Remediating Cyberattacks Requires a Team Effort

Activate a prepared response plan and look to support organizations to aid recovery efforts.

February 28, 2020

This is the third of a three-part NACS Daily series. Today: Remediation.

By Jerry Soverinsky

ALEXANDRIA, Va.—There is of course no way to prevent cybercriminals from launching attacks. The focus, as we discussed in our prevention article, is preventing those attacks from executing on endpoints.

But until legacy antivirus applications have been replaced with advanced threat detection and response capabilities, human error will continue to create system vulnerabilities, a weakness that cybercriminals rely on to inflict damage. And when that happens, all efforts must turn toward remediation to prevent further widespread damage from lateral attacks in the environment.

The first step in the process is activating an incident response plan, a prepared course of action for disasters (we wrote about such a plan in NACS Daily here and in NACS Magazine here). “Reach out to your first responders; they are responsible for activating your plan,” said Jim Shepard, director of Data Protection and Reg Compliance for Phillips 66.

But even if you manage a robust, internal IT staff, remediation must tap third-party professionals who specialize in addressing breach scenarios. “Work with an incident response team. If you don’t have one, bring in somebody who understands the specific tactics, tools and methods of sophisticated attack groups,” said Mark Carl, chief executive officer of ControlScan.

Next comes containment mode. “That means disconnecting from your network. Not powering off your systems, because that could be problematic, but going offline to reduce your exposure,” Shepard said.

Carl and his team deploy endpoint security, “identifying where the attacker is and extracting them from the environment, including cloud-based systems like Office365 that may be commonly overlooked.”

Finally, there is the post-recovery phase. “Figure out what that entails for your organization,” Shepard said. “You’ll want to preserve your logs and other evidence that could explain what happened. This will go a long way toward helping you remediate and prevent future occurrences.”

Backups are critical for restoring operations, and Carl said operators should adopt a robust backup protocol. “It won’t stop a ransomware attack, but it will reduce its impact, and you might not have to pay to decrypt critical data,” he said.

In case you missed it, read the first installment, “Under Siege: Cybercriminals Target C-Stores,” of the NACS Daily three-part series here and the second installment, “To Prevent Cyberattacks, Minimize IT Vulnerabilities,” here.

Look for more coverage on data security in the April issue of NACS Magazine.

Conexxus will offer a data security educational session for convenience and fuel retailers at the Conexxus 2020 Annual Conference, April 26-30, in Tucson, Arizona. Data security experts from the petroleum industry will discuss how to bolster network security amid ongoing sophisticated attacks and share insights on what steps to take to contain and limit the scope of a potential data breach attack.

Jerry Soverinsky is a Chicago-based freelance writer and NACS Magazine contributing writer.