Mission Critical: What Really Matters in a Cybersecurity Incident

As a lawyer who figuratively parachutes into dozens of catastrophic cybersecurity incidents a year, I've learned what is truly mission critical during a cybersecurity incident. In leading cyber-emergency responses across industries, enterprise platforms, and threat vectors, there are common themes that arise no matter whether an organization is small or large. Here is what I've learned:

1. The Incident Response Plan Is Important as a Discussion Point Pre-Incident but Rarely Consulted During an Event
Incident response plans are important tools to drive an organization's strategy before an incident. Tabletop exercises, where hypothetical breaches are discussed, assist in helping an organization get past the novelty of navigating a cyber catastrophe. But in the midst of a truly catastrophic cyber event, I have never seen anyone consult an incident response plan. Sometimes this is simply because the incident response plan — like the rest of the network — is encrypted and locked away as part of the spoils of the ransom. Often, though, this is just the nature of the emergency: there is no time to review the plan or convene the alleged response team.

My advice is to make certain that — no matter what incident response plan is in place — your organization knows who it will call first in an incident. The incident response plan cannot reflect the fantasy but rather the reality of your organization. Do you have a CEO who is hands-on? In that case, the incident response plan needs to reflect that they will be part of the incident response team. A hands-on CEO is not going to stand down when her organization is under extreme threat.

What is most important is that the team knows that the chain of command is altered during an event and knows to follow the new command lines. Lawyers are in the room to take command and guide the organization through the murky pre-liability space. If anyone other than in-house or outside counsel leads the incident response, the entirety of the investigation could be exposed. This is because the attorney-client privilege is the only true means of confidentiality in an incident. Often, sophisticated technology counsel needs to lead the investigation because having a Luddite lawyer attempt to learn the meaning of acronyms like SIEM or VM on the fly is not conducive to a quick response time.

2. Logging Is Never Where It Needs to Be
Some of the first words out of my mouth during a cyber incident are to ask whether there are logs. This is not idle curiosity. This is because I have learned the hard way that unless log preservation is the primary focus in the first few minutes of an incident, those logs can be lost.

Not only that, but the decision to skimp on log aggregators in the budget often leads to massive headaches during an incident. Why? Because as a lawyer, I rely on technical forensic experts to utilize logging to lay out where a threat actor may have been and where that threat actor may have acquired personal identifying information to sell on the Dark Web or to use for their own malicious purposes.

3. Network Maps and IT Asset Inventories Can Make or Break a Recovery
Up-to-date network maps and IT asset inventories are among the most critical pieces of information during a ransomware response. In the middle of an incident, your organization is inviting in what are essentially strangers in the form of forensics teams and sometimes law enforcement. These experts are attempting to rapidly respond to your event to "clear" the scene of the crime to say that it is safe to remediate and come back online. If you have a complicated IT landscape across multiple locations, having an immediate understanding of the lay of the land is critical. Understanding where threats could be living and what needs to be restored comes down to understanding the assets in play at any given time.

In the calm before an incident, focus on what matters most: (1) developing up-to-date maps and inventories; (2) developing logging strategies that can capture lateral movement across your environment; and (3) worrying less about the incident response plan and more about having a team that understands the chain of command.