“Why are my hands sweaty? Why is my head spinning? Why is this happening?”
It wasn’t the first cyberattack I had experienced in my life, but I wasn’t used to the feeling. The first hour felt strangely calm, but it was just the calmness before the chaos. Alerts kept coming, my boss wanted to know what was happening, and every move my team and I made was tracked, timestamped, and double-checked.
I’m the CISO. My team is steady, experienced, and moving with purpose. But this cyberattack should have never happened!
The Attack and Its Impact
The cyberattack was unexpected, but with plenty of years under my belt, my team and I were ready. But even readiness has its limits, and all we could do was contain the attack and minimize the risk.
We contained the initial exploited subnet and slowed lateral movement, but the impact was real.
- The entire company was on pause, and the service for our customers was disrupted. We just couldn’t take the risk without confirming the complete removal of access for the hackers. The business loss, you ask? I’m not really sure. That’s a problem for tomorrow.
- Beyond the disruption was the potential loss of our customer data. We hadn’t confirmed it yet, but the infected subnet did have a database that stored some customer information.
The fallout of the cyberattack was not here yet. We were answerable to a lot of people. My bosses, the upper management, auditors, customers, and shareholders. It’s going to be a rough week ahead.
But Why Did the Attack Happen?
Figuring out how and why the attack happened was embarrassingly quick. I wasn’t sure why that particular risk hadn’t been flagged before, either. Adding salt to the wound, the attack exposed flaws in my team’s security process itself.
- Patching was just not good enough! We scanned and patched on a monthly basis, thinking it was enough. But it wasn’t.
- Exclusions shot us in the foot! We excluded legacy systems and “low-risk” assets from the scanners to keep the dashboards clean. The silence hid real issues.
- Risk scoring gave a false sense of security! A buried “high” outranked a medium risk that was exposed and internet-facing. The hackers chose the medium risk while we focused our efforts on fixing the high risk.
Why I Didn’t Lean Harder on Prevention
Throughout my 10+ years of managing security, I used to depend on my EDRs to secure the organization. But this attack made me question my entire approach. Was reacting to cyberattacks with EDR the right way?
Scanning vulnerabilities, prioritizing, and patching them was a cumbersome process, especially with the number of risks in the network. But trying to reduce the attack surface is the right way. It’d probably have helped me prevent this cyberattack!
- Asset Inventory Needed to be Bulletproof: There was always a mismatch between the number of assets discovered by us and the IT teams. “Did we really have all of our bases covered?” was a question we kept asking.
- Risk Scanning Needed to be Bigger in Scope: Our vulnerability scanners scanned for CVEs alone. But the attackers exploited a misconfiguration on one of our workstations. We needed scanners that could go beyond CVEs and cover misconfigurations, exposures, and other risks, too.
- Risk Assessment Needed to be Continuous: Beyond the scope of scanning, our frequency of scans was not enough either. Instead of monthly scans, we have to switch to always-on continuous scanning and detect potential risks as soon as they appear.
- Risk Prioritization Needed Better Context: Our risk prioritization process was too one-dimensional, with vulnerabilities sorted by criticality alone. It didn’t factor in exploit intelligence, business impact, or the likelihood of lateral movement, which would have given us a better idea of what an attacker would actually exploit.
- Patching Risk Needed to be Round-the-Clock: Like scanning, our patching and overall remediation process had to be faster and more targeted. Beyond patching CVEs, we needed to look at misconfigurations and anomalies as well, and ensure they were fixed on time.
Had we done this, our first hour would have looked different. We wouldn’t have missed the exploit in our network. We wouldn’t have been breached.
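As an added example, not code from the original post, here is a small Python model of the two prioritization views described above: a severity-only sort beside a context-aware score that folds in internet exposure, exploit intelligence, business impact, and lateral-movement reach, plus a coverage check that surfaces assets the scanners never see (deliberate exclusions versus assets the security team does not know about at all). All asset names, finding ids, and weights are constructed for illustration; a real deployment would take exposure and known-exploitation flags from its own scanners and intelligence feeds.

```python
from dataclasses import dataclass

# Base scores for the one-dimensional "severity only" view (constructed scale).
SEVERITY_SCORE = {"critical": 9.5, "high": 8.0, "medium": 5.5, "low": 2.5}


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str        # placeholder id; real CVE ids would come from the scanner
    kind: str              # "cve" or "misconfig": scanning beyond CVEs alone
    severity: str
    internet_facing: bool  # exposure: reachable from the internet
    known_exploited: bool  # exploit intelligence, e.g. an actively-exploited feed (assumed input)
    business_impact: int   # 1 (low) .. 5 (critical), as assigned by the asset owner
    lateral_paths: int     # count of high-value hosts reachable from this asset


def naive_rank(findings):
    """Severity-only ordering: what a criticality-sorted dashboard shows."""
    return sorted(findings, key=lambda f: SEVERITY_SCORE[f.severity], reverse=True)


def contextual_score(f):
    """Severity adjusted by exposure, exploit intelligence, impact and reach.
    The multipliers are illustrative weights chosen for this example, not a standard."""
    score = SEVERITY_SCORE[f.severity]
    if f.internet_facing:
        score *= 1.5
    if f.known_exploited:
        score *= 1.5
    score *= 1 + 0.1 * f.business_impact
    score *= 1 + 0.05 * min(f.lateral_paths, 10)
    return score


def contextual_rank(findings):
    """Context-aware ordering: an exposed, exploited medium can outrank a buried high."""
    return sorted(findings, key=contextual_score, reverse=True)


def coverage_gaps(it_inventory, scanned_assets, exclusions):
    """Assets the scanners never assess, split into deliberate exclusions and
    assets the security team does not know about at all (inventory mismatch)."""
    unscanned = set(it_inventory) - set(scanned_assets)
    return {
        "excluded": sorted(unscanned & set(exclusions)),
        "unknown": sorted(unscanned - set(exclusions)),
    }


# Constructed sample data: not real assets, vulnerabilities or identifiers.
SAMPLE_FINDINGS = [
    Finding("db-internal-01", "cve-example-1", "cve", "high", False, False, 4, 1),
    Finding("ws-sales-07", "misconfig-example-2", "misconfig", "medium", True, True, 2, 6),
    Finding("legacy-print-01", "cve-example-3", "cve", "low", False, False, 1, 0),
]
IT_INVENTORY = {"db-internal-01", "ws-sales-07", "legacy-print-01", "vpn-gw-02"}
SCANNED_ASSETS = {"db-internal-01", "ws-sales-07"}
EXCLUSIONS = {"legacy-print-01"}


if __name__ == "__main__":
    print("Severity-only order:")
    for f in naive_rank(SAMPLE_FINDINGS):
        print(f"  {f.asset:16} {f.severity:8} {f.finding_id}")
    print("Context-aware order:")
    for f in contextual_rank(SAMPLE_FINDINGS):
        print(f"  {f.asset:16} {f.severity:8} score={contextual_score(f):.2f}")
    print("Coverage gaps:", coverage_gaps(IT_INVENTORY, SCANNED_ASSETS, EXCLUSIONS))
```

Run as a script, the severity-only view puts the internal database's high first, while the context-aware view moves the internet-facing, actively exploited workstation misconfiguration to the top, and the coverage check reports one asset hidden by an exclusion and one the security team never discovered. The point is the shape of the inputs, not the exact weights: whatever scoring a team settles on, exposure, exploitation status, impact, and reach have to be present as fields before they can influence the order of work.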
Conclusion
For far too long, the cybersecurity world has been reacting to cyberattacks. But with the number of cyberattacks that happen every day, I don’t think a reaction is the right way forward.
Preventing cyberattacks might not be easy, but it’s worth a try!
