With the ever-increasing risk of cyber-attacks, companies need to make cyber security a priority. Today it is no longer a question of “if” a company will suffer a cyber-attack, but “when” it will fall victim. Organisations therefore need to implement measures to prevent and manage cyber incidents. This article discusses the challenges of managing cyber incidents in large organisations.
We live in a digital age in which all corporate assets and resources are connected and accessible regardless of geographic location. The benefits of this hyper-connectivity are significant, but there is a major drawback: information and systems connected to the Internet can be easily accessed and damaged by any malicious third party. Consequently, reducing the risks generated by computer attacks has become a key issue for every company.
Cyber-attacks are constantly on the rise, and their complexity and sophistication are evolving rapidly. Organisations need to recognise that cyber-attacks are no longer just a technological problem but a daily threat that can directly affect their core business. Depending on the type of cyber-attack and the motivation of the perpetrators, the impact varies, but it can have dramatic consequences: reputational damage, financial losses and legal action, or the destruction of IT infrastructure and even the complete disruption of business operations. It is therefore imperative that companies put in place strategic, operational and technical measures to protect the confidentiality, integrity and availability of their information systems and thus limit the risks. Particularly with the emergence of sophisticated and persistent cyber-attacks, better known by the acronym APT (Advanced Persistent Threat), it is impossible to prevent every cyber-attack.
However, with an up-to-date asset inventory, identification of sensitive information and risk management tailored to today’s cyber threats, appropriate security measures can be adopted to prevent the majority of cyber-attacks. Since a residual risk remains, it is essential to develop an IT incident management plan in order to respond as well as possible to the cyber-attacks that bypass the prevention systems. By combining preventive and reactive measures, organisations can reduce the number of attacks and, in the event of an incident, reduce recovery time, costs and damage.
The IT incident management cycle consists of seven phases: Preparedness, Detection, Identification, Isolation, Eradication, Recovery and Post-Incident Activities. It is important to differentiate between the Detection and Identification phases. The first consists of discovering the presence of a cyber-attack, while the second consists of all the forensic investigations and analyses needed to determine the type and extent of the attack, to identify all infected systems and accounts, and to prepare an action plan to actively respond to the cyber-attack (Isolation, Eradication and Recovery).
There are countless technological challenges in the process of managing cyber-attacks. Detection, however, remains one of the most important, as it is impossible to respond to a cyber-attack that has not been detected in the first place. It is therefore crucial to increase detection capabilities and reduce the time to detection. To this end, cyber threat intelligence, deception methods and proactive intrusion detection (threat hunting) can be implemented. Incident management standards (NIST SP 800-61 and ISO/IEC 27035) recommend isolating infected systems immediately after detection. In the context of an APT, however, it must be assumed that many computer systems have been compromised using different infection methods.
Thus, containing the intrusion too early, without a concrete analysis of it, will only inform the cyber-criminal that his cyber-attack, or part of it, has been discovered, while he still controls computers in the network of the attacked party. The cyber-attacker will then be able to react and take countermeasures such as installing new malware, destroying the digital traces related to his attack (anti-forensic methods) or damaging the environment. It is therefore imperative to fully identify the cyber threat before isolating the infected systems and eradicating the threat.
In addition to the many technological challenges, IT incident management is made more difficult by the structure, size and complexity of large organisations. The four points outlined below are factors that make managing cyber-attacks within large organisations more complex; if they are taken into consideration, however, the process of managing cyber-attacks can be significantly improved.
A lack of security strategy
Cyber security is no longer just a technological issue; it is an issue for the entire business. Top management must therefore be aware of this risk and be involved in the security strategy. Because of the size of large companies, it is difficult, if not impossible, to integrate and align cyber security measures with the company’s strategy without the support of top management.
Rapid and continuous adaptation
Cyber criminals are constantly and rapidly evolving, and they improve their methods on a daily basis. Cyber security must therefore evolve at least as fast as the cyber threats. If business dynamics and risk management are not constantly updated, organisations will fall behind cyber criminals in the cyber security race. In large organisations, change and technological development are slow, partly because of the many procedures, segregated teams and the number of employees involved in security management. In order to enable the rapid evolution of IT security, the development of a security culture and effective collaboration between all parties involved are indispensable.
Lack of communication and collaboration
Given the complexity of organisational structures where cyber security is managed by hundreds of employees, divided into dozens of teams, silos are created, stifling inter-team cooperation and communication. Moreover, no single group, including the Cyber Security Incident Response Team, has full access rights. Therefore, no incident can be fully managed by a single team. This segregation of access rights has advantages, such as avoiding the problems associated with the concentration of powers. At the same time, it considerably slows down the response time to incidents, as the management of a cyber-attack requires the support of several teams. Therefore, the responsibilities of the teams must be clearly determined, and channels of communication must be established in order to allow better collaboration between the teams and, consequently, to improve the time of detection, as well as the processes of investigation and response to cyber-attacks. These measures will help to overcome the difficulties resulting from the complexity of organisational structures.
Lack of visibility
The inventory of assets (information, systems, user accounts, etc.), together with the classification of these assets according to their sensitivity, is crucial to the implementation of effective and appropriate protection and monitoring measures. This phase, often neglected, creates a lack of visibility and transparency in the Detection and Identification stages, since it is not possible to secure, or to detect a cyber-attack on, a system that is not known. It is therefore essential to have an up-to-date asset inventory.
Cyber criminals are exploiting increasingly sophisticated technologies and methods that are difficult to counter. No organisation can prevent or stop all cyber-attacks. It can, however, anticipate the risks by planning strategic, operational and technical procedures to reduce the likelihood of success and the impact of cyber-attacks. It is essential to remember that the capabilities of cyber criminals are constantly increasing. Consequently, the proactive and reactive procedures implemented must also continually evolve.