There’s a breach in the supply chain. What do you do?
What to do in case of a breach.
Let’s say you’ve established government-level cybersecurity in your organization. You’ve assessed your risks. You’ve aligned with stringent compliance standards such as STIG, CIS or CMMC. Your systems are continually updated with security measures. And, you have started implementing Zero Trust. You may be a vendor in the supply chain, and your own security is as tight as the guys who protect the most sensitive data in the world.
Guess what? You can still be breached. People in your supply chain can be breached, or your customer can be breached. It may be less likely to impact people with world-class security, but there is always a risk. And if it happens, things will move so rapidly and the pressure will be so great you won’t be able to think straight. So you will need an incident response plan in place to help steer you through the crisis.
Create a plan.
An incident response plan is a roadmap of the questions to ask, the steps to follow and the actions to take to contain damage and quickly recover from a breach. NIST has developed a comprehensive framework to follow to guide you on your way. Incident response can be broken down into four steps.
The first step is preparation. You have already done much of that, or are planning to do it, as part of meeting your federal supply chain expectations. Preparation includes securing your systems, creating a baseline of activity and monitoring that baseline for changes. It also includes having an overall plan in place in case of a breach, including:
- Which types of events should be investigated?
- What is our response plan for each of those scenarios?
- How do we respond if a breach happens to someone else in the supply chain?
Determine incident severity.
Once a breach has occurred, you need to get to the bottom of it. Collect data from your systems, security tools and people, then analyze it to find the breach and determine its impact. In a supply chain attack, you’ll need to look at third-party tools and the remote access granted to suppliers as well.
You’ll also want to ask questions like:
- Was the breach caught immediately or has it gone undetected for some time?
- Was the breach solely internal, or has it extended outside the organization? Alternatively, was it solely external, and what are the risks of it extending to your systems?
- Are there signs that this could repeat in the future or grow beyond where it is now?
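As an added example (not code from the original post, and not SteelCloud's ConfigOS), the script below shows the two pieces of the preparation and severity steps that can be made concrete in code: hash a set of configuration files into a baseline, compare a later snapshot against that baseline, and rank each change with a category-based severity policy so an overall incident severity falls out of the drift report. The file paths, file contents, category mapping and severity tiers are all constructed for illustration; a real deployment would store the baseline off-host and feed the findings into the response plan's escalation rules.

```python
"""Added example: configuration baseline and drift triage (not SteelCloud code).

All paths, contents and the severity policy below are constructed placeholders.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed policy: how serious is a change to a file in each category?
SEVERITY_BY_CATEGORY = {
    "auth": "critical",     # authentication / privilege configuration
    "service": "high",      # service configuration
    "content": "low",       # served content
}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Hypothetical mapping of monitored paths to categories (assumption).
PATH_CATEGORY = {
    "/etc/ssh/sshd_config": "auth",
    "/etc/sudoers": "auth",
    "/etc/nginx/nginx.conf": "service",
    "/var/www/index.html": "content",
}

# Constructed file snapshots standing in for reads from disk.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\nPermitRootLogin no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/nginx/nginx.conf": b"worker_processes 2;\n",
    "/var/www/index.html": b"<h1>Welcome</h1>\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PasswordAuthentication yes\nPermitRootLogin no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/nginx/nginx.conf": b"worker_processes 2;\n",
    "/var/www/index.html": b"<h1>Welcome!</h1>\n",
    "/etc/cron.d/nightly": b"0 2 * * * root /usr/local/bin/sync.sh\n",
}


@dataclass(frozen=True)
class Finding:
    path: str
    change: str      # "added", "removed" or "modified"
    severity: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Map each monitored path to the SHA-256 of its content (the baseline)."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline: dict[str, str],
                        current_files: dict[str, bytes]) -> list[Finding]:
    """Report every path that was added, removed or modified since the baseline.

    Paths outside PATH_CATEGORY are unknown to the policy and default to medium,
    so an unexpected new file is never silently ignored.
    """
    current = build_baseline(current_files)
    findings: list[Finding] = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            change = "removed"
        elif path not in baseline:
            change = "added"
        elif baseline[path] != current[path]:
            change = "modified"
        else:
            continue  # unchanged: matches the baseline hash
        category = PATH_CATEGORY.get(path, "unknown")
        severity = SEVERITY_BY_CATEGORY.get(category, "medium")
        findings.append(Finding(path, change, severity))
    return findings


def incident_severity(findings: list[Finding]) -> str:
    """Overall severity is the worst single finding; 'none' when nothing drifted."""
    if not findings:
        return "none"
    return max(findings, key=lambda f: SEVERITY_RANK[f.severity]).severity


def demo_findings() -> list[Finding]:
    """Run the comparison on the constructed snapshots above."""
    return compare_to_baseline(build_baseline(BASELINE_FILES), CURRENT_FILES)


if __name__ == "__main__":
    found = demo_findings()
    print(json.dumps([asdict(f) for f in found], indent=2))
    print("incident severity:", incident_severity(found))
```

On the constructed snapshots this reports three findings: an unknown file added under /etc/cron.d (medium), a modified sshd_config (critical) and a modified index.html (low), so the incident as a whole is rated critical. The design choice worth noting is the default for paths the policy has never seen: treating them as medium rather than ignoring them is what turns "has this gone undetected for some time" into a question the baseline can actually answer.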
Develop your response.
Now that you have a clear idea of what has happened, it’s time to stop the bleeding. This phase includes incident containment, threat eradication and system recovery. Here are some questions to ponder:
- Who is the attacker and what is their IP? Determining this will allow you to block them from further harm.
- How can we secure the breach? Do we need to keep critical services live while we eradicate the issue?
- What do we need to share with customers and affected teams? And when? How will this information be disseminated? Who will be the communication point person?
Don’t skip the postmortem.
Once the incident is contained and everything is recovered, it’s critical to examine what happened and find the lessons learned. Key questions to ask and document at this time include:
- What information could we have benefited from knowing sooner?
- What could we do differently next time in the same situation?
- Did we look for and find indicators of similar incidents to watch for in the future?
- What additional tools or resources are needed to prevent breaches and mitigate damage in the future?
Be prepared.
Many will say a cyberattack in your supply chain is not a question of “if”, but of “when”. As experts in the cybersecurity field, we agree it’s more likely than not. Our tip is always going to be to use automation where you can, because the demands on your cybersecurity team are so great that they can’t do it alone. And they can’t plan well-considered approaches if they are living every day trying to catch up with their workload. Automation never sleeps. It never wonders what to do. And it never makes mistakes.
In a breach, reestablishing security is the top priority. SteelCloud’s ConfigOS automates baseline security and helps you reestablish it during and after an attack. It’s always running in the background to keep you secure. And you can tailor it to your lessons learned so similar incidents never happen again. (It’s also what your DoD customers use to secure and constantly re-secure their systems on a daily basis.) Request a demo to see it in action.