The 5 W’s of investigating cyber attacks

5th July 2017 Claire Stead News

Increase in Cyber Attacks

CSO magazine estimates that cyber crime damage costs will reach $6 trillion annually by 2021. The recent WannaCry ransomware attack, which affected organizations in over 100 countries and across multiple industries, was a stark reminder that cyber attacks are a very real threat.

In 2016 there was a 600% increase in the number of ransomware attacks, a trend that looks set to continue without appropriate and rapid action. Now, more than ever, it is vital for organizations to review their cyber security strategies and ensure that the right systems, people, policies and procedures are in place, not only to protect against attacks but to recover from them adequately.

Malware poses a serious threat to organizations, yet many still don't know how to protect against it, or what to do once it has infected their systems. Malware can sit in an organization's network for months without being detected, often lying dormant and spreading the infection before it acts. Being able to detect malware on your network is vital for recovery, and doing it properly requires a forensic level of investigation. To break it down, we've highlighted the five Ws you need to ask to work through your investigation once a cyber attack has hit.

What

What is the malware doing? What did it take?

In order to recover from a malware attack, you need to understand what the malware is trying to achieve. Is it trying to steal your data? Is it trying to hold your data to ransom? Is it trying to take down your systems? The answer sets your priorities: ransomware has to be contained before it encrypts anything else, whereas data theft means working out what left the network and preserving the evidence. The sooner you understand this, the sooner you can get rid of the infection.

When

When did the malware infiltrate the network? How long has it gone unnoticed?

Once you understand what the malware is, you can look back through your logs and network records for related suspicious activity. This will help to create a timeline of events that identifies any shortcomings in your defences, and will allow you to work on the next W…

Where

Where is the malware now? Is it still on the network?

The main action you need to take is locating the threat and eradicating it. Make sure you have found every affected machine before you start cleaning up: removing the malware from one host while it persists on another simply invites re-infection. With any luck, you will find the malware early, before it has caused knock-on problems across your network or machines.
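The "when" and "where" questions above are answered in practice by running the indicators you learned from the "what" step back over your logs. The script below is an added example written for this page, not Smoothwall's own code or tooling: it takes a constructed set of indicators (a file hash and two command-and-control domains, all hypothetical) and a handful of constructed multi-host log lines, and from them reconstructs the timeline (earliest sighting, detection time, dwell time), lists every host that was touched, and reports which hosts are still showing malware activity and so have not yet been cleaned. The hosts, hash, domains and log format are assumptions made for the example.

```python
"""Added example (not Smoothwall's own code): answering "when" and "where" from logs.

Given a few indicators of compromise (IOCs) for a sample, walk multi-host logs to
reconstruct a timeline: earliest sighting (likely initial infection), dwell time
until the first detection event, which hosts were touched, and which still show
activity. Every hash, domain, host name and log line below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed IOCs for a hypothetical sample; in practice they come from
# sandbox detonation, an EDR alert or a vendor report.
MALWARE_SHA256 = "3a7f" * 16                                  # 64 hex chars, made up
C2_DOMAINS = {"update-cdn.example", "sync-node.example"}      # made-up C2 hosts

# Constructed logs: "<ISO-8601 UTC> <host> <source> <key=value ...>".
SAMPLE_LOGS = f"""\
2017-05-02T08:14:03Z ws-017 edr event=process_start sha256={MALWARE_SHA256} path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe
2017-05-02T08:14:09Z ws-017 dns query=update-cdn.example rcode=NOERROR
2017-05-02T08:20:11Z ws-017 dns query=www.example.org rcode=NOERROR
2017-05-09T13:02:47Z ws-017 smb event=file_write target=fs-01 share=ADMIN$ name=svchost.exe
2017-05-09T13:03:01Z fs-01 edr event=process_start sha256={MALWARE_SHA256} path=C:\\Windows\\svchost.exe
2017-05-09T13:03:05Z fs-01 dns query=sync-node.example rcode=NOERROR
this line is corrupt and must not abort the run
2017-05-12T09:30:00Z ws-017 av event=detection sha256={MALWARE_SHA256} action=quarantine
2017-05-14T02:00:17Z fs-01 dns query=update-cdn.example rcode=NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+Z) (?P<host>\S+) (?P<source>\S+) (?P<msg>.*)$")


@dataclass(frozen=True)
class Hit:
    ts: datetime
    host: str
    source: str
    indicator: str  # which IOC matched
    raw: str


def parse_timestamp(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_ioc_hits(log_text: str, sha256: str = MALWARE_SHA256,
                  c2_domains: set[str] = C2_DOMAINS) -> list[Hit]:
    """Every log line matching an IOC, oldest first. Malformed lines are skipped, not fatal."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["msg"].split() if "=" in kv)
        indicator = None
        if fields.get("sha256", "").lower() == sha256.lower():
            indicator = "sha256:" + sha256[:12]
        elif fields.get("query", "").lower() in c2_domains:
            indicator = "c2:" + fields["query"]
        if indicator:
            hits.append(Hit(parse_timestamp(m["ts"]), m["host"], m["source"], indicator, raw))
    return sorted(hits, key=lambda h: h.ts)


def first_seen(hits: list[Hit]) -> datetime | None:
    """Earliest IOC sighting: the best available estimate of when the malware got in."""
    return hits[0].ts if hits else None


def detection_time(hits: list[Hit]) -> datetime | None:
    """When the defender's own tooling first flagged the sample (an 'event=detection' line)."""
    return next((h.ts for h in hits if "event=detection" in h.raw), None)


def dwell_time(hits: list[Hit]) -> timedelta | None:
    """How long the malware ran before anyone noticed: detection minus first sighting."""
    fs, det = first_seen(hits), detection_time(hits)
    return det - fs if fs and det else None


def affected_hosts(hits: list[Hit]) -> dict[str, tuple[datetime, datetime]]:
    """Each host that ever matched an IOC, with its first and last sighting (the 'where')."""
    spans: dict[str, tuple[datetime, datetime]] = {}
    for h in hits:
        first, last = spans.get(h.host, (h.ts, h.ts))
        spans[h.host] = (min(first, h.ts), max(last, h.ts))
    return spans


def still_active(hits: list[Hit], now: datetime,
                 window: timedelta = timedelta(days=3)) -> list[str]:
    """Hosts with malware activity inside the trailing window, i.e. not yet cleaned.

    The AV's own detection/quarantine line is the defender acting, not the malware,
    so it is excluded; otherwise a quarantined host would still look infected."""
    return sorted({h.host for h in hits if h.source != "av" and h.ts >= now - window})


if __name__ == "__main__":
    hits = find_ioc_hits(SAMPLE_LOGS)
    for h in hits:
        print(f"{h.ts:%Y-%m-%d %H:%M:%S} {h.host:<7} {h.source:<4} {h.indicator}")
    print("first seen:", first_seen(hits))
    print("detected:  ", detection_time(hits))
    print("dwell time:", dwell_time(hits))
    print("affected:  ", {host: f"{a:%m-%d} .. {b:%m-%d}" for host, (a, b) in affected_hosts(hits).items()})
    print("still active as of 2017-05-15:", still_active(hits, parse_timestamp("2017-05-15T00:00:00Z")))
```

Two details matter more than the parsing. First, the earliest IOC sighting is a lower bound on "when", not the truth: the SMB file write to fs-01 in the sample is lateral movement that matches no indicator, so a timeline built only from known IOCs can miss the stage that explains how a second host was reached; read the surrounding log lines around each hit, not just the hits. Second, the AV quarantine line is excluded from the "still active" check so that a cleaned host does not keep showing as infected, while fs-01, which is still resolving a C2 domain two days after the detection, is correctly reported as live.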

Who

Who are the attackers?

Often the most difficult question to answer, but one you should make a priority in your investigation. Finding out who the attackers are helps you understand who your data appeals to, or which bad actors want to damage your brand's reputation. This can aid you in building a profile of the kinds of cyber attacks you are likely to face, and therefore in understanding how best to protect your network. Attribution is rarely certain, though, so don't let the search for a name hold up containment and recovery.

Why

Why were you targeted?

Do you hold sensitive or confidential data that could be lucrative to a cybercriminal? Or are your defences so weak that you make an easy target? 'Why?' is the question your Board and shareholders will ask, and the critical one you need to answer in order to protect against future attacks.

Using this five-question approach will help you to better understand how cybercriminals work and why they have chosen you as their target. Only once you achieve this level of understanding are you truly able to build the systems and procedures that protect you from further cyber attacks, and a robust security program for the future.

If you would like advice from Smoothwall on building a multi-layered security system, please contact one of our security specialists today for more information.

Claire Stead