Your security team identifies a breach. It’s been 8 days, 5 hours, and 39 minutes since a threat actor made it past your network firewall. Once in the system, the team of three cyber criminals:
- Enumerated your assets + valuable information
- Retained access to your proprietary files and network containers
- Established persistence on an office printer, quietly siphoning invoices, employee lists, maps of the production floor, and other proprietary materials
- Exfiltrated the information over the web connection
- Monetized that material + their access to your network
- Communicated the breach with your team, encrypted your network, and left a note on a company device with the ransom set to expire in 48 hours, at which point (without the ransom paid) they will make the information they captured public.
So now what?
If you’re the hacked security team, it’s easy to imagine the nightmare situation that ensues and the questions swirling in your CISO’s mind. Did the threat actors get a hold of customer information? How did they get in? What employee information was affected? When (and how) should we disclose the breach to the board? Do investors need to know? What are the legal ramifications for paying a cyber ransom?
The infosec industry often follows a five-step approach to incident response: identify, mitigate, respond, recover, and remediate. I’d like to add three anecdotal guidelines to consider in conjunction with this process.
1: Don’t light your hair on fire.
Once you’ve been notified of a breach and your business is (literally) losing thousands by the hour, it’s easy to panic. But in a crisis situation, that’s the last thing security teams have time for. Slow down, appoint an incident commander, perhaps from an outside firm, and pull out your incident response plan.
I conducted an exercise once at the Marine’s Weapons School, MAWTS-1, where I asked the students to stop a simulated virus I had uploaded to exercise computers. I made the tabletop particularly realistic. Lights flashed and red script scrolled across screens.
All the students needed to do was identify why the hack had occurred, but the situation progressed to the point where all devices in the lab were infected. If one student had taken charge, turned off the monitors, and directed the group to focus on the uncorrupted radio channel, the group might have succeeded. But no one did. Glaring distractions won the day.
Bad decision making happens during panic. Avoid panicking or spreading panic to others.
2: The first report is always wrong.
Every breach must be assessed and reported to security leadership for the first time. That doesn’t mean the first report is an accurate picture of the situation. Whether or not your report uncovers less threat actor involvement than you thought or more, do not stake legally binding decisions on fresh data.
Ever watched an incident commander in action? Our police and firefighters follow a commander who develops a plan, makes urgent decisions, and delegates tasks to the command team at the scene of the emergency.
The value of the incident commander’s professional distance from your environment and the emotional elements of a cyber breach cannot be overstated or replaced, no matter how skilled the employees on your bench. Ask the incident commander to handle the response process and let the commander’s team gather their own assessment of the breach, comparing their data to your own first report.
3: Keep the information you do know tight.
Since the first report usually contains errors, make sure you don’t publicize (or even share within the company) that information pre-emptively. When (and if) you share privately and publicly, let the incident commander working with an outside legal counsel make that decision.
Before a breach happens, work with your legal team to prepare disclosure templates and plan out who needs to know about a breach first. Too often, organizations make PR blunders worthy of litigation because the CISO either hides the extent of the breach or overshares incorrect information before it has been verified.
Modern SecOps and Incident Response
At Ascent Solutions, our team embraces Modern Security Operations in all aspects of protecting our customers and our own environment—including an incident response. Watch for the next blog in this series covering the value of cyber threat intelligence to an incident response plan.
If you have been breached or you do not have a tight incident response plan, let our experts assist you. Reach out to email@example.com for more information.