09:00 AM
Connect Directly

5 Big Incident Response Mistakes

Failing to have a formal incident response plan is just one of the mistakes organizations make.

Organizations that suffer major security incidents can end up spending tens and even hundreds of millions of dollars in remediation costs, fines, damages, and other expenses. Many suffer considerable brand damage as well.

While the initial breach itself tends to draw the most attention, how an organization responds to the incident shapes the eventual scope and damage of the attack. This is where being prepared for a breach can help, according to security analysts. Organizations with a formal incident response plan and process in place generally are better able to contain resulting costs and damage.

A Ponemon report last year showed that companies worldwide that had an incident response team spent about $12.60 less per record on average on response and mitigation costs compared to those that did not have one.

Not having a formal plan and being unprepared are just two of the mistakes that organizations make. Here are some of the others:

1. Responding before understanding the full scope of the breach.

Modern attacks are not quite as noisy and random in nature as attacks of the past. They are a lot more targeted, stealthy, and persistent. Companies sometimes may be more deeply compromised than an initial analysis might suggest, says Wade Woolwine, director of global services at Rapid7.

“Victims often think that once they’ve found a backdoor, they’ve identified all ingress methods used by the attackers,” he says. The reality in many cases is that organizations fail to effectively investigate endpoints and other systems to derive reliable indicators of compromise and to use those IOCs to properly scope the incident across the enterprise, Woolwine says.

Not properly understanding scope is a huge problem, Ben Johnson, chief security strategist at Bit9+carbon Black, says. “An organization may have found patient 0, or maybe it has actually found patient 20,” Johnson says. “If it’s patient 20, there will be a lot machines to clean up. Understanding how big or small an incident is will be critical to proper response and recovery. “

2. Not communicating effectively.

The manner in which an organization communicates breach details to stakeholders is vital. Disclosing too many details without proper vetting is almost as bad as releasing nothing at all especially in incidents involving loss of personal data. Organizations need to have a formal post-breach communication plan beforehand, and not scramble to figure what to say publicly in the middle of a breach situation.

“Putting out a claim that only X number of records were accessed or saying that everything has been cleaned up when, in reality, you don’t know the full scope of the impact, or the incident is still being eradicated,” is inadvisable, Johnson says. “It is a dangerous path to navigate and puts a bigger target on the company’s back. “

If the information released turns out to be incomplete or incorrect, it also suggests a sloppy investigation, or that your organization does not have a proper handle on the situation.

3. Not getting legal involved early.

Data breaches can have legal consequences. Many organizations that have suffered data breaches in recent times have been hit with big lawsuits from victims claiming a lack of due diligence in protecting their data, loss of privacy, financial losses, and other issues. So it’s vital to get your legal team involved, or to get legal help, as soon as possible once you’ve discovered a breach.

“Legal does not often move at the speed of security and definitely not at the speed of attackers,” concedes Johnson.

But that’s no reason for not getting them involved quickly anyway, he says. “Legal should be responsible for coordinating with outside parties to avoid information leakage or disclosure to other parties."

Disclose information only under legal advice, and only when there are enough relevant facts around what happened, how, and whom it affected, he says.

4. Tipping your hand.

Playing “whack-a-mole” with an attacker is the best way to drive them deeper into your network, says Woolwine. When investigating a data breach, it is vital not to tip your hand to the attacker.

A knee-jerk reaction to an attack in many cases, for instance, is to immediately shut down affected systems. “For an attacker, this is an immediate indication that they’ve been made,” Woolwine says. “[This] usually results in the attacker establishing other methods of ingress and disappearing off the victim’s detection radar,” entirely, he says.

It’s only when you have fully scoped the breach and have a clear idea of the ingress points, the nature of the intrusion, attack tools, and tactics, that you should start shutting it down.

5. Using an improperly staffed response team.

Not all breaches are the same. A denial of service attack, for instance, is very different from a malware infection. A network intrusion by an external threat actor is different from one carried out by a trusted insider with privileged access to enterprise systems and data. So it is important to assemble the right team and have the right skills and resources in place when initiating an incident response.

Using the wrong people to investigate the breach is a mistake that organizations can often make, Woolwine says.

“Identifying the right technical expertise to investigate the breach is critical,” he says. Having inexperienced IT specialists who dabble in incident investigation or selecting a third party without the credentials to respond to an enterprise breach, can have major consequences, he says.

In addition to the right technical staff, an IR team should ideally also include representatives from legal, communications, HR, and other enterprise functions.

Ultimately though, the key to mounting a good response is planning and preparation, Woolwine says.

“Making sure that you have the technology, processes, and expertise at the ready to help your organization deal with the breach will help streamline the various breach response processes,” he says. It should “remove some of the firefighting stigma associated with responding to breaches.”

Interop 2016 Las VegasFind out more about attacks and breaches at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/19/2016 | 4:27:08 AM
2016 should be the year of Incident Response
During last months, I have read a lot of articles about Incident Response and it seems it would be the buzz word during this year.

For sure, these 5 tips are a great start point to advance from a protect and detection view to the protect/detection/response view. FMPOV, this is the only way to fight properly against cyberattacks.
User Rank: Apprentice
2/14/2016 | 9:12:34 AM
Great tips
Great tips to reduce the possibility of an inneficient incident response plan.


I just want to add that have a good response protocol against incidents, categorizing and identyfing possible response process by information assets is very effective.




8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.