Dave (the chief marketing officer) communicated normally, juggling multiple threads and handling a dozen conversations. But most importantly, he handled sensitive information about the company’s upcoming product launch.
***
Phantomeye629 pinged the remote computer. He was testing whether the computer was open and vulnerable. The ping response from the system finally came, and he knew that remote desktop protocol was accessible. After a few more seconds, he had hijacked another user’s session and was in.
Phantomeye soon discovered that Dave had been given administrator system privileges, and he installed a keylogger to capture Dave’s keystrokes. For a few more days, he just observed what was happening.
***
Ray’s employer was a five-year-old, medium-sized CPA, which hired him as the new cybersecurity expert on the small IT team, but he hadn’t had the time to write up and rehearse an incident response plan before the data breach.
The National Institute of Standards and Technology defines an incident response plan as “The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization’s information system(s).”
A written incident response plan details how an organization will respond to a cyberattack or data breach. How will an organization manage the consequences of an attack or breach? Without a calm, repeatable response plan, organizations will not be able to identify, contain, eradicate, recover, and learn from the event (Cengage).
***
Phantomeye could now move to the system with the intellectual property. For the next couple of weeks, Phantomeye moved the data out of the network.
***
Ray was breathing shallowly as he skimmed the security logs. He hadn’t slept in twenty-four hours and was out of energy. But somewhere in here were the signs of the data breach.
Ray had asked for a company-wide access privilege audit. No one should have permissions that they do not need.
But Phantomeye had finished his exfiltration of the company data a few months before. By the time Ray had first discovered the suspicious activity in the log files (after 203 days), the damage had been done. (On average, cybercriminals will hide in a system for 212 days before the attack is detected, and the longer detection takes, the higher the overall cost to the attacked organization (Venture Beat).
***
As Ray was calling his training to mind, he was pacing the CMO’s office. Dave swiped down on his tablet and put it down. Tim, the CTO, was already there.
“Before Jon gets here, Ray, can you clear up what happened?” asked Tim.
This was not a good start right out of college for Ray. How could he talk about the incident confidently?
“A threat actor accessed the company’s network. We’re still reviewing the logs, but-“
What is the difference between a security event, a security incident, and a data breach?
Ray stopped himself. Don’t want to be too technical, do I? he thought.
But he also had to appear competent. He remembered five types of computer events:
“-We had a data breach. I’ll explain. An event is anything that happens on your computer, while a security event is an event that affects security, things like changing a password or permission or scanning a network.
“But this event was escalated to a security incident when it violated our policies (Sybex) and compromised the confidentiality (CIA) of Dave’s computer” (Verizon).
“Oh s*%$, did this involve any FTC safeguards or IRS violations?” asked Dave.
“Unfortunately, yes. The intruder moved from your computer to a billing department computer,” said Tim. “When the hacker exfiltrated protected health information (PHI) and put it up on the dark web, the event became a data breach (Yubico).” (Unintentional information disclosure, data leak, information leakage, and data spill are all other names for a data breach (Wikipedia).)
“
“Does it even matter what it’s called? I’m in deep trouble,” Dave asked.
“I didn’t want to be too technical, but we have to label events like this because we need to notify regulatory agencies, the media, law enforcement, and our clients as to what occurred, especially if those contacts are affected” (IAPP), said Ray.
Just then, the CEO walked in.
“What the hell happened?” asked Jon. “Do you have any idea what’s going to happen to us? The law enforcement? The media?”
Ray froze. Panic.
“We’re trying to triage everything affected,” said Tim.
Detect, respond, limit consequences, thought Ray. He then laid out to Dave, Jon, and Tim how they would respond through six steps:
***
What are the steps in incident response?
(1) Preparation: Employees should be equipped to handle security incidents with effective operating procedures and training. Information assets should be cataloged. Who and what are mission critical for business continuity (the continuation of business after a security incident or disaster) should be decided?
Cybersecurity policy should ensure an organization’s compliance with legal and regulatory requirements (like HIPAA). Vulnerabilities, threats, and response activities should be identified through a risk assessment. Network and user identities need to be monitored. Firewalls, virtual private networking, and file monitoring software are controls that should be used. Unauthorized changes should be detected and rolled back if needed.
2) Identification: 24/7 monitoring for intrusion detection and prevention systems, security information and event management, file integrity checking, third-party monitoring services and malware logs, operating systems, services, applications, network devices and flows, and alert reviews all involve the identification of events when they happen. An in-house contact should monitor publicly available information about vulnerabilities, exploits, people, and reports regarding security events or activity.
3) Containment: in case of a successful attack, the company needs to limit the damage and isolate affected systems. Containment, along with 4) eradication and 5) recovery, prevents the spread of a breach and halts criminals from moving into other systems.
4) Eradicate: the organization should eradicate the infection by finding and removing the compromised or responsible system.
5) Recover: organizations then clean the affected systems so they can return to regular business as soon as possible. This process should be documented for the future. Business continuity is the critical goal.
6) Lessons Learned: in addition to the postmortem communications by PR, all staff should understand what they must do the help the organization promote business continuity after the incident. The organization should follow NIST’s recommendations for recovery: continued monitoring, revisiting security measures, and taking proactive steps to evaluate and detect events of any type using log review.
***
“Preparation will help prevent this next time. We’re up against resourceful cybercriminals,” said Tim. “Attacks will happen again.”
“So in keeping with that, I’m writing up a new incident response policy that will guide us at high level. We’ll assign duties to each member of IT and authority for those in leadership” (Sybex), said Ray.
“Everyone in the company needs to be in on prevention. The plan will say we’re ready, able, and responsible to respond to security incidents appropriately.”
Some Other Concrete Steps For Incident Response
“We can take some concrete steps to recover after a security incident or cyber attack,” said Ray:
1. Contact your insurance company if there is a claim to be filed; insurance will recommend a breach coach, who works with organizations to isolate affected data, notify customers, retain forensics professionals, and manage crisis communications when a breach occurs (Travelers).
2. Your state will have notification requirements as well (California’s requirements).
3. Stop using affected devices.
4. Change passwords on all systems.
5. Perform an updated malware scan for all systems.
6. Begin a forensics exam if the affected system is considered a crime scene.
7. Determine credit monitoring needs for victims if ID theft is suspected.
8. Notify relevant employees, clients, law enforcement, and federal agencies. Remain in communication with affected businesses. IT should update them on their progress.
***
Over the next few weeks, Ray analyzed and documented the event to aid future prevention. He reflected upon the lessons learned review.
For him, it was about improving and learning, so the next attack would be less impactful. Ray’s concern for his company’s reputation was also on his mind. Following the written cybersecurity incident response plan would help his organization express its cybersecurity readiness and risk management decisions to the public.
About Incident Response: Ask Yourself
– When should a security event be escalated to a security incident?
– What are the reporting requirements for the incident?
– Who will lead the critical incident response team in recovery efforts, and who else is on the critical incident response team?
– What are their duties? (In case law enforcement must be involved, the critical incident response team will preserve chain of custody and oversee the transport of data and computer equipment, secure the environment around the compromised systems, document and record what they discover, and create a report for the event.)
– Who is the executive-level sponsor who will help prioritize breach preparedness at the leadership level? (This is who will coordinate and report to the board and relevant parties.)
– Who is the human resources contact?
– Who is the internal or external general counsel?
– Who are the public relations and marketing team who will communicate with the outside world? (If an incident is revealed to be a data breach and of a specific size, your organization may be required to disclose the breach to the media or notify individuals.)
– When will incident response exercises occur, and who is required to participate in them?
Business Continuity In Case Of Disaster
As Ray actively participated in the company’s recovery, he also implemented a disaster recovery plan in case of a more severe attack or disaster that could take out the company’s systems entirely. What would happen if a worst-case scenario hit the company, an environmental disaster, military, terrorist, or cyberattack?
His plan provided contingencies for restoring the company’s IT functionality with the least disruption possible, e.g., computers, power, telephone systems, and physical assets like its printed documents.
Disaster Recovery Restoration Site Types
If a disaster occurs, the organization could need to move operations to a recovery facility until the regular business place is restored. Recovery facilities fall into one of three types:
Cold site – Computers and infrastructure are available but not configured, connected, or updated. Recovery could take weeks.
Warm site – Computers and infrastructure are available but only partly configured, connected, and updated. Some recovery systems at that location may only receive updates monthly. Recovery could take hours or days.
Hot site – Computers and infrastructure are kept as exact duplicates of the regular systems and network.
The cost of upkeep and level of maintenance both increase from cold being least expensive and least time-consuming to hot being most expensive and most time-consuming.
Cloud site – Alternate to traditional disaster recovery (above three types), cloud disaster recovery combines strategies and services intended to back up data, applications and other resources to a public cloud or to a dedicated managed service provider. When a disaster occurs, your data, applications and other resources can be restored to your premises or cloud provider and resume business for your organization (Tech Target).
Your organization’s recovery needs will dictate which site type you maintain. Ray’s company chose a warm site so that their business recovery would take less time than a cold site and less cost than a hot facility.
About Disaster Recovery: Ask Yourself
– Who will be the individuals who will be charged with the recovery, and what are their phone numbers and contact information?
– Where are your data backups (helpful with ransomware attacks, for example), what are the backup schedules, and how can you fully recover your data?
– How will you communicate with local or national service carriers in a disaster?
– Who will participate in and test disaster recovery?
– With which employees (cross-departmental) and customers will you regularly communicate in a disaster?
Conclusion: Plan for the Worst, Recover The Best
Having processes for recovery from a cybersecurity incident can save you a lot of headaches when it comes—and it will come. Preparing for a crisis takes detailed planning and will ensure faster recovery, handle messaging within and outside of the organization, and aid in preserving your organization’s reputation.
Similarly, preparing for a disaster can help you preserve business continuity when a more significant incident or disaster occurs.
Both are indispensable in today’s modern marketplace.
1 comment