The delay in a cyberattack detection can result into serious negative outcomes. The main risk is related to critical data compromise. When an attack happens, an organization faces the risk of data and financial loss; if the attack is detected lately, the list of risks is extended with reputational ones, especially if the compromised data is exposed on third-party resources. What’s more, if a cyberattack is detected lately, there is high probability that intruders will manage to take large part of the organizations’ infrastructure under control, what significantly hinders chances for successful countering attack. Basically, there is relatively high chance that the only solution will be a total blackout and isolation of the network from external resources. Only after, IS officers will be able to proceed to dealing with the existing problems. Delay in a cyberattack detection can lead to the extension of the attack landscape, what hinders tackling attack, reduces chances for successful mitigation of attack’s consequences etc. 

So, the question arises, how to detect a cyberattack just in time and what are the best practices for cyber attack detection?

Cyberattacks may be initiated both from the outside and from inside; they may be performed with the help of social engineering techniques or with the help of some technical methods solely. Basically, any IT infrastructure is a set of nodes, and each node may be attacked. So, it’s required to choose and implement some specific tool for protection of each infrastructure’s node. The choice of the best protective tools also depends on what exactly has to be protected. I mean, that in some specific case the best protective tool is anti-virus; in another situation the best protective solution is firewall; in third case DLP system is required.

Most often cyber attacks are complex, thus it’s impossible to detect attacks basing on data, gathered on some single endpoint, thus, it’s required to collect data from different nodes and analyze it. In other words, it’s required to implement the complex approach to ensuring information security. The complex approach requires:

• Implementation of some protective tools, which are in charge of detection of specific type of threat / ensuring protection of a specific endpoint (the list of such solutions is large and also depends on the specific organization’s IT infrastructure peculiarities and specifics of business processes. The list of some of the most required and widely spread tools includes: Antivirus, XDR, Firewall, DLP-system). In case an attack is performed via some single node, such protective solution respond quickly and efficiently. However, when we proceed from dealing with some routine and monotonous tasks and move to the next level (in other words, if a complex attack is performed), such tools aren’t sufficient.
• The complex approach requires extending the set of protective tools implemented with an advanced tool for revealing complex attacks. And the best solution for detection of complex cyber attacks is a SIEM (the Security Information and Event Management) class system, which gathers data from various infrastructure nodes and analysis it. The system analyzes information security events, generated by various sources (for instance, anti-virus, XDR or other tool). Briefly speaking, SIEM system operates on the higher level of information security protection, gathering events from different sources, analyzing them and revealing incidents among arrays of events, happening within the infrastructure. All in all, it provides the full picture of what’s actually happening within the corporate infrastructure. However, SIEM isn’t the first system to respond to incidents, so it should complement the set of protective systems, which operate on the lower level of organization’s information security protection.

Combination of these techniques, or, in other words, implementation of the complex approach is one of the most crucial issues for detection of a cyberattack just in time.

There is one more issue, crucial to speed up the response to a cyberattack. It is essential that every user understands that a cyberattack sooner or later will affect any organization, and that the volume of its destructivity depends directly on the level of organization’s preparedness to counter a cyberattack. Thus, it’s of crucial importance that: 

• Executives understand the importance of ensuring protection against cybersecurity risks. If executives understand the cyber risks and their consequences, they are ready to allocate appropriate budgets for dealing with information security tasks.
• IT department specialists and IS officers must be ready to adequately and promptly identify and analyze cyber risks, make sure that organization is ready to counter these risks.
• Ordinary employees are acknowledged of cyber threats and are ready not to take actions, which may lead to data compromise (for instance, don’t connect their private USB device to the corporate PC; don’t install programs and games, developed by third parties on their corporate PC).

Besides, in the current circumstances, when cyber threat landscape is permanently and rapidly changing, more and more threats occur and intruders’ techniques become more and more sophisticated, it’s of crucial importance to permanently increase users’ awareness in InfoSec related issues. First of all, IS and IT department employees must stay up to date, however, it’s also very important that they should also permanently help other employees and executives to enhance there is related competencies.  You may refer to the column in our blog to find some recommendations on how to train your employees in InfoSec related issues.