
Risk

4/17/2019
05:25 PM

Tips for the Aftermath of a Cyberattack

Incident response demands technical expertise, but you can't fully recover without non-IT experts.

Incident response teams need technical skills from security experts who can analyze and contain cyber threats. They also demand strategic and communications skills from employees who aren't as tech-savvy but equally essential to getting the business back up and running.

"When you think about incident response and the parties involved … those who truly speak cybersecurity, really and truly speak cybersecurity, are in the minority," said Matt Barrett, CyberESI's chief operating officer, during a panel discussion at the Incident Response and Recovery: Reducing Uncertainty and Looking Beyond IT event hosted today by the National Cybersecurity Alliance (NCSA) and NASDAQ in New York City.

In the aftermath of a security incident, many departments that need to rebuild are unrelated to IT and consequently overlooked. Technical concerns about containing threats and preventing data leakage often trump the role of communications experts, legal teams, law enforcement, and HR – all of which should be involved with developing and practicing an incident response plan.

Communication can be a difficult hurdle not only between the business and its partners and customers, but also among the many experts sitting around the response table.

"Having a soft-skilled person at the table is critical," said Lisa Plaggemier, chief evangelist at InfoSec and member of the NCSA's board of directors. She calls these employees "a secret weapon" which many CISOs don't realize they have. Consider security training and awareness managers: they can translate technical concepts between security analysts and executives, letting engineers focus on their jobs instead of conveying executive updates to the board.


As for external communications, it's important to equip all of your employees – not just the PR and communications experts – with guidance for what they should say. "I think it's important not to overlook the role employees play in crisis communications," said Plaggemier, who said all employees across the organization should be informed on how to respond to inquiries.

"It's not just what you're going to say, but who you're going to say it to, and in what order of priority," she continued. For example, sales teams may be given different guidance than IT employees. Your workers will talk about the incident, and you want to prevent rumors. "I'm an advocate for arming employees with information as quickly as you can."

Practice Makes Progress

Panelists urged the audience to practice response plans, and practice often. "The number one thing is to have a playbook and rehearse the playbook," said Tim Vidas, senior distinguished engineer in Dell SecureWorks' Office of the CTO. In a real incident, "people may not be aware of what the plans and procedures are … emotions run high."

Beuchelt explained how at LogMeIn, the team simulates different incidents to test different response tactics. "It's important to build muscle around technical response capabilities," he noted. It's also important to mirror those technical response capabilities with a communications response plan that includes social media and public relations strategies, he said.

The company chose to include general counsel and senior HR leadership in rehearsal. "It was really an eye opener for them … the impact will be fundamental," he said. These days, LogMeIn is testing out a new "escape the room" practice game with executive leadership. Participants have to solve puzzles: who broke the rules and who was the insider who spilled the beans.

You'll want to choose scenarios carefully when practicing response plans, added Plaggemier. You don't want to cause panic, but you do want to put employees in a situation that could realistically happen. When a tabletop scenario is too easy, participants often walk away with a false sense of security. Further, she said, every response exercise should conclude with an honest post-mortem: be truthful about what went well and what should improve.

"No matter how many times you practice it, you're always going to learn something new," she said.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Ilan_Abadi,
User Rank: Author
4/21/2019 | 12:41:12 PM
Management Responsibility

I have enjoyed reading this article, and it just confirms my opinion that cyber events can't be managed by the CISO. Cyber-attacks these days impact almost all layers of the business and need to be managed by the BCM (Business Continuity Management) team. This team can have another name depending on the business, but most of the time it is run by a senior executive management member. The CISO team has an important and critical role in blocking and containing the attack, but it goes further, and the recovery process can take days, months and beyond. The real message also should be that the board and executive management need to take responsibility for overall cyber risk, including "back to normal", and then we can go for drills, r&r in a major cyber event.

 

REISEN1955,
User Rank: Ninja
4/18/2019 | 1:18:04 PM
Re: Public relations scenario
I wrote this for humor, but one helluva lot of it comes out of Experian and consulting such as City of Atlanta last year and general knowledge of IBM and Wipro. Parts of this little diatribe are very, very true. This is how many firms manage a breach, either in sum total or in parts. While funny, it is also mostly real world, so smile, laugh, but then think a bit. How would YOUR firm respond?
REISEN1955,
User Rank: Ninja
4/18/2019 | 10:29:01 AM
Public relations scenario
First week - we suffered a minor breach and we are investigating.

Second week - we have experts and contracted consultants investigating at minimal cost.

Third week - we have fired the consultants due to cost and have internal staff reviewing.

Fourth week - we have fired internal staff and hired Wipro.

Fifth week - we fired Wipro.

  Day 2 of fifth week - we hired IBM to investigate.

  Day 3 of fifth week - we fired IBM and hired ex-FBI agents to investigate.

Sixth week - Our initial survey indicated that minimal loss of customer data exists.

Seventh week - FBI agents report significant amounts of customer data are being sold on the dark web.

Eighth week - we offer free credit monitoring service.

Ninth week - CIO and CISO have been fired.  CEO to testify before Congress.

Tenth week - shareholders demand firing of CEO.

Eleventh week - CEO fired and replaced with H1-B Visa candidate from Tata.

All is well.