6/17/2021 10:00 AM

Mission Critical: What Really Matters in a Cybersecurity Incident

The things you do before and during a cybersecurity incident can make or break the success of your response.

As a lawyer who figuratively parachutes into dozens of catastrophic cybersecurity incidents a year, I've learned what is truly mission critical during a cybersecurity incident. In leading cyber-emergency responses across industries, enterprise platforms, and threat vectors, I see common themes arise whether an organization is small or large. Here is what I've learned:


1. The Incident Response Plan Is Important as a Discussion Point Pre-Incident but Rarely Consulted During an Event
Incident response plans are important tools to drive an organization's strategy before an incident. Tabletop exercises, where hypothetical breaches are discussed, assist in helping an organization get past the novelty of navigating a cyber catastrophe. But in the midst of a truly catastrophic cyber event, I have never seen anyone consult an incident response plan. Sometimes this is simply because the incident response plan — like the rest of the network — is encrypted and locked away as part of the spoils of the ransom. Often, though, this is just the nature of the emergency: there is no time to review the plan or convene the alleged response team.

My advice is to make certain that — no matter what incident response plan is in place — your organization knows who it will call first in an incident. The incident response plan must reflect not the fantasy but the reality of your organization. Do you have a CEO who is hands-on? Then the incident response plan needs to state that they will be part of the incident response team. A hands-on CEO is not going to stand down when her organization is under extreme threat.

What is most important is that the team knows that the chain of command is altered during an event and knows to follow the new command lines. Lawyers are in the room to take command and guide the organization through the murky pre-liability space. If anyone other than in-house or outside counsel leads the incident response, the entirety of the investigation could be exposed. This is because the attorney-client privilege is the only true means of confidentiality in an incident. Often, sophisticated technology counsel needs to lead the investigation because having a Luddite lawyer attempt to learn the meaning of acronyms like SIEM or VM on the fly is not conducive to a quick response time.

2. Logging Is Never Where It Needs to Be
Some of the first words out of my mouth during a cyber incident are to ask whether there are logs. This is not idle curiosity. This is because I have learned the hard way that unless log preservation is the primary focus in the first few minutes of an incident, those logs can be lost.

Not only that, but the decision to skimp on log aggregators in the budget often leads to massive headaches during an incident. Why? Because as a lawyer, I rely on technical forensic experts to utilize logging to lay out where a threat actor may have been and where that threat actor may have acquired personal identifying information to sell on the Dark Web or to use for their own malicious purposes.

3. Network Maps and IT Asset Inventories Can Make or Break a Recovery
Up-to-date network maps and IT asset inventories are among the most critical pieces of information during a ransomware response. In the middle of an incident, your organization is inviting in what are essentially strangers in the form of forensics teams and sometimes law enforcement. These experts are attempting to rapidly respond to your event to "clear" the scene of the crime to say that it is safe to remediate and come back online. If you have a complicated IT landscape across multiple locations, having an immediate understanding of the lay of the land is critical. Understanding where threats could be living and what needs to be restored comes down to understanding the assets in play at any given time.

In the calm before an incident, focus on what matters most: (1) developing up-to-date maps and inventories; (2) developing logging strategies that can capture lateral movement across your environment; and (3) worrying less about the incident response plan and more about having a team that understands the chain of command.
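The two technical priorities above, logs that capture lateral movement and an up-to-date asset inventory, only pay off together: the logs say which address an account came from, and the inventory says which machine that address is. The added example below (not from the original article) reconstructs an account's trail across hosts from constructed JSON authentication records and a constructed inventory, and flags the two gaps a forensics team runs into on day one: a source address that is not in the inventory at all, and a host the actor passed through that never forwarded any logs. The record format and field names are assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sample: successful remote logons collected by a central log
# aggregator. "host" is the machine that recorded the logon, "src_ip" is
# where the session came from. Only hosts that forward logs appear here.
SAMPLE_LOGS = """\
{"ts": "2021-06-10T02:14:05Z", "host": "WS-017", "user": "svc_backup", "src_ip": "10.0.9.9"}
{"ts": "2021-06-10T02:21:40Z", "host": "FS-02", "user": "svc_backup", "src_ip": "10.0.5.23"}
{"ts": "2021-06-10T02:33:12Z", "host": "DC-01", "user": "svc_backup", "src_ip": "10.0.1.88"}
{"ts": "2021-06-10T02:35:00Z", "host": "FS-02", "user": "jdoe", "src_ip": "10.0.5.23"}
"""

# Constructed asset inventory: host name -> management IP address.
INVENTORY = {
    "WS-017": "10.0.5.23",
    "FS-02": "10.0.1.17",
    "DC-01": "10.0.1.40",
    "HR-DB": "10.0.1.88",
}

def build_trail(log_text, inventory):
    """Return {user: [(ts, source_host, destination_host), ...]} in time order."""
    ip_to_host = {ip: host for host, ip in inventory.items()}
    hops = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # An address missing from the inventory is labelled rather than guessed.
        src_host = ip_to_host.get(rec["src_ip"], "UNKNOWN:" + rec["src_ip"])
        hops[rec["user"]].append((rec["ts"], src_host, rec["host"]))
    return {user: sorted(h) for user, h in hops.items()}

def coverage_gaps(log_text, trail):
    """Hosts the trail says an account came from, but that left no evidence."""
    hosts_with_logs = {json.loads(l)["host"] for l in log_text.splitlines() if l.strip()}
    gaps = set()
    for user_hops in trail.values():
        for _, src, _ in user_hops:
            if src.startswith("UNKNOWN:") or src not in hosts_with_logs:
                gaps.add(src)  # not in inventory, or never forwarded logs
    return sorted(gaps)

if __name__ == "__main__":
    trail = build_trail(SAMPLE_LOGS, INVENTORY)
    for user, user_hops in trail.items():
        print(user, " -> ".join(f"{s}=>{d}" for _, s, d in user_hops))
    print("no logs preserved from:", coverage_gaps(SAMPLE_LOGS, trail))
```

In the sample, svc_backup reaches the domain controller from HR-DB, a host that exists in the inventory but forwards nothing, so the hop onto HR-DB itself cannot be reconstructed; that is exactly the gap a log-aggregation budget decision creates.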

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ...