When an Initial Attack May Be Just the Tip of the Iceberg


Recent events confirm what we have long suspected: attackers often return to the same organization after a successful attack. This exact scenario played out recently for Longs Peak Family Practice in Colorado. Suspicious activity was found on its network on November 5, 2017. Ransomware had encrypted some files, which Longs Peak was preparing to restore from backups. This initial attack caused minimal disruption; however, the attack was not over.

While the first attack was being handled, a second attack was identified. This second attack was more widespread and caused significant disruption to the organization. An investigation indicated that the network had been accessed by an unauthorized person on November 5, 9, and 10.

Experts have warned that attacked organizations can be targeted more than once, and in some instances one attack increases the likelihood that you will be targeted again. Whether the attacks on your organization are successful or unsuccessful, it is important that they are handled thoroughly and in a coordinated effort. It is wrong to assume that you dodged a bullet and the threat is over just because one attack was identified and thwarted. Here are some ideas to keep in mind to prevent a subsequent attack from succeeding.

  1. Conduct a Risk Assessment: Once you have identified that an attack has been stopped, quickly conduct a risk assessment. This should identify what information was accessed inappropriately and whether notification to affected individuals and others is necessary. Furthermore, a risk assessment conducted immediately after an attempted attack should pay particular attention to other vulnerabilities that attackers may exploit, and to whether the attacker may still have a way back in.

  2. Close known vulnerabilities: Your risk assessment, and any forensic investigation after the initial attack, should identify vulnerabilities that were exploited or could be exploited in the future. Remediate these as fast as possible, and revoke any access the attacker gained along the way, such as the accounts or credentials they used. It is often these outstanding vulnerabilities that attackers exploit in subsequent attacks.

  3. Implement System Monitoring: Once you have been attacked, assume you are now on the attackers' radar and expect subsequent attempts. After you close all known vulnerabilities, step up system monitoring so that subsequent attacks are identified and stopped quickly. In particular, watch for the indicators from the first attack reappearing; in the Longs Peak case the attackers returned to the network days after they were first detected.
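One concrete way to carry out the monitoring in step 3 is to turn what the first investigation found (source addresses, compromised accounts) into a watchlist and run post-containment authentication logs against it, so that a return visit like the November 9 and 10 access is flagged immediately. The script below is an added example, not code from the original post or from Longs Peak Family Practice; the log lines, IP addresses, account names, hostnames and containment time in it are all constructed for illustration, and the watchlist approach itself is this example's assumption about how to implement "step up system monitoring".

```python
"""Watchlist detection of a return visit after an initial incident.

Added example, not from the original post. All log lines, indicator values
(IPs, accounts, hostnames) and the containment time are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

# Indicators collected while investigating the first attack (constructed).
# The IP ranges are the RFC 5737 documentation ranges, so they route nowhere.
FIRST_INCIDENT_INDICATORS = {
    "source_ips": {"203.0.113.45"},
    "accounts": {"svc_backup"},
}

# When containment of the first attack was declared complete (constructed).
# Anything matching an indicator after this point is a suspected return visit.
CONTAINMENT_TIME = datetime(2017, 11, 5, 18, 0)

# Constructed syslog-style sshd authentication events; not real log data.
SAMPLE_LOGS = """\
2017-11-05T14:02:11 fileserver sshd: Accepted password for svc_backup from 203.0.113.45 port 51022
2017-11-05T17:45:09 fileserver sshd: Failed password for root from 203.0.113.45 port 51130
2017-11-06T09:10:30 workstation7 sshd: Accepted publickey for jdoe from 10.0.4.22 port 40112
2017-11-09T02:14:55 fileserver sshd: Accepted password for svc_backup from 203.0.113.45 port 52010
2017-11-10T03:41:02 dc01 sshd: Accepted password for svc_backup from 198.51.100.7 port 48872
2017-11-10T03:42:17 dc01 sshd: Failed password for admin from 198.51.100.7 port 48873
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) \S+ for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


@dataclass
class Alert:
    timestamp: datetime
    host: str
    user: str
    ip: str
    reasons: List[str] = field(default_factory=list)


def parse_line(line):
    """Parse one sshd auth line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "timestamp": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "result": m["result"],
        "user": m["user"],
        "ip": m["ip"],
    }


def find_return_visits(log_text, indicators, containment_time, pivot=True):
    """Return an Alert for each post-containment event touching a known indicator.

    With pivot=True, a successful login with a known-compromised account adds the
    source IP to the watchlist, so later activity from that new address is also
    flagged; attackers rarely come back from exactly the same address.
    """
    watched_ips = set(indicators["source_ips"])
    watched_accounts = set(indicators["accounts"])
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["timestamp"] <= containment_time:
            continue  # unparseable, or part of the already-handled first attack
        reasons = []
        if ev["ip"] in watched_ips:
            reasons.append("source IP seen in first incident")
        if ev["user"] in watched_accounts:
            reasons.append("account compromised in first incident")
        if reasons:
            alerts.append(Alert(ev["timestamp"], ev["host"], ev["user"], ev["ip"], reasons))
            if pivot and ev["result"] == "Accepted" and ev["user"] in watched_accounts:
                watched_ips.add(ev["ip"])
    return alerts


def alert_dates(alerts):
    """Sorted list of distinct calendar days on which a return visit was flagged."""
    return sorted({a.timestamp.date().isoformat() for a in alerts})


if __name__ == "__main__":
    found = find_return_visits(SAMPLE_LOGS, FIRST_INCIDENT_INDICATORS, CONTAINMENT_TIME)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user}@{a.ip}: {'; '.join(a.reasons)}")
    print("days with suspected return visits:", alert_dates(found))
```

Run stand-alone, the script flags the two later days and, through the pivot, the attacker's second address even though that address never appeared in the first investigation. The pivot is the part to think about in a real deployment: it widens the watchlist automatically, which is what you want after an incident, but it should be reviewed rather than left to grow unattended.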

Identifying and ending a cyber attack once does not mean the threat is over. In many instances, one attack is a leading indicator of future attacks for which you must prepare. Failing to do so may leave vulnerabilities unmitigated, which attackers can exploit.