very least if the services are being impacted, you need to tell them, well, some customers may experience delays and whatnot. But we’re looking at about x amount of time to be able to get up and running. And we also need to figure out what is non-recoverable, what can we not recover? If it’s certain hardware or a certain data that we absolutely can’t recover, we need to figure out what that is and what we could do to mitigate that.