5 Big Incident Response Mistakes

Failing to have a formal incident response plan is just one of the mistakes organizations make.

Organizations that suffer major security incidents can end up spending tens and even hundreds of millions of dollars in remediation costs, fines, damages, and other expenses. Many suffer considerable brand damage as well.

While the initial breach itself tends to draw the most attention, how an organization responds to the incident shapes the eventual scope and damage of the attack. This is where being prepared for a breach can help, according to security analysts. Organizations with a formal incident response plan and process in place generally are better able to contain resulting costs and damage.

A Ponemon report last year showed that companies worldwide that had an incident response team spent about $12.60 less per record on average on response and mitigation costs compared to those that did not have one.

Not having a formal plan and being unprepared are just two of the mistakes that organizations make. Here are some of the others:

1. Responding before understanding the full scope of the breach.

Modern attacks are not quite as noisy and random in nature as attacks of the past. They are a lot more targeted, stealthy, and persistent. Companies sometimes may be more deeply compromised than an initial analysis might suggest, says Wade Woolwine, director of global services at Rapid7.

“Victims often think that once they’ve found a backdoor, they’ve identified all ingress methods used by the attackers,” he says. The reality in many cases is that organizations fail to effectively investigate endpoints and other systems to derive reliable indicators of compromise and to use those IOCs to properly scope the incident across the enterprise, Woolwine says.

Not properly understanding scope is a huge problem, says Ben Johnson, chief security strategist at Bit9 + Carbon Black. “An organization may have found patient 0, or maybe it has actually found patient 20,” Johnson says. “If it’s patient 20, there will be a lot of machines to clean up. Understanding how big or small an incident is will be critical to proper response and recovery.”

2. Not communicating effectively.

The manner in which an organization communicates breach details to stakeholders is vital. Disclosing too many details without proper vetting is almost as bad as releasing nothing at all, especially in incidents involving loss of personal data. Organizations need to have a formal post-breach communication plan in place beforehand, rather than scrambling to figure out what to say publicly in the middle of a breach.

“Putting out a claim that only X number of records were accessed or saying that everything has been cleaned up when, in reality, you don’t know the full scope of the impact, or the incident is still being eradicated,” is inadvisable, Johnson says. “It is a dangerous path to navigate and puts a bigger target on the company’s back.”

If the information released turns out to be incomplete or incorrect, it also suggests a sloppy investigation, or that your organization does not have a proper handle on the situation.

3. Not getting legal involved early.

Data breaches can have legal consequences. Many organizations that have suffered data breaches in recent times have been hit with big lawsuits from victims claiming a lack of due diligence in protecting their data, loss of privacy, financial losses, and other issues. So it’s vital to get your legal team involved, or to get legal help, as soon as possible once you’ve discovered a breach.

“Legal does not often move at the speed of security and definitely not at the speed of attackers,” concedes Johnson.

But that’s no reason for not getting them involved quickly anyway, he says. “Legal should be responsible for coordinating with outside parties to avoid information leakage or disclosure to other parties.”

Disclose information only under legal advice, and only when there are enough relevant facts around what happened, how, and whom it affected, he says.

4. Tipping your hand.

Playing “whack-a-mole” with an attacker is the best way to drive them deeper into your network, says Woolwine. When investigating a data breach, it is vital not to tip your hand to the attacker.

A knee-jerk reaction to an attack in many cases, for instance, is to immediately shut down affected systems. “For an attacker, this is an immediate indication that they’ve been made,” Woolwine says. “[This] usually results in the attacker establishing other methods of ingress and disappearing off the victim’s detection radar” entirely, he says.

It’s only when you have fully scoped the breach and have a clear idea of the ingress points, the nature of the intrusion, attack tools, and tactics, that you should start shutting it down.

5. Using an improperly staffed response team.

Not all breaches are the same. A denial of service attack, for instance, is very different from a malware infection. A network intrusion by an external threat actor is different from one carried out by a trusted insider with privileged access to enterprise systems and data. So it is important to assemble the right team and have the right skills and resources in place when initiating an incident response.

Using the wrong people to investigate the breach is a mistake that organizations can often make, Woolwine says.

“Identifying the right technical expertise to investigate the breach is critical,” he says. Having inexperienced IT specialists who dabble in incident investigation, or selecting a third party without the credentials to respond to an enterprise breach, can have major consequences, he says.

In addition to the right technical staff, an IR team should ideally also include representatives from legal, communications, HR, and other enterprise functions.

Ultimately though, the key to mounting a good response is planning and preparation, Woolwine says.

“Making sure that you have the technology, processes, and expertise at the ready to help your organization deal with the breach will help streamline the various breach response processes,” he says. It should “remove some of the firefighting stigma associated with responding to breaches.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Apprentice
2/19/2016 | 4:27:08 AM
2016 should be the year of Incident Response
During the last few months, I have read a lot of articles about Incident Response and it seems it will be the buzzword this year.

For sure, these 5 tips are a great starting point to advance from a protect and detect view to a protect/detect/respond view. FMPOV, this is the only way to fight properly against cyberattacks.
User Rank: Apprentice
2/14/2016 | 9:12:34 AM
Great tips
Great tips to reduce the possibility of an inefficient incident response plan.

I just want to add that having a good response protocol against incidents, categorizing and identifying possible response processes by information asset, is very effective.