5 ways attackers counter incident response, and how to stop them

IR has become a chess match with attackers who can cleverly spoil responders' efforts and keep a foothold in systems. Here's how they do it and how to kick them out for good.


Last month, the UK's National Cyber Security Centre reported that one organization paid nearly $9 million to attackers for a decryption key after falling victim to a ransomware attack. The organization recovered its files, but it did not identify the root cause of the attack.

Then the same attacker victimized the organization’s network again, using the same mechanism as before to re-deploy its ransomware. "The victim felt they had no other option but to pay the ransom again," said the report’s authors.

Evading detection is a key strategy for attackers of all kinds. Cybercriminals who can survive a company's incident response and stay in its systems after a successful attack can strike again or resell their access to other attackers. Corporate spies or nation-state attackers in particular have the resources and will to linger in corporate systems even after detection and remediation.

Here are some techniques attackers are using to evade incident response teams—and how to counter them.

1. Re-exploit the exploit
