How to Respond in the First 24 hours after your K8s Environment was attacked

Cyberattacks are among the greatest threats facing every company. Every day there is a new headline about a company being hacked and dealing with the consequences. Although everyone from CISOs and CIOs to DevOps practitioners is focused on securing Kubernetes environments, there is no guarantee that attacks can be prevented, and when (not if) one occurs, there is no guarantee that the company won't suffer downtime or data loss. This is compounded by the fact that many leaders aren't sure what to do during an attack, especially in the critical 24 hours after an event.

Some companies have a security plan that clearly outlines what to do in the event of an attack such as ransomware or a data breach; others are still working on one. If you are finishing up the cybersecurity plan for your business, here are some steps to help you get ready for the first 24 hours following an attack.

Immediately after an attack

There are several important things to remember when an attack happens, whether or not the compromised environment is Kubernetes. Practitioners should first alert the appropriate authorities, stakeholders, and leaders so that awareness of the compromise reaches the right people. Sometimes that is as simple as filing a ticket with the IT or security team; other times it means a full escalation to the top. Each company has its own structure and hierarchy, which determines who should be notified about an attack. The most important thing is that those who need to know are notified, and only those.

Once the appropriate people have been notified, it is time to assess how serious the compromise is. A single compromised account may affect only one employee, while a larger-scale attack could leave the entire organization exposed. An organization should always seek out additional resources so that scoping the compromise is as smooth and quick as possible.

Within the First Twelve Hours of an Attack

While some companies may be able to recover lost data and restore capabilities on their own, many will need external help. Even if you know what went wrong within the first twelve hours, there is still a chance that you do not fully understand the extent of the damage. Outside consultants can examine the incident from different angles and pinpoint compromised areas that you might not have considered during the attack. These are just a few of the ways outside help might manifest:

  • Disaster recovery service providers who are familiar with the solution you use and can provide additional resources to start a large-scale recovery effort
  • Incident response consultants who can help you plan remediation to prevent future breaches
  • Forensic analysts who investigate the indicators of compromise to better understand the incident's root cause

Once additional help is in place, the security team can begin to investigate the root cause and fix the vulnerabilities. With Kubernetes, the compromise most likely took place in a cloud application, and there are many ways a breach could have happened; security professionals need to identify and correct the one that did. Did an end user receive a suspicious or phishing email that they didn't report? That could indicate compromised credentials for a privileged admin account. Did platform engineers miss a vulnerability in a container image? That could point to a gap in the CI/CD pipeline.

Determining the root cause of the breach guides teams toward the containment phase, which stops the incident from spreading to other customers or end users. Containment could mean a temporary restriction or isolation of privileged access, if necessary.

Within the First 24 Hours

Once a containment strategy has been approved by the executives and is in action, it's important to notify all those affected. It is tempting to keep quiet about the incident for fear of losing credibility, customers or trust. But hiding a security incident from customers risks the public learning about it from someone else, at which point the organization has lost control of its own narrative.

Inform your internal communications team about the incident immediately. They can help you draft internal and external communications if necessary. You don't have to assign blame or describe the details of the incident. Instead, explain how your company is responding quickly with the right resources, the steps already taken and the ones still needed. Your most valuable assets in a security incident are your assurance and your calls to action; they strengthen existing relationships and invite others to help.

A Call to Arms: Ensure that you have a last line of defense

The first 24 hours following a security incident are critical, but there is still work to do afterwards to rebuild and prepare Kubernetes systems for future attacks. This covers access, network, container, and data security.

Nodes can be treated the same as any traditional application stack, with endpoint security and removal of unnecessary packages. Secure access by limiting role-based access control (RBAC) to least privilege, which reduces the blast radius if a credential is compromised. Protect networks and containers by ensuring that each service can communicate only with the services it requires, and by minimizing the number of containers that run as root. To complete the picture, enable Kubernetes audit logging (it is not on by default) and keep immutable backups to combat ransomware. Use runtime monitoring to capture exfiltration events, and encrypt data at rest to secure stored data.
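The following manifests are an added example, not code from the original post, showing what four of the controls above look like in practice: a least-privilege Role and RoleBinding, a default-deny NetworkPolicy with a narrow allow list, a pod that does not run as root, and an audit policy for the API server. The namespace `payments`, the service account `orders`, the labels, ports and the image `registry.example.com/orders:1.4.2` are assumed values chosen for illustration.

```yaml
# Added example, not from the original post; namespace, names, ports and
# image are assumed values, not something the page supplies.
---
# 1. Least-privilege RBAC: the orders service account may read only its own
#    ConfigMap, so a stolen token cannot enumerate Secrets or other pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: orders-config-reader, namespace: payments}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["orders-config"]
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: orders-config-reader, namespace: payments}
subjects:
  - {kind: ServiceAccount, name: orders, namespace: payments}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: orders-config-reader}
---
# 2. Network segmentation: deny all traffic in the namespace by default ...
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-all, namespace: payments}
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# ... then allow only what the orders pods need: ingress from the gateway,
#    egress to their database and to cluster DNS (forgetting DNS is the
#    classic way a default-deny policy breaks a workload).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: orders-allow, namespace: payments}
spec:
  podSelector: {matchLabels: {app: orders}}
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from: [{podSelector: {matchLabels: {app: gateway}}}]
      ports: [{protocol: TCP, port: 8080}]
  egress:
    - to: [{podSelector: {matchLabels: {app: orders-db}}}]
      ports: [{protocol: TCP, port: 5432}]
    - to: [{namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}}]
      ports: [{protocol: UDP, port: 53}, {protocol: TCP, port: 53}]
---
# 3. A pod that does not run as root, cannot escalate privileges, has a
#    read-only root filesystem and no Linux capabilities.
apiVersion: v1
kind: Pod
metadata: {name: orders, namespace: payments, labels: {app: orders}}
spec:
  serviceAccountName: orders
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    seccompProfile: {type: RuntimeDefault}
  containers:
    - name: orders
      image: registry.example.com/orders:1.4.2   # assumed image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities: {drop: ["ALL"]}
---
# 4. Audit policy for kube-apiserver; rules are matched first to last.
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
  # Record who read or changed which Secret, without copying the secret
  # body into the log file.
  - level: Metadata
    resources: [{group: "", resources: ["secrets", "serviceaccounts/token"]}]
  # Interactive access to pods is rare and worth the full request.
  - level: Request
    resources: [{group: "", resources: ["pods/exec", "pods/attach", "pods/portforward"]}]
  # Everything else: metadata only, skipping the noisy RequestReceived stage.
  - level: Metadata
    omitStages: ["RequestReceived"]
```

The first four documents are applied with `kubectl apply -f`; keep the audit Policy in its own file, because it is not a cluster object and is instead passed to kube-apiserver with `--audit-policy-file` (together with `--audit-log-path`) on a self-managed control plane. On managed services the provider exposes API server audit logs through its own logging and you do not edit apiserver flags. Two caveats a practitioner should check: NetworkPolicy objects are only enforced if the cluster's CNI plugin supports them, otherwise they are silently accepted and ignored, and the `gateway` pods need their own egress rule to reach `orders` once the default-deny policy is in place.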

It may be worth investing in new technology and software to increase your protection. The best place to start is detection and response. Monitoring provides visibility; SIEM and SOAR platforms provide a scalable way to filter noise, correlate findings, and escalate only critical security alarms. You can combine these with a cloud native application protection platform (CNAPP), which often bundles many of these capabilities in one platform.

No matter how much you invest in cyberattack prevention or detection, you must always have a last line of defense. Data is the number one target of many adversaries, so it is crucial to protect the confidentiality, integrity, and availability of data. A resilient data protection platform provides insurance against attacks through data immutability and allows for rapid recovery. It is almost impossible to prevent ransomware attacks completely, but being prepared and knowing how you will respond are crucial to weathering the storm. The faster your business recovers, especially within the first 24 hours of an attack, the sooner you can get back to doing what you love.
