Fairdinkum: IT Consulting in NYC
Decoding the Tariff Impact on Your IT Upgrades 3 Apr 2025, 8:00 am
Are you worried about your tech costs ballooning? New tariffs are something to consider. In early 2025, the U.S. government announced tariffs on imports from Canada, Mexico and China. The tariffs include a 25% levy on goods from Canada and Mexico and a new 10% charge on Chinese products. These tariffs are expected to increase the prices of technology products, such as computers, network equipment and servers, potentially leading to higher costs for businesses looking to upgrade their IT infrastructure. There are three key predicted effects:
- Increased Costs: Tariffs act as an additional tax on imported goods, often leading to higher prices for consumers. Businesses may face increased expenses when purchasing new IT equipment as manufacturers pass on the added costs.
- Supply Chain Disruptions: Tariffs can cause shifts in global supply chains, leading to potential delays and reduced availability of certain products. Companies might experience longer lead times for acquiring necessary hardware.
- Inflationary Pressures: As the cost of technology products rises, businesses may need to adjust their budgets, potentially leading to increased prices for their own goods and services.
Why Upgrading Now Beats Paying Later
Given the potential for rising costs and supply chain uncertainties, it’s prudent for businesses to consider upgrading their IT infrastructure sooner rather than later. Proactive upgrades offer several advantages, as detailed in this article. The benefits include:
- Enhanced Performance and Efficiency: Modern hardware and software solutions can significantly improve operational efficiency, leading to increased productivity and reduced downtime.
- Improved Security: Up-to-date systems are better equipped to handle emerging cyber threats, protecting sensitive data and maintaining customer trust.
- Cost Savings: Addressing potential issues before they escalate can save businesses from costly emergency repairs and operational disruptions.
Making IT Budgeting Predictable in a Volatile Market
To mitigate the impact of unforeseen events, such as tariffs or equipment failures, businesses should adopt a strategic approach to IT budgeting:
- Scheduled Upgrades: Implementing a regular tech refresh cycle ensures that equipment remains current, reliable, and efficient.
- Predictable Expenditures: Planning for periodic upgrades allows for more accurate budgeting, reducing the financial strain of unexpected large-scale replacements.
- Resource Allocation: Regular assessments of technology needs enable businesses to allocate resources effectively, ensuring that critical areas receive necessary upgrades promptly.
Now is the Time for an Infrastructure Review
In light of the newly imposed tariffs and their potential impact on IT equipment costs and availability, businesses are encouraged to evaluate and proactively upgrade their IT infrastructure. By doing so, companies can maintain operational efficiency, enhance security, and manage budgets effectively, ensuring resilience in an evolving economic landscape. Contact us for an assessment of your current system and your ongoing needs. We can determine the best way for you to protect your business from the tariff carousel.
The post Decoding the Tariff Impact on Your IT Upgrades appeared first on Fairdinkum.
Laura Dominguez: Field Systems Engineer 31 Mar 2025, 4:57 pm
Laura Dominguez is one of our dynamic Field Systems Engineers whose journey in the IT world, though only five years in the making, is already marked by exceptional dedication and unwavering principles. Her contributions have solidified her as an invaluable and dependable member of our team. And, as a bonus, her passion for baseball, ignited in her native Dominican Republic watching her brothers play, makes her a perfect fit for our team’s spirit!
Laura grew up in the Dominican Republic and then lived in Japan for two years before moving to the United States for college. The technology world has always interested her and she was excited by the many different career opportunities to explore. While she has found working as an engineer is more overwhelming at times than she expected, she finds the work challenging and fun. One of her professional goals this year is to earn another Microsoft certification.
Laura’s loyalties outside of work belong to family and music. If she’s not singing “I Want it That Way” (seriously, just add her to our growing group of talented karaoke performers), she is playing the guitar, which she picked up at age 10 after seeing Shakira play. She also hopes to step away from work and hobbies to have time to visit her brother in Japan later this year.
When asked what else people should know about her, Laura emphasizes her drive for a better future for herself. She also strives to be the kind of person who always has your back, echoing the support she receives from those around her.
And as Laura would say in her sign-off: Have a nice day!
How North Korea Pulled Off a $1.5 Billion Cryptocurrency Heist and Why Cold Wallets Didn’t Stop It 19 Mar 2025, 6:26 pm
In February 2025, North Korean hackers executed one of the largest cryptocurrency thefts in history, stealing approximately $1.5 billion from the Dubai-based exchange Bybit. The attack, attributed to the infamous Lazarus Group, sent shockwaves through the crypto industry, raising urgent concerns about digital asset security.
This incident also shattered the belief that cold wallets—previously considered the gold standard for protecting crypto—are completely secure. In this article, we’ll break down how this attack happened, the difference between hot and cold wallets, and why even the most secure storage methods weren’t enough to stop this breach.
How Did North Korea Steal $1.5 Billion in Crypto?
The FBI confirmed that North Korean hackers successfully breached Bybit’s security and transferred Ethereum-based assets to an unknown address. While the exact details of the attack remain undisclosed, cybersecurity analysts speculate that the hackers likely exploited a combination of human error, social engineering and insider threats to gain access to supposedly secure wallets.
Hot Wallets vs. Cold Wallets: What’s the Difference?
To understand how this attack happened, it’s important to break down the differences between hot and cold wallets and their respective vulnerabilities.
Hot Wallets – Convenient but Risky
Hot wallets are digital wallets connected to the internet. They allow for quick transactions and easy accessibility but are more vulnerable to hacks.
Pros:
- Instant access for trading and transactions
- Convenient for frequent crypto use
Cons:
- Higher risk of cyberattacks, phishing and malware
- Always online, making them easier targets
Cold Wallets – Secure but Not Impenetrable
Cold wallets store cryptocurrency offline, disconnected from the internet. They are considered the safest option for long-term storage.
Pros:
- Immune to online attacks, phishing and malware
- Provides strong security for long-term holdings
Cons:
- Can still be compromised if private keys are stolen
- Vulnerable to insider threats and physical theft
- More difficult to access for quick transactions
How Did Hackers Bypass the Stronger Cold Wallet Security?
The Bybit attack proves that cold wallets are not invincible when human factors or operational weaknesses come into play.
Here’s how hackers can still compromise them:
- Social Engineering Attacks – If an employee with access to cold storage falls victim to phishing or bribery, hackers can steal private keys or gain entry.
- Insider Threats – Employees or contractors with inside knowledge can deliberately or accidentally expose secure assets.
- Poor Key Management – If private keys are stored in easily accessible locations or shared insecurely, they can be stolen.
- Compromised Multi-Signature Protocols – If multiple security signers are hacked or coerced, even multi-signature wallets can be drained.
- Bridge Exploits – If Bybit was using crypto bridges to move assets between blockchains, vulnerabilities in those bridges could have been exploited to siphon funds.
- Physical Security Breaches – If cold wallets are stored in insecure locations, attackers can physically steal and extract the assets.
These factors show why a layered security approach—not just cold wallets—is essential for crypto security.
How Businesses and Investors Can Protect Their Crypto
With North Korean hackers continuing to target crypto exchanges, businesses and individual investors must strengthen their security measures. Here’s how:
- Use Multi-Signature Wallets: Require multiple approvals for transactions to prevent single points of failure.
- Implement Air-Gapped Security: Store cold wallets in offline environments with no digital access.
- Strict Access Controls: Limit employee access to private keys and enforce strong authentication measures.
- Regular Security Audits: Conduct frequent security reviews to identify potential weaknesses.
- Diversify Storage: Use a combination of hot and cold wallets to balance security and accessibility.
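As an added illustration of the two multi-signature points above (the “Compromised Multi-Signature Protocols” risk and the “Use Multi-Signature Wallets” recommendation), and not code from the original post or from Bybit: a 2-of-3 approval check in which each approval is bound to the exact transaction it was given for. The signer secrets, the HMAC stand-in for a signature and the sample transaction are constructed assumptions; a real wallet uses public-key signatures verified on chain.

```python
import hashlib
import hmac
import json

# Constructed signer secrets (hypothetical). In practice each key lives on its
# own offline device, so compromising one host does not expose a second key.
SIGNER_KEYS = {
    "signer-a": b"constructed-secret-a",
    "signer-b": b"constructed-secret-b",
    "signer-c": b"constructed-secret-c",
}
THRESHOLD = 2  # 2-of-3 policy: no single signer can move funds alone


def canonical(tx: dict) -> bytes:
    """Deterministic encoding so every signer signs exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign(signer: str, tx: dict) -> str:
    """Stand-in for a signer's signature (HMAC here; ECDSA/EdDSA on chain)."""
    return hmac.new(SIGNER_KEYS[signer], canonical(tx), hashlib.sha256).hexdigest()


def verify_approvals(tx: dict, approvals: dict) -> tuple:
    """Return (approved, valid_signers).

    Only known signers whose signature covers this exact transaction count,
    so an approval collected for a different destination or amount is useless.
    """
    valid = []
    for signer, sig in approvals.items():
        if signer not in SIGNER_KEYS:
            continue  # unknown signer: ignored, never counted
        if hmac.compare_digest(sign(signer, tx), sig):
            valid.append(signer)
    return len(valid) >= THRESHOLD, sorted(valid)


# Constructed sample withdrawal from a cold wallet
TX = {"from": "cold-wallet-1", "to": "exchange-hot-wallet", "amount_eth": 500}


def scenario_single_signer() -> bool:
    """One stolen key is not enough under a 2-of-3 policy."""
    return verify_approvals(TX, {"signer-a": sign("signer-a", TX)})[0]


def scenario_threshold_met() -> bool:
    """Two valid approvals release the funds. The threshold is the security
    boundary: if two signer keys are compromised, this same check passes,
    which is exactly the multi-signature risk the post describes."""
    return verify_approvals(TX, {
        "signer-a": sign("signer-a", TX),
        "signer-b": sign("signer-b", TX),
    })[0]


def scenario_tampered_destination() -> bool:
    """Approvals were gathered for TX but a different destination is submitted;
    because each signature covers the signed bytes, the stale approvals fail."""
    altered = dict(TX, to="unknown-address")
    return verify_approvals(altered, {
        "signer-a": sign("signer-a", TX),
        "signer-b": sign("signer-b", TX),
    })[0]


if __name__ == "__main__":
    print("single signer approved:", scenario_single_signer())
    print("threshold met:", scenario_threshold_met())
    print("tampered destination approved:", scenario_tampered_destination())
```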
Heed the Warning
North Korea’s latest crypto heist is a wake-up call for the entire industry. While cold wallets remain one of the best ways to secure digital assets, they are not invincible. Human error, insider threats and advanced hacking techniques can still lead to catastrophic losses.
For businesses and investors, the key takeaway is clear: Crypto security must go beyond just hardware wallets. A multi-layered defense strategy, strict access controls, and continuous security audits are essential to stay ahead of cyber threats.
The Return of the BYOD Threat 12 Mar 2025, 2:55 pm
Fifteen or so years ago, one of the biggest cybersecurity threats was the employee who used a personal device in the workplace. Even though workers had long used their home computers to log in to their business accounts, the Bring Your Own Device (BYOD) movement and its security concerns hit their stride with the introduction of smartphones and tablets. The threat came with the unknown—IT and security teams didn’t know what devices were connecting to the network or what, if any, security measures were used on these personal devices.
When Covid sent millions of people from the office to the living room, BYOD shifted in scope. Even though there were more personal devices than ever being used for work, IT and security teams had more control. Many organizations required workers to use VPN connections whenever connecting to the corporate network. Managed security service providers (MSSPs) were contracted to help monitor security across disparate workstations. If there was one good thing that came from the pandemic, it was that organizations finally figured out how to safely implement BYOD and decrease the risks of using personal devices.
What’s Old Is New Again
Now, as workers are told to return to the office full-time, there are new reports about threats targeting BYOD machines. According to research from Cyberint, 70 percent of infected devices on corporate networks are non-corporate machines. The primary danger posed by unmanaged devices, as identified in the research, is the theft of login credentials, which allows hackers to secretly infiltrate a system.
Just as BYOD risks have returned, so has the reason the devices were a risk in the first place: BYOD is, once again, either using very basic security protection or not protected at all.
Social media is a common source of BYOD-related threats, which isn’t surprising given the volume of links, articles and emails sent through these platforms. However, unsecured software and gaming also pose a significant risk on someone’s device. Users who install software from less than legitimate sources, or play games that allow downloads from miscellaneous creators, potentially leave the gates of security wide open. Downloading torrents and unvetted software likewise exposes a device to malicious installs. If the user then connects that device to the corporate network, they’ve just opened a huge risk for the company.
So once again, cybersecurity researchers are seeing how BYOD has become the Holy Grail for threat actors, who are not only stealing credentials to get into networks but also selling them on the dark web for financial gain.
You Have the Power to Protect Your Systems
Workers may have become more lax about the security of their personal devices because they have been under corporate security controls for the past four years. It is also possible that security teams have bigger problems to worry about. However, with shadow AI on the rise and regulatory compliance requirements constantly shifting, the chances are unfortunately good that most employees are violating whatever BYOD policies were once in place. It’s time to dust off those policies and take a closer look at who and what are connecting to your network. If you need help analyzing your security systems or upgrading your protections, we can help.
How to Protect and Improve Your IT Systems During a Move 26 Feb 2025, 11:09 pm
At some point, almost every company needs to relocate. Moving furniture and updating addresses is cumbersome enough, but the modern organization also needs to move its entire IT structure.
Yes, relying on cloud computing and SaaS architecture through an MSP will make access to corporate data a seamless process, but you still have the hardware, the infrastructure, network connection, new security plans and server migration to plan for and protect.
Like so many things in IT, you need a plan in place long before the move begins to make sure that the entire process goes smoothly.
IT Should be Involved from Start to Finish
The IT team should be included in the moving plans from the beginning because their role will need to start immediately.
After designating a point person on the IT team, that person will work with other departments to develop a relocation plan. This plan should include:
- A timeline of the moving process. It’s recommended to start planning at least 2-3 months before the anticipated move.
- A complete inventory of the current infrastructure, hardware and software systems.
- Visits to the new location to investigate things like electrical outlets, ports, the existing infrastructure situation and even ventilation in the IT data room.
- Confirmation of whether the new location is set up well for the current wireless equipment or if more/newer models need to be purchased.
- Creating a checklist of equipment needs, i.e., how many ethernet cables will be necessary, whether power strips will be needed to set up desks in the desired locations, or if there is adequate space available in the designated server room.
- Working with the facilities manager to best design the IT setup for each department and/or individual employees.
- Pulling the list of Internet providers available to the building and making sure the Internet is installed before the move date to ensure all is working on day one.
- Informing your technology partners about the impending move.
- Planning for cancelation of any services at the old location.
Take the Opportunity to Audit Your Equipment
This is an ideal time to take a complete inventory of the company’s IT equipment. Not everything will need to be relocated. An equipment audit will identify which pieces of equipment should be replaced or updated, which hardware is no longer used and can be retired, and how employees are actually using technology. For example, an audit of the telecommunications system will provide insight into how employees use the phone system, who needs a phone on their desk versus a mobile device, and what type of phone network will be most efficient in the new location.
Data Protection is Imperative
A move can put your data at risk, even if most of it is stored on offsite servers. Accidents and theft can happen during a move, resulting in data being lost, stolen or compromised. The IT relocation plan needs to include a checklist of everything that should be backed up so nothing critical is forgotten. Then create multiple backups. If there is a problem, having multiple backup options should get the company up and running quickly.
Avoid Down Time through Strategic Planning
The worst-case scenario for any organization is downtime. A poorly planned relocation could take business operations offline for an extended period of time. The IT plan should have a strategy that keeps disruptions minimal for customers and employees. Laying out a timeline of the pack-up, move and unpack, as well as troubleshooting in the new location, will help identify flaws. Moves can take time, so be mindful of how long people are in the office. Plan for breaks, or allow them to arrive only at needed times, to reduce mistakes, improve morale and avoid too many people crowding up useful working and moving space.
Test—Test Again—and Provide Support
Whoever is managing the IT move, whether internal IT or a managed service provider, should conduct thorough testing of the new setup to make sure everything is working properly. That includes phone systems, email and internet connection strength.
No matter how well you plan and test for the move, there likely will be some confusion or hiccups. Be prepared to be available for the first week in the new office space to answer questions or help employees during the transition—hopefully there is nothing more serious than getting a computer to communicate with the printer.
The Post-Analysis of the Cyber Incident: Why You Should Review the Lessons Learned 25 Feb 2025, 6:39 pm
Phase 6: Lessons Learned
A successful Incident Response Plan (IRP) will be your guide through any type of disaster that impacts your business, from a ransomware attack that locks up your data to a hurricane that destroys a data center to a power outage that makes your systems unavailable. The plan will take you from those first stressful moments of discovering the threat to your business operations through identification and prioritization of the problem, containment, eradication and finally the recovery phase. (Be sure to read our blogs on Why You Need an IRP and Phases 1-5. Links below!)
Before taking the pats on the back for a job well done, it’s time to dig into the final phase of your IRP: a post-incident analysis of the lessons you’ve learned and how to incorporate that information back into your IRP.
IRP as a Living Document
According to the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, taking the time to review the entire scope of the incident and how you reached a successful recovery is often overlooked or forgotten. It’s understandable. Work duties and processes don’t stop, and new problems are always coming up. In 2023, there were nearly 8 trillion intrusion attempts worldwide, and more than 5 billion cyberattacks. With a constant onslaught of potentially malicious cyber incidents, incident response teams need to constantly look forward and be ready for the next problem.
However, holding a lessons-learned meeting immediately after a major attack or in regularly scheduled sessions to discuss the smaller and ongoing incidents is important to keep the IRP up to date. Threats are constantly evolving and new tools and solutions are introduced into the network. Taking the time to understand what happened to cause the incident and how you reached recovery provides the background information that will improve overall security within the organization and offers suggestions on how to better address the next incident.
Questions to Ask About Your Incident Response
The success of the post-incident analysis depends on the agenda. NIST offers a list of questions that will get the conversation started and ensure that important topics aren’t forgotten:
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- What would the staff and management do differently the next time a similar incident occurs?
- How could information sharing with other organizations have been improved?
- What corrective actions can prevent similar incidents in the future?
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
From the information gathered, the team should then create a report for each incident that can be used for reference during future, similar incidents. Detailed recording will also be valuable for evidence in legal proceedings or to prove compliance regulations have been met.
Using Feedback to Improve Overall Corporate Security
The results of the lessons learned in an incident aren’t meant to be hidden away until they are needed again. Instead, they can be used to improve the overall security posture in your company. Use the results of lessons learned to:
- Update your security awareness training.
- Train new members of the incident response team.
- Set rules around devices, new technologies and data access.
- Review security tools.
- Determine the need for an outside partnership with a managed service provider to improve the overall security approach.
Nobody wants to be the victim of an incident that takes business operations offline or compromises data, but the reality is, at some point, every organization will face a serious incident, whether it is a cyber attack or a natural disaster. Preparing for that day with an IRP is key to ensuring your organization is ready to manage that event.

Download our IRP Planning Document: Create Your Incident Response Plan
Catch up on our IRP Blog Series
How – and Why – to Create a Strong Incident Response Plan – Fairdinkum
Phase 2: Are Your IT Systems Slow or Under Attack? – Fairdinkum
Phase 3: The Best Way to Contain a Cyber Incident Depends on the Type of Attack – Fairdinkum
Phase 4: You Found the Cyber Attack, Now Get Rid of It – Fairdinkum
Phase 5: Restoring Normalcy to Your Compromised Network – Fairdinkum
Restoring Normalcy to Your Compromised Network 19 Feb 2025, 4:39 pm
Phase 5: Recovery
In your Incident Response Plan (IRP), Phase 4 (eradication) goes hand-in-hand with Phase 5 (recovery). In fact, in the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, eradication and recovery are grouped together in one section, stating “eradication and recovery should be done in a phased approach so that remediation steps are prioritized.”
Recovery is the third actionable step of incident management. After containment and eradication of the intrusion that caused the incident, recovery is the process to restore your systems to a clean configuration that is as close as possible to the pre-incident environment. In this phase, the incident response team will take steps to ensure the systems are working normally and that any lingering vulnerabilities are remediated. According to NIST, during the recovery phase you will take basic actions that include:
- Restoring systems from clean backups
- Rebuilding systems from scratch
- Replacing compromised files with clean versions
- Installing patches
- Changing passwords
- Tightening network perimeter security (e.g., firewall rulesets, boundary router access control lists).
Data Integrity Analysis
Getting your systems back to normal operational standards is the first step in recovery. The second is to verify data integrity. Data compromised during a cyber incident could be corrupted or modified. Even backup data could have been impacted by the incident, so that, too, must be analyzed.
Verifying data integrity involves running checks and audits to see if the data has been altered or tampered with at any time during the cyber incident’s activity. All data should be checked for anomalies, missing pieces, skewed information and unauthorized modifications. The data can be validated using audit trails, logs and older, clean backups to verify any changes or deletions.
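One way to run the check described above, as an added example that is not from the NIST guide or the original post: hash every file in the restored tree and compare it against a manifest taken from the older, clean backup, reporting what was modified, what is missing and what appeared that the backup never contained. The directory layout and file contents below are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large restored volumes need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest.
    Run this once against the clean backup and keep the result read-only."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the clean-backup manifest and the restored tree:
    modified  = present in both but content changed (tampering or corruption)
    missing   = in the backup but gone from the restored system
    unexpected = on the restored system but never in the backup"""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: a clean backup and a restored copy in which one
    file was altered, one was deleted and one was added without authorization."""
    with tempfile.TemporaryDirectory() as t:
        clean, restored = Path(t, "clean"), Path(t, "restored")
        for d in (clean, restored):
            (d / "etc").mkdir(parents=True)
        (clean / "etc" / "app.conf").write_text("db=prod\n")
        (clean / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (clean / "README").write_text("ok\n")
        (restored / "etc" / "app.conf").write_text("db=prod\nadmin=extra\n")  # altered
        (restored / "README").write_text("ok\n")                            # unchanged
        (restored / "etc" / "task.sh").write_text("#!/bin/sh\n")            # unauthorized
        return compare(build_manifest(clean), build_manifest(restored))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:10s} {files}")
```

Every path the report lists is a candidate for isolation and for cross-checking against audit trails and logs before the system is declared clean.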
If data is found to be compromised, the incident response team will need to isolate the impacted files and systems as quickly as possible. Legal and public relations members of the team will work in tandem to notify affected stakeholders and assess liability concerns, while other team members begin the remediation and recovery process.
The National Cybersecurity and Communications Integration Center (NCCIC) recommends the following action if data is compromised:
- Don’t turn off the system or disconnect from the network because this could result in a loss of forensics.
- Don’t install any new tools except to run programs necessary to image the system.
- Do memory captures and hard drive imaging because this can present important incident timeline information.
Ongoing Recovery to Stop Repeat Attacks
The recovery phase doesn’t end once the system appears to be back to normal and all data is recovered and secured. “Higher levels of system logging or network monitoring are often part of the recovery process,” said NIST. This is because once threat actors have figured out how to get into one part of the system, they will surely continue to try the same or similar tactics to get into other areas of the network.
Recovery is an ongoing process that will require a number of procedures and tools, including:
- Continuous monitoring of restored systems to confirm there are no lingering threats
- Vulnerability assessments to catch potentially exploitable holes in the system
- Regular penetration tests
- Tabletop exercises to make sure the security systems are working as designed
Once recovery is done, there is just one more phase to complete your IRP and improve it for future situations: Phase 6, the post-incident evaluation to document the lessons learned.
You Found the Cyber Attack, Now Get Rid of It 7 Feb 2025, 8:00 am
If your organization’s Incident Response Plan (IRP) is going as projected in the aftermath of a cyber incident, the attack has been identified and contained. Now it is time for phase 4, eradication.
Containment of the attack should keep it from spreading throughout the system. The goal of eradication is to completely remove threats from the affected network and allow for the next step of recovery.
As the National Institute of Standards and Technology (NIST) states in the Computer Security Incident Handling Guide, eradication and recovery are very closely linked. Eradication is the step required to delete malware, to disable any infected user account and to identify and mitigate exploited vulnerabilities, but there will be incidents where eradication is not necessary or will happen as part of the recovery phase.
However, when eradication is necessary, NIST said “it is important to identify all affected hosts within the organization so that they can be remediated.”
Eviction and Mitigation
Eradication is about confidence. The incident response team must be confident that their actions will completely eradicate the threat before the team can move on to the recovery phase. Any remnants left of the attack can continue to do stealth damage, which can not only force the incident response team to go back to phase 2 but could also result in serious reputational damage if more sensitive data is compromised.
To ensure full eradication, incident response teams should work toward two goals: eviction and mitigation. Eviction is wiping the system clean of the threat, with no trace of the threat actor to be found in the network or on devices. Mitigation fixes the vulnerabilities that were exploited, closing the doors for the threat actor to return.
Best Practices for Eradication
The incident response team’s role in eradication is to provide detailed coordination and documentation throughout the process. For the IRP, the Cybersecurity and Infrastructure Security Agency (CISA) recommends putting together a list of best-practice activities and a vulnerability response playbook to address the threat. These activities include:
- Remediating all infected areas of the network, including cloud and hybrid systems
- Rebuilding systems and hardware
- Replacing infected files with clean files
- Patching vulnerabilities
- Resetting passwords or creating new credentials if necessary
- Monitoring for any sign of the threat in the containment phase
“Threat actors often have multiple persistent backdoor accesses into systems and networks and can hop back into ‘clean’ areas if eradication is not well orchestrated and/or not stringent enough,” according to CISA’s Cybersecurity Incident and Vulnerability Response Playbooks. “Therefore, eradication plans should be well formulated and coordinated before execution.”
When complete, eradication will lead into recovery, Phase 5 of your IRP.
Paul Stenson: Systems Engineer 6 Feb 2025, 8:00 am
Paul Stenson, our talented Systems Engineer, brings a unique blend of skills and experience to FDI. With 7 years in the IT/Tech space and a background as a camp counselor, Paul demonstrates a strong work ethic, adaptability and a knack for connecting with people. A true sports aficionado, Paul’s loyalties lie with the New York Yankees and the New York Giants – a legacy passed down from his father during childhood in White Plains, NY – even though “these teams currently stink.”
Outside of work, Paul’s life revolves around his beloved cat, Charlie, and his trusty Steam Deck. He enjoys gaming, spending quality time with friends and family and squeezing in workouts whenever possible. One of his most cherished memories from the past year was attending his best friend’s wedding in California, where he enjoyed a fantastic vacation with close friends.
Reflecting on his IT journey, Paul shares, “I always had an interest in computers growing up. I did summer tech internships during the summer in college in my hometown which got me into the field.”
Although not his favorite song, Paul confidently declares “Gives You Hell” by The All American Rejects as his go-to karaoke anthem.
Looking ahead, Paul has big goals, including tackling larger projects, streamlining Project Estimate processes through comprehensive documentation and continuing to grow both personally and professionally. We’re glad we get to tag along on the journey!
The Best Way to Contain a Cyber Incident Depends on the Type of Attack 4 Feb 2025, 2:02 pm
After noticing that your network was experiencing unusual glitches, you turned to your Incident Response Plan (IRP) and instituted Phase 2—identifying the cause of the network problem. Unfortunately, it is a worst-case scenario. The network has been breached, and data appears to be compromised.
As per the directives in Phase 2, the cyber incident is scored and prioritized. Once that is complete, the incident response team is ready to move on to Phase 3—containing the attack with both short-term and long-term strategies to limit its spread.
The goal is to minimize the impact of the cyber incident as much as possible while addressing any disruptions by isolating the attack area. As the National Institute of Standards and Technology (NIST) points out in its Computer Security Incident Handling Guide, “containment provides time for developing a tailored remediation strategy.”
Determining the Most Effective Containment Strategy
Just as each incident needs to be classified and prioritized based on the overall impact of the attack, the containment strategy will be unique depending on the type of cyberattack. A DDoS attack, for example, will require a different containment strategy than a ransomware attack.
The incident response team should already have baseline containment strategies for a variety of different attack vectors and incident types outlined in the organization’s IRP. NIST recommends using the following criteria to determine the correct response for containment:
- Potential damage to and theft of resources
- Need for evidence preservation
- Service availability (e.g., network connectivity, services provided to external parties)
- Time and resources needed to implement the strategy
- Effectiveness of the strategy (e.g., partial containment, full containment)
- Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).
Short-term Containment
The bad news is that by the time a cyber incident is discovered, it has likely already been embedded in your network for a long period of time. IBM’s Cost of a Data Breach Report 2024 found that it takes, on average, 258 days to identify and contain a breach—longer if that breach involves stolen credentials. By the time the incident is identified, there could be considerable damage already done.
So, the important thing is to stop any more disruption or data compromise as quickly as possible. Short-term containment to get a fast handle on the attack can involve some seemingly simplistic, but effective, actions, such as:
- Disconnecting all compromised devices from the network.
- Shutting down infected servers.
- Isolating impacted network segments.
- Using firewalls.
- Re-routing internet and network traffic.
- Connecting to non-compromised backup systems until the attack is contained on the main network.
Long-term Containment
Once the impacted area has been isolated from the rest of the network, the incident response team can begin implementing long-term containment solutions until the affected systems are restored to normal operations. Long-term containment strategies include:
- Network segmentation. By dividing the network into isolated zones to limit the spread of the attack, unaffected critical systems can keep running.
- Monitoring enhancements. Increasing the levels of monitoring and logging of both the isolated areas and the network as a whole allows suspicious behaviors and activity to be tracked better.
- Access restrictions. Restricting access in any affected area of the system to only those with the highest need reduces the number of people working within the system.
- Threat-hunting tools. Deploying threat-hunting tools is important to search for more malicious activity that might have been missed in earlier identification rounds.
Again, containment strategies will depend on the type of cyberattack that has occurred and how long the attack has been live on your system. The incident response team will determine those strategies based on identification scoring.
Once containment is achieved, the incident response team will move on to Phase 4, eradication.