Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

6/17/2021
10:00 AM

Mission Critical: What Really Matters in a Cybersecurity Incident

The things you do before and during a cybersecurity incident can make or break the success of your response.

As a lawyer who figuratively parachutes into dozens of catastrophic cybersecurity incidents a year, I've learned what is truly mission critical during a cybersecurity incident. In leading cyber-emergency responses across industries, enterprise platforms, and threat vectors, I have seen the same themes arise whether an organization is small or large. Here is what I've learned:

1. The Incident Response Plan Is Important as a Discussion Point Pre-Incident but Rarely Consulted During an Event
Incident response plans are important tools to drive an organization's strategy before an incident. Tabletop exercises, where hypothetical breaches are discussed, assist in helping an organization get past the novelty of navigating a cyber catastrophe. But in the midst of a truly catastrophic cyber event, I have never seen anyone consult an incident response plan. Sometimes this is simply because the incident response plan — like the rest of the network — is encrypted and locked away as part of the spoils of the ransom. Often, though, this is just the nature of the emergency: there is no time to review the plan or convene the alleged response team.

My advice is to make certain that — no matter what incident response plan is in place — your organization knows who it will call first in an incident. The incident response plan must reflect not the fantasy but the reality of your organization. Do you have a CEO who is hands-on? In that case, the incident response plan needs to reflect that they will be part of the incident response team. A hands-on CEO is not going to stand down when her organization is under extreme threat.

What is most important is that the team knows that the chain of command is altered during an event and knows to follow the new command lines. Lawyers are in the room to take command and guide the organization through the murky pre-liability space. If anyone other than in-house or outside counsel leads the incident response, the entirety of the investigation could be exposed. This is because the attorney-client privilege is the only true means of confidentiality in an incident. Often, sophisticated technology counsel needs to lead the investigation because having a Luddite lawyer attempt to learn the meaning of acronyms like SIEM or VM on the fly is not conducive to a quick response time.

2. Logging Is Never Where It Needs to Be
One of the first questions I ask during a cyber incident is whether there are logs. This is not idle curiosity. I have learned the hard way that unless log preservation is the primary focus in the first few minutes of an incident, those logs can be lost.

Not only that, but the decision to skimp on log aggregators in the budget often leads to massive headaches during an incident. Why? Because as a lawyer, I rely on technical forensic experts to utilize logging to lay out where a threat actor may have been and where that threat actor may have acquired personal identifying information to sell on the Dark Web or to use for their own malicious purposes.

3. Network Maps and IT Asset Inventories Can Make or Break a Recovery
Up-to-date network maps and IT asset inventories are among the most critical pieces of information during a ransomware response. In the middle of an incident, your organization is inviting in what are essentially strangers in the form of forensics teams and sometimes law enforcement. These experts are attempting to rapidly respond to your event to "clear" the scene of the crime to say that it is safe to remediate and come back online. If you have a complicated IT landscape across multiple locations, having an immediate understanding of the lay of the land is critical. Understanding where threats could be living and what needs to be restored comes down to understanding the assets in play at any given time.

In the calm before an incident, focus on what matters most: (1) developing up-to-date maps and inventories; (2) developing logging strategies that can capture lateral movement across your environment; and (3) worrying less about the incident response plan and more about having a team that understands the chain of command.
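To make points (1) and (2) concrete, here is an added example in Python that is not from the article or its author: given a constructed set of logon records and a hypothetical asset inventory, it reconstructs the host-to-host path an actor could have taken from the network logons, and lists inventoried hosts that produced no logs at all, which is exactly the blind spot a forensic team hits when aggregation was skimped on. The host names, log format, and inventory are assumptions for the demonstration.

```python
# Added example (not from the article): reconstruct where an actor may have
# moved from constructed auth logs, and flag inventoried hosts with no logs.
from collections import namedtuple

Hop = namedtuple("Hop", "ts user src dst")

# Hypothetical asset inventory and constructed log lines, one logon per line
INVENTORY = {"ws-01", "ws-02", "fs-01", "dc-01", "db-01"}
LOGS = """\
2021-06-01T08:02:11 ws-01 logon user=alice src=10.0.1.15 type=interactive
2021-06-01T08:40:03 ws-02 logon user=alice src=ws-01 type=network
2021-06-01T08:41:10 fs-01 logon user=alice src=ws-02 type=network
2021-06-01T08:55:42 dc-01 logon user=svc_backup src=fs-01 type=network
""".splitlines()

def parse(line):
    """Split 'ts host event k=v ...' into a dict (assumed log format)."""
    ts, host, event, *pairs = line.split()
    rec = {"ts": ts, "host": host, "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec

def lateral_hops(records):
    """Network logons are candidate lateral moves from src host to logging host."""
    hops = [Hop(r["ts"], r["user"], r["src"], r["host"])
            for r in records if r["event"] == "logon" and r.get("type") == "network"]
    return sorted(hops)  # tuples sort by timestamp first (ISO-8601 sorts lexically)

def trace_path(hops, start):
    """Hosts reachable from `start` by following hops in time order, across accounts."""
    reached, path = {start}, [start]
    for hop in hops:
        if hop.src in reached and hop.dst not in reached:
            reached.add(hop.dst)
            path.append(hop.dst)
    return path

def coverage_gaps(inventory, records):
    """Inventoried hosts that sent no log lines: blind spots for the forensic team."""
    return inventory - {r["host"] for r in records}

RECORDS = [parse(line) for line in LOGS]

if __name__ == "__main__":
    print("possible path:", " -> ".join(trace_path(lateral_hops(RECORDS), "ws-01")))
    print("no logs from:", sorted(coverage_gaps(INVENTORY, RECORDS)))
```

Note that the path crosses from alice's session into a service account on fs-01; a per-user view would miss that handoff, which is why the trace follows hosts rather than accounts.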

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns.