Surviving a Successful Network Attack

Cyber incidents and data breaches are constantly in the news. Personal data is becoming increasingly protected as existing regulations like PCI-DSS and HIPAA are being supplemented with new, more general privacy protections like the EU’s GDPR and California’s CCPA. These new regulations increase the requirements for protecting sensitive data and impose strict financial and legal penalties (including the possibility for civil and criminal lawsuits) for failure to comply and properly protect sensitive data.

Incidents can also have financial and reputational impacts as well. Organizations may lose consumer trust due to their ability to secure their customer’s personal data. The costs of performing incident response, implementing new security controls, and notifying affected parties can be significant as well.

The barrier to entry in cybercrime is rapidly falling, resulting in an increasing number of highly sophisticated attacks. With the rise of crimeware-as-a-service, the tools and techniques necessary to launch a cyberattack against an enterprise have become available to the general public. By implementing simple solutions, like a data encryption strategy, an organization can easily improve their cybersecurity and reduce the impact and cost of a potential breach.

The State of Incident Response

Security controls are the protections and mitigations that you deploy to help protect your network. They can operate at different levels and are designed to fulfill different purposes. The most common purposes of security controls are:

• Deterrence: Convincing a threat not to attack at all.
• Prevention: Ensuring that an attack is not successful.
• Detection: Identifying that an attack is in progress.
• Correction: Remediation after an attack.

Logically, the further up the list that a control is, the lower the cost to the enterprise if it catches an attack. Attacks that never happen (either due to deterrence or prevention) have minimal cost to an enterprise, while delays in detecting and remediating a successful attack can be significant. The longer that an attacker has unrestricted access to a network, the more computers are compromised and the more resources will be necessary to deal with the incident.

A recent study by Crowdstrike revealed that the average time between an attacker’s initial compromise of a network and their ability to “breakout” and move throughout the network is four hours and thirty-seven minutes. While this may seem like a long time, it’s important to consider that the Internet is global, meaning that attackers rarely operate during business hours (i.e. when your security team is monitoring at peak capacity). Also, the fastest groups can achieve breakout in only 18 minutes, faster than most organizations can detect and respond.

For perspective, the average time attackers are in an organization’s network without detection is over 50 days if the attack is detected internally and over 180 days if not. Most organizations also have poor patching, with even critical vulnerabilities being left unpatched for over a month. Deterring or preventing an intrusion may be impossible under these conditions, so the focus needs to move to ensuring that an attacker doesn’t find or steal anything of value once they’re inside. The key to this is encryption.

How Ghostvolt Can Help

Ghostvolt is designed to be a platform for storing and collaborating on documents in a secure fashion. Data stored within Ghostvolt is encrypted both at rest and in transit, meaning that even an attacker with access to your network can’t steal data without access to user’s passwords.