Leveraging Offensive Security for Effective Post-Attack Recovery



TL;DR: Bishop Fox's CISO Christie Terrill and former VP of Consulting Tom Eston discuss leveraging offensive security strategies for effective post-attack recovery, providing practical steps for remediation and building long-term cyber resilience. Their insights, based on extensive real-life experience, include restoring systems, maintaining customer trust, and the importance of continuous testing and monitoring to stay ahead of emerging threats.

Amid the rising tide of sophisticated cyberattacks, including a surge in ransomware, there is increasing recognition of the critical role offensive security plays in both preventing and responding to these threats.

In a recent webcast, Bishop Fox’s CISO Christie Terrill and former VP of Consulting & Cosmos Tom Eston discussed how organizations can leverage offensive security strategies for post-attack recovery, drawing on their extensive real-life experience of helping clients recover from breaches. This includes practical steps and tactics for effective remediation, restoring customer trust, and building long-term cyber resilience.

Here’s a summary of their insights, and you can catch the full discussion on demand.

Understanding Offensive Security During a Live Attack

Traditionally, offensive security is associated with preemptive measures like penetration testing and red teaming, while incident response (IR) teams are your first port of call during a live attack. However, offensive security also has a role during a live attack: mapping the attack surface and identifying the attack vectors in play during incidents such as ransomware outbreaks. Offensive security teams collaborate with IR and IT teams to trace the origin of the breach, whether a missing patch, social engineering, or a third-party vulnerability.

For example, in the 2013 Target breach, one of the largest payment card breaches in U.S. history (roughly 40 million card records), attackers entered Target’s network using credentials stolen from a third-party HVAC vendor and pivoted from there to the point-of-sale environment. This highlights the need for offensive security teams to continuously monitor and test third-party connections and applications.

Immediate Priorities Post-Attack

Once the attack has been contained, the immediate priority is restoring systems. Rebuilt or reconfigured systems must be verifiably free of malware and backdoors before they return to service. One caveat: restoring from a backup taken after the initial compromise can simply reinstate the attacker’s foothold, so where the intrusion timeline is uncertain, rebuilding from known-good images is the safer path. Offensive security teams test and validate the new systems to confirm their integrity before business operations resume.

During the recent healthcare breaches, restoring critical systems like pharmacies and their associated networks was paramount, and offensive security teams were needed to validate and secure the new configurations. Whatever the cause of the attack, offensive security teams help IR and IT teams get systems back up and running securely.
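The validation step described above, as an added example that is not code from Bishop Fox or the webcast: a rebuilt host is compared against the golden image it was built from, and anything the baseline does not account for (an extra account, an unknown SSH key, a new listener, a cron entry, a binary whose hash changed) blocks its return to service. The baseline and the snapshot are constructed inline; in practice the snapshot would be collected from the rebuilt host (local accounts, authorized_keys fingerprints, listening sockets, crontabs, hashes of key binaries) and the fingerprints and paths here are illustrative.

```python
"""Gate a rebuilt host's return to service on an allow-list check against its
golden baseline. Added example; the data below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostSnapshot:
    accounts: frozenset          # local account names
    authorized_keys: frozenset   # (user, SSH key fingerprint) pairs
    listeners: frozenset         # (proto, port, owning process) triples
    cron_jobs: frozenset         # raw crontab lines
    file_hashes: dict            # path -> sha256 hex digest


def validate_rebuild(baseline, rebuilt):
    """Return (severity, description) findings for everything on the rebuilt
    host that the golden baseline does not account for. Allow-list logic:
    anything unknown is a finding, rather than matching known-bad signatures."""
    findings = []
    for acct in sorted(rebuilt.accounts - baseline.accounts):
        findings.append(("high", f"unexpected local account: {acct}"))
    for user, fp in sorted(rebuilt.authorized_keys - baseline.authorized_keys):
        findings.append(("critical", f"unknown SSH key authorised for {user}: {fp}"))
    for proto, port, proc in sorted(rebuilt.listeners - baseline.listeners):
        findings.append(("high", f"unexpected listener {proto}/{port} owned by {proc}"))
    for job in sorted(rebuilt.cron_jobs - baseline.cron_jobs):
        findings.append(("high", f"unexpected cron entry: {job}"))
    for path, digest in sorted(rebuilt.file_hashes.items()):
        expected = baseline.file_hashes.get(path)
        if expected is None:
            findings.append(("medium", f"file not in golden image: {path}"))
        elif expected != digest:
            findings.append(("critical", f"binary differs from golden image: {path}"))
    return findings


def clear_for_service(findings):
    """Only a host with no high or critical findings goes back into production."""
    return not any(sev in ("critical", "high") for sev, _ in findings)


# Constructed golden baseline for a web-tier host (hashes are placeholders).
BASELINE = HostSnapshot(
    accounts=frozenset({"root", "www-data", "deploy"}),
    authorized_keys=frozenset({("deploy", "SHA256:deploykey0001")}),
    listeners=frozenset({("tcp", 22, "sshd"), ("tcp", 443, "nginx")}),
    cron_jobs=frozenset({"0 3 * * * /usr/local/bin/backup.sh"}),
    file_hashes={"/usr/sbin/sshd": "a1" * 32, "/usr/sbin/nginx": "b2" * 32},
)

# Constructed snapshot of a host "restored" from a backup taken after the
# intrusion: the legitimate services are present, plus an extra account, a
# second root SSH key, a bind shell, a reboot persistence job and a modified sshd.
RESTORED_FROM_BACKUP = HostSnapshot(
    accounts=BASELINE.accounts | {"svc_backup"},
    authorized_keys=BASELINE.authorized_keys | {("root", "SHA256:unknownkey9999")},
    listeners=BASELINE.listeners | {("tcp", 4444, "nc")},
    cron_jobs=BASELINE.cron_jobs | {"@reboot /var/tmp/.cache/update"},
    file_hashes={**BASELINE.file_hashes, "/usr/sbin/sshd": "c3" * 32},
)

if __name__ == "__main__":
    results = validate_rebuild(BASELINE, RESTORED_FROM_BACKUP)
    for sev, desc in results:
        print(f"[{sev}] {desc}")
    print("clear for service:", clear_for_service(results))
```

The point of the allow-list shape is that the offensive team does not need to know what the attacker left behind; the golden image defines what is allowed to exist, and a host rebuilt from that image produces zero findings, while one restored from a post-compromise backup fails the gate.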

Restoring Customer Trust Post-Attack

Building and maintaining customer trust post-attack is a challenging yet critical task, given that for many organizations — Bishop Fox included — your reputation is your business. Restoring customer trust is a major post-attack concern for organizations, as highlighted in the recent Ponemon State of Offensive Security Report and the Verizon Data Breach Investigations Report. Even when an incident is a low-impact mistake rather than a full-on breach, it’s important to be sensitive to customers’ concerns and to proactively manage the conversation about it.

It’s not only your customers whose trust may need shoring up. Internal stakeholders (from your sales team and internal auditors to the executive team) might also need assurances about what happened and why, and how you will prevent similar incidents happening again.

Demonstrating transparency and taking ownership are essential ingredients to restoring trust. Key steps organizations must take are:

  1. Communicate openly about the incident. Explain what happened and the impact on customers. Never blame users for a breach — ultimately, it is the organization’s responsibility to ensure robust security practices are followed.
  2. Identify and fix the vulnerabilities that enabled the attack. Third-party validation of your remediation efforts plays a crucial role here: an external offensive security assessment gives customers and stakeholders independent assurance that the fixes hold.
  3. Demonstrate your commitment to preventing future breaches. Be clear about the proactive monitoring, iterative testing, or other services you have introduced to prevent similar future incidents.

The Importance of Continuous Testing and Monitoring

The traditional model of annual penetration testing is no longer sufficient in today’s rapidly evolving threat landscape, where a report on an organization’s security posture can be out of date within minutes of a new exploit being published. To keep pace with the speed at which new vulnerabilities and exploits appear, offensive security has shifted from point-in-time assessment towards continuous testing and monitoring, so that new exposures are identified and addressed as they arise rather than at the next scheduled test, shrinking the window of opportunity for attackers.

The rapid response to vulnerabilities in Progress MOVEit Transfer and Palo Alto Networks PAN-OS highlights how continuous monitoring helps organizations respond to threats efficiently. Tools like Bishop Fox’s Cosmos platform facilitate continuous attack surface management, providing organizations with ongoing insight into their security posture and emerging threats. In several instances, organizations weren’t even aware MOVEit was on their network until Bishop Fox or another third-party partner flagged it when the breach occurred.
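The MOVEit lesson above, as an added example rather than code from Bishop Fox’s Cosmos platform: a continuous programme diffs each external scan against the previous one and re-matches every exposed service against the advisory watchlist whenever either side changes, so an asset that has been sitting on the perimeter for years is raised the day an advisory for its product appears. Snapshots, banners and watchlist entries are constructed; the product strings reuse the names in the text, and the mapping to advisories is an assumption for illustration.

```python
"""Attack-surface triage as a continuous programme does it: diff scans over
time and re-match exposures against a changing advisory watchlist.
Added example; all data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Exposure:
    host: str
    port: int
    product: str   # product name normalised from the service banner


def _watchlist_match(exposure, watchlist):
    """Return the watchlist key whose product name appears in the banner, else None."""
    banner = exposure.product.lower()
    return next((key for key in watchlist if key in banner), None)


def triage(prev_surface, cur_surface, prev_watchlist, cur_watchlist):
    """Prioritise the delta between two scans for the IR / offensive team.

    P1   an exposed product on the current watchlist, whether the asset is new
         or was already there (the MOVEit case: the asset predates the advisory
         and only the watchlist changed).
    P2   any other newly exposed service, to be inventoried and reviewed.
    info services that disappeared since the previous scan.
    """
    findings = []
    for e in sorted(cur_surface):
        listed = _watchlist_match(e, cur_watchlist)
        if listed:
            if e not in prev_surface:
                reason = "newly exposed product on watchlist"
            elif listed not in prev_watchlist:
                reason = "new advisory for an asset already exposed"
            else:
                reason = "still exposed and still on watchlist"
            findings.append(("P1", e, f"{reason}: {cur_watchlist[listed]}"))
        elif e not in prev_surface:
            findings.append(("P2", e, "new exposure not on watchlist; inventory and review"))
    for e in sorted(prev_surface - cur_surface):
        findings.append(("info", e, "exposure gone since previous scan"))
    return findings


# Constructed scans: the file-transfer server has been exposed for both scans,
# the old VPN appliance was removed, and a new firewall and a dev host appeared.
PREV_SURFACE = frozenset({
    Exposure("vpn.example.com", 443, "PAN-OS GlobalProtect"),
    Exposure("transfer.example.com", 443, "MOVEit Transfer"),
    Exposure("www.example.com", 443, "nginx"),
})
CUR_SURFACE = frozenset({
    Exposure("transfer.example.com", 443, "MOVEit Transfer"),
    Exposure("www.example.com", 443, "nginx"),
    Exposure("fw2.example.com", 443, "PAN-OS GlobalProtect"),
    Exposure("dev.example.com", 8080, "Jenkins"),
})

# Constructed watchlists (lower-case product key -> advisory label). Between the
# two scans an advisory for MOVEit Transfer was added; entries are assumptions.
PREV_WATCHLIST = {"pan-os": "PAN-OS advisory (assumed entry)"}
CUR_WATCHLIST = {
    "pan-os": "PAN-OS advisory (assumed entry)",
    "moveit transfer": "MOVEit Transfer advisory (assumed entry)",
}

if __name__ == "__main__":
    for prio, exp, reason in triage(PREV_SURFACE, CUR_SURFACE, PREV_WATCHLIST, CUR_WATCHLIST):
        print(f"{prio:<4} {exp.host}:{exp.port} ({exp.product}) - {reason}")
```

Running the same function with the previous scan and the previous watchlist on both sides (what an annual report would have captured) yields a single P1 for the old VPN appliance and nothing about the file-transfer server; only the continuous comparison surfaces it as P1 once the advisory lands.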

Strategic Post-Breach Actions

After a security breach, organizations must undertake a series of strategic actions to prevent recurrence. This involves detailed root cause analysis, not just to fix the immediate issue but to resolve any underlying systemic vulnerabilities.

Bishop Fox recommends a phased approach, which can be thought of as concentric circles:

  • Start with immediate remediation
  • Expand to related vulnerabilities
  • Finally, implement broader programmatic changes in processes, policies, and staffing

[Figure: three concentric levels of strategic post-breach actions: immediate remediation, related vulnerabilities, programmatic changes]


For example, after addressing the immediate vulnerabilities exploited in a breach, organizations should assess other areas that carry similar risk, such as other third-party integrations, to prevent future incidents. Then consider what policy or process changes might be needed, for example to the development life cycle or to third-party vendor assessment. Throughout, the focus should be on identifying and fixing gaps and weaknesses, not assigning blame.

Challenges for Small to Medium-Sized Businesses

Small to medium-sized businesses (SMBs) often face unique challenges due to limited resources. While post-attack recovery can be costly, the bottom line is that investing in expert help is essential for the business to survive. While larger organizations might have in-house capabilities, SMBs often must rely on external experts for both immediate response and long-term remediation.

However, our experts are keen to emphasize that while breaches can be expensive to remediate, they don’t necessarily mean the end of a business. With the right support and strategy, recovery is achievable — as shown by companies who have experienced large, high-profile breaches, such as Target and Equifax.

For SMBs without an in-house security team or incident response and recovery plan, we recommend at least creating a basic plan that outlines who to contact if an incident occurs. Identify the appropriate contacts and source a quote valid for 1-2 years to avoid scrambling to find someone during a live attack.

Practical Steps and Best Practices

To recap, here are the recommended steps for effective post-attack recovery:

  1. Immediate response: Engage IR teams straight away to triage the incident.
  2. System restoration: Ensure all restored systems are thoroughly tested and free of any malicious elements.
  3. Transparency: Communicate openly with customers and stakeholders about the incident and remediation efforts.
  4. Third-party validation: Use external assessments to validate security measures and build trust.
  5. Continuous monitoring: Implement continuous testing and monitoring to stay ahead of emerging threats.
  6. Programmatic changes: Review and update processes, policies, and training to address any gaps revealed by the breach.

Offensive security is not only about preventing attacks but also about effectively responding to and recovering from them. By integrating offensive security strategies into their post-attack recovery plans, organizations can enhance their resilience, maintain customer trust, and strengthen their overall security posture. As cyber threats continue to evolve, the importance of continuous testing, real-time monitoring, and strategic planning cannot be overstated. Organizations must stay vigilant and proactive to safeguard their assets and reputation in an increasingly hostile digital landscape.

For more insights into offensive security and post-attack recovery, explore these further resources:

And don’t forget to access the detailed conversation including audience Q&A in the on-demand webcast.




About the author, Bishop Fox

Security Experts

Due to the nature in which we conduct research and penetration tests, some of our security experts prefer to remain anonymous. Their work is published under our Bishop Fox name.

Bishop Fox is the leading authority in offensive security, providing solutions ranging from continuous penetration testing, red teaming, and attack surface management to product, cloud, and application security assessments. We’ve worked with more than 25% of the Fortune 100, half of the Fortune 10, eight of the top 10 global technology companies, and all of the top global media companies to improve their security. Our Cosmos platform, service innovation, and culture of excellence continue to gather accolades from industry award programs including Fast Company, Inc., SC Media, and others, and our offerings are consistently ranked as “world class” in customer experience surveys. We’ve been actively contributing to and supporting the security community for almost two decades and have published more than 16 open-source tools and 50 security advisories in the last five years. Learn more at bishopfox.com or follow us on Twitter.

