A day in the life of a CSIRT expert
“Stephane Boogaerts helps companies to get started up again following a cyberattack”
Stephane Boogaerts got a taste for cybersecurity during his work experience placement at Nynox, which is part of the IS4U group. Following this internship, he started work as a Security Consultant and progressed from there to the Cyber Security Incident Response Team (CSIRT), where he is now the contact person. He explains what his role as a CSIRT expert entails below.
Cyber incidents have increased dramatically over recent years. Until recently, phishing was at the top of cybercriminals’ lists, but they’ve now created a business model out of even more serious fraud such as ransomware. And conveniently enough for them, they’re using current GDPR legislation, which determines that you must not share sensitive data, to extort organizations. The more sensitive the data that they can steal in an attack, the more severe the consequences may be in the event of a possible leak.
Most cyber incidents can be prevented, however, and are only possible in the first place because of poor security. The rapid growth of remote and hybrid working has made organizations more susceptible to cyberattacks, but many problems can be avoided by requiring remote workers to use multi-factor authentication (MFA) and patching applications in good time. It’s also important to assign your employees the right permissions and build detection into your systems to ensure attacks can be traced and dealt with quickly.
Thorough analysis
Affected organizations often only find out about a leak when it’s too late and their entire environment has already been encrypted. This means CSIRT experts mostly have to deal with environments they have never seen before, and need to start analysing the situation and retrieving data as quickly as possible. We put a team together that represents the organization’s interests to ensure all this is done as efficiently as possible. It includes members of the management team and employees from the IT and legal departments, and sometimes police or insurance agents as well. This team receives daily updates during an incident via a channel of communication of their own choosing. We also sit down with the IT team as soon as possible to find out what they already know, and what we can learn from it.
Then we start with a thorough analysis of the attack, which is different for every organization. In the event of a suspected breach, we always start by looking at the critical infrastructure such as domain controllers and file servers with important data. If threats have been received by email, we look at IP addresses based on indicators of compromise. Then we look at the logs to see if these IPs appear more commonly, and find out everywhere they’ve been.
Forensic evidence
In the event of an attack, it’s important to gather together any evidence, such as forensic items and logs, straight away. This allows us to work out which accounts have been compromised so we can disable them and immediately patch or isolate susceptible applications. We also report our findings as soon as possible to help identify potential detection methods that could ward off new attacks in the future.
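The two steps described above, sweeping logs for indicator-of-compromise (IoC) addresses to see everywhere they have been, and working out which accounts were used from those addresses so they can be disabled, look like this in practice. The block below is an added illustration and is not code from the article or from IS4U/Nynox; the IoC list, the syslog-style line format and the log lines are all constructed for the example.

```python
"""IoC sweep over log lines: where an indicator appeared, and which accounts
authenticated from it. Added example; not tooling from the article."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical indicators of compromise: one host address and one range.
IOCS = ["203.0.113.45", "198.51.100.0/24"]

# Constructed syslog-style sample lines (not real data): ISO timestamp,
# reporting host, event type, then key=value fields.
SAMPLE_LOGS = """\
2024-03-04T08:12:01Z fw01 allow src=10.0.0.5 dst=203.0.113.45 dport=443
2024-03-04T08:13:44Z dc01 logon user=j.smith src=198.51.100.23 result=success
2024-03-04T09:02:10Z fs01 logon user=svc_backup src=198.51.100.23 result=success
2024-03-04T09:05:00Z dc01 logon user=a.jones src=10.0.0.12 result=success
2024-03-04T10:30:12Z fw01 allow src=10.0.0.9 dst=203.0.113.45 dport=443
2024-03-04T11:00:00Z vpn01 logon user=j.smith src=198.51.100.23 result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict of the line's fields, or None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    except ValueError:
        return None
    rec = {"ts": ts, "host": m.group("host"), "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def load_iocs(iocs):
    """Turn IoC strings into networks; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(i, strict=False) for i in iocs]


def match_ioc(value, networks):
    """Return the IoC network (as a string) containing value, else None."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    for net in networks:
        if ip in net:
            return str(net)
    return None


def sweep(log_text, iocs):
    """Sweep log_text for IoC hits.

    Returns (hits, accounts): hits maps each IoC to the reporting hosts,
    hit count and first/last timestamp; accounts maps user names that
    logged on successfully from an IoC address to the hosts they reached.
    """
    networks = load_iocs(iocs)
    hits = defaultdict(lambda: {"hosts": set(), "count": 0, "first": None, "last": None})
    accounts = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        # One line can carry several IP fields; count each IoC once per line.
        matched = {match_ioc(rec.get(f, ""), networks) for f in ("src", "dst")}
        matched.discard(None)
        for ioc in matched:
            h = hits[ioc]
            h["hosts"].add(rec["host"])
            h["count"] += 1
            h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
            h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        # A successful logon whose source is an IoC marks the account for disabling.
        if (rec["event"] == "logon" and rec.get("result") == "success"
                and match_ioc(rec.get("src", ""), networks) and "user" in rec):
            accounts[rec["user"]].add(rec["host"])
    return hits, accounts


if __name__ == "__main__":
    hits, accounts = sweep(SAMPLE_LOGS, IOCS)
    for ioc, h in sorted(hits.items()):
        print(f"{ioc}: {h['count']} hits on {sorted(h['hosts'])}, "
              f"{h['first'].isoformat()} .. {h['last'].isoformat()}")
    for user, hosts in sorted(accounts.items()):
        print(f"disable account {user}: logged on from IoC to {sorted(hosts)}")
```

On the constructed lines the sweep reports the firewall seeing traffic to 203.0.113.45 twice and the 198.51.100.0/24 range touching the domain controller, file server and VPN gateway, and flags j.smith and svc_backup as accounts that authenticated successfully from the indicator range; the failed VPN logon is counted as a hit but does not mark the account. In a real engagement the IoC list would be fed from the phishing mail and threat intelligence, and the parser swapped for one matching the organization's own log sources.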
If the environment has been fully encrypted, we always check whether a back-up is available and whether it was impacted during the attack. Unfortunately, good back-up strategies are still not in place in almost 70% of cases.
When the incident is resolved, we supply organizations with a forensic report. The management summary describes the attack for non-technical readers and explains how we resolved it. We also provide a technical analysis, which organizations can give to their insurer or the police and which ensures that everything complies with current laws and regulations.
Interesting environment
Even though we can often rescue part of the infrastructure, sometimes we have to inform organizations that their entire digital environment needs rebuilding from scratch. This is a difficult message to deliver, but I still wouldn’t want to swap my job as a CSIRT expert for anything else. It’s a fascinating environment to work in, where every day is different and brings new challenges.
Have you been hacked, or do you just want to stay ahead of all these cybercriminals?