Published on: 26 July 2023
In the digital era, digitisation has become an inseparable and indispensable part of all organisations regardless of their size and sector, but the dependency on information technology also increases the vulnerability of organisations to cyber threats and challenges. The ramifications of a successful cyber attack can be very severe, with negative consequences including financial losses and reputational damage. Although preventative measures and perimeter defence systems are essential components of a comprehensive security program, there is a pressing need for organisations to enhance their cyber resilience. Cyber resilience refers to an organisation’s overall capability to monitor, detect and respond to cyber attacks so as to minimise the adverse impact on it. The hostile and interconnected cyberspace of today requires a transition from a passive defence approach to an active one by adopting an “assume-breach” model.
“Assume-breach” is a practice that presumes a cyber attack has already happened, so organisations should actively look into their environment for any suspicious activity which may lead to a security breach. To this end, organisations should strategically deploy appropriate detection tools at endpoints and across networks for timely identification of unusual activity and anomalous behaviour. When selecting detection tools, organisations should consider tools with behavioural analytical capability rather than those relying solely on patterns or signatures. Behaviour-based detection tools are considered more effective than signature-based ones because they evaluate the behavioural traits of system activity and network traffic for abnormalities. At present, most security solutions, such as endpoint detection and response (EDR) and endpoint protection platforms (EPP), are capable of analysing real-time system behaviour for threat detection.
A comprehensive logging mechanism is also a must for understanding and tracing system and security events, and it lays the foundation for continuous monitoring of potential cyber threats. To put effective logging practices in place, organisations should first work out which logging configuration can help determine whether, and to what extent, a system has been compromised. Events to be logged might include changes in system configuration, external communications, authentication and access, alarms raised by security tools, and the activation status of security tools. To facilitate threat hunting and incident analysis, organisations should ensure log records are retained for a sufficient length of time and are not rolled over before that period has elapsed. As a rule of thumb, at least 6 months of logs should be kept. Sufficient measures should also be implemented to protect the logs from being tampered with by attackers.
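As an added illustration of the last two points (this is not code from the original article), the following Python sketch stores log events in a hash chain so that modifying or deleting an earlier record is detectable, and checks that the oldest retained record still covers roughly the six months suggested above. The sample events, field names and the 183-day threshold are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample events covering event types the article lists (not real data).
SAMPLE_EVENTS = [
    {"ts": "2023-07-20T08:00:00Z", "host": "web01", "type": "auth", "msg": "login ok user=alice"},
    {"ts": "2023-07-20T08:05:00Z", "host": "web01", "type": "config", "msg": "sshd_config modified"},
    {"ts": "2023-07-20T08:06:00Z", "host": "edr01", "type": "tool_status", "msg": "EDR agent disabled"},
]
GENESIS = "0" * 64  # value the first record chains to

def append_chained(records, event):
    """Append an event whose hash covers the previous record's hash, so editing
    or deleting any earlier record invalidates every record after it."""
    prev_hash = records[-1]["hash"] if records else GENESIS
    payload = json.dumps(event, sort_keys=True)
    digest = hashlib.sha256((prev_hash + payload).encode()).hexdigest()
    records.append({"event": dict(event), "prev": prev_hash, "hash": digest})
    return records

def build_chain(events):
    records = []
    for ev in events:
        append_chained(records, ev)
    return records

def verify_chain(records):
    """Return the index of the first record that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        payload = json.dumps(rec["event"], sort_keys=True)
        expected = hashlib.sha256((prev + payload).encode()).hexdigest()
        if rec["prev"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return -1

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def retention_ok(records, now_iso, min_days=183):
    """True if the oldest retained record is at least min_days old (about the
    6 months the article suggests), i.e. the log has not been rolled over early."""
    oldest = min(_parse(r["event"]["ts"]) for r in records)
    return _parse(now_iso) - oldest >= timedelta(days=min_days)
```

In a deployment the chain head (or a periodic digest of it) would be copied to a system the logging host cannot write to, otherwise an attacker who controls the host can simply rebuild the chain.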
Cyber attacks nowadays tend to circumvent detection and hide in your system environment or network infrastructure, collecting as much information as possible before the onset of the actual attack. A robust security monitoring system involving active and continuous analysis of log information, looking for unusual system behaviour and known attack patterns, allows prompt reaction to early signs of compromise and minimises the possible impact. There is no one-size-fits-all approach; the design should be driven by the threats your organisation faces and the resources available. Whatever approach is implemented, it is always a good idea to start security monitoring with automated tools such as security information and event management (SIEM), which centrally collects, aggregates and correlates logs across multiple systems in order to raise instant alerts on security issues for swift response. To counter the constantly shifting threat landscape, security monitoring, including the alert rules built into the SIEM, should be enhanced from time to time to incorporate the latest indicators of compromise shared in threat intelligence and security reports.
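The following Python example is added here and is not from the original article. It mimics in miniature what the SIEM described above does: normalise log lines from two systems (a constructed VPN gateway format and a constructed firewall format) into one schema, then apply two correlation rules, one for repeated authentication failures followed by a success from the same source, and one for outbound traffic to an address on a threat-intelligence list. All log lines, hostnames, addresses and indicators are constructed.

```python
import re
from collections import defaultdict

# Constructed log lines from two systems in different formats (not from the article).
VPN_LOGS = [
    "2023-07-20T08:00:01Z vpn01 auth FAIL user=bob src=198.51.100.7",
    "2023-07-20T08:00:09Z vpn01 auth FAIL user=bob src=198.51.100.7",
    "2023-07-20T08:00:15Z vpn01 auth FAIL user=bob src=198.51.100.7",
    "2023-07-20T08:00:40Z vpn01 auth OK user=bob src=198.51.100.7",
]
FW_LOGS = [
    "2023-07-20T08:02:00Z fw01 ALLOW 10.0.0.12 -> 203.0.113.50:443",
    "2023-07-20T08:02:05Z fw01 ALLOW 10.0.0.12 -> 192.0.2.9:8443",
]
# Constructed threat-intelligence indicators; in practice this set is refreshed from feeds.
IOC_IPS = {"192.0.2.9"}

AUTH_RE = re.compile(r"^(\S+) (\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")
FW_RE = re.compile(r"^(\S+) (\S+) ALLOW (\S+) -> (\S+):(\d+)$")

def normalise(lines):
    """Parse heterogeneous log lines into one event schema, as a SIEM does on ingest."""
    events = []
    for line in lines:
        if m := AUTH_RE.match(line):
            events.append({"ts": m[1], "host": m[2], "kind": "auth", "result": m[3],
                           "user": m[4], "src": m[5]})
        elif m := FW_RE.match(line):
            events.append({"ts": m[1], "host": m[2], "kind": "conn", "src": m[3],
                           "dst": m[4], "port": int(m[5])})
    return events

def correlate(events, fail_threshold=3):
    """Two alert rules: repeated failures then a success for the same user and
    source, and an outbound connection to an address on the IoC list."""
    alerts = []
    fails = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        if ev["kind"] == "auth":
            key = (ev["user"], ev["src"])
            if ev["result"] == "FAIL":
                fails[key] += 1
            elif fails[key] >= fail_threshold:
                alerts.append(("brute_force_success", ev["host"], ev["user"], ev["src"]))
                fails[key] = 0
        elif ev["kind"] == "conn" and ev["dst"] in IOC_IPS:
            alerts.append(("ioc_outbound", ev["host"], ev["src"], ev["dst"]))
    return alerts
```

The IoC set is the part that the paragraph above says must be refreshed regularly; the first rule catches behaviour without any prior indicator, which is why the two kinds of rule complement each other.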
With visibility into activities across your environment, the next step is to prepare for security incidents so that interrupted services can be resumed in an organised, efficient and effective manner. This involves assigning appropriate personnel and responsibilities, reserving sufficient resources, formulating incident handling procedures, and creating incident response playbooks. Building incident response playbooks is a critical first step towards a structured and automated response to security incidents. While a playbook can take many forms depending on an organisation’s size and type, it normally consists of step-by-step workflows and operating procedures to orchestrate the response in a given scenario. To further expedite the overall response, organisations should also consider the fully or semi-automated actions provided by security tools (e.g. terminating a malicious process, isolating an endpoint with suspicious outbound network traffic, or disabling abnormal user accounts) in addition to manual processes and procedures. Staff preparedness to defend against cyber threats is of equal importance. Organisations should conduct regular cyber security drills to familiarise all support personnel and management with the incident handling procedures, which at the same time provides an opportunity to streamline the incident response process.
Improving cyber resilience is a continuous process that requires ongoing vigilance and investment to keep pace with the latest attack techniques and to enhance the detection and response mechanisms already established. However, it may be difficult for organisations to cope with fast-changing cyber threats alone. To stay ahead of the ever-evolving threat landscape, organisations are encouraged to share and exchange information about the latest attack techniques and indicators of compromise, and to take early precautions. This collaborative approach provides an additional layer of protection and can ultimately reduce the overall impact of cyber attacks.