
4/17/2019
05:25 PM

Tips for the Aftermath of a Cyberattack

Incident response demands technical expertise, but you can't fully recover without non-IT experts.

Incident response teams need technical skills from security experts who can analyze and contain cyber threats. They also demand strategic and communications skills from employees who aren't as tech-savvy but are equally essential to getting the business back up and running.

"When you think about incident response and the parties involved … those who truly speak cybersecurity, really and truly speak cybersecurity, are in the minority," said Matt Barrett, CyberESI's chief operating officer, during a panel discussion at the Incident Response and Recovery: Reducing Uncertainty and Looking Beyond IT event hosted today by the National Cybersecurity Alliance (NCSA) and NASDAQ in New York City.

In the aftermath of a security incident, many departments that need to rebuild are unrelated to IT and consequently overlooked. Technical concerns about containing threats and preventing data leakage often trump the role of communications experts, legal teams, law enforcement, and HR – all of which should be involved with developing and practicing an incident response plan.

Communication can be a difficult hurdle not only between the business and its partners and customers, but also among the many experts sitting around the response table.

"Having a soft-skilled person at the table is critical," said Lisa Plaggemier, chief evangelist at InfoSec and member of the NCSA's board of directors. She calls these employees "a secret weapon" which many CISOs don't realize they have. Consider security training and awareness managers: they can translate technical concepts between security analysts and executives, letting engineers focus on their jobs instead of conveying executive updates to the board.

As for external communications, it's important to equip all of your employees – not just the PR and communications experts – with guidance for what they should say. "I think it's important not to overlook the role employees play in crisis communications," said Plaggemier, who said all employees across the organization should be informed on how to respond to inquiries.

"It's not just what you're going to say, but who you're going to say it to, and in what order of priority," she continued. For example, sales teams may be given different guidance than IT employees. Your workers will talk about the incident, and you want to prevent rumors. "I'm an advocate for arming employees with information as quickly as you can."

Practice Makes Progress

Panelists urged the audience to practice response plans, and practice often. "The number one thing is to have a playbook and rehearse the playbook," said Tim Vidas, senior distinguished engineer in Dell SecureWorks' Office of the CTO. In a real incident, "people may not be aware of what the plans and procedures are … emotions run high."

Beuchelt explained how at LogMeIn, the team simulates different incidents to test different response tactics. "It's important to build muscle around technical response capabilities," he noted. It's also important to mirror those technical response capabilities with a communications response plan that packs social media and public relations strategies, he said.

The company chose to include general counsel and senior HR leadership in rehearsal. "It was really an eye opener for them … the impact will be fundamental," he said. These days, LogMeIn is testing out a new "escape the room" practice game with executive leadership. Participants have to solve puzzles: who broke the rules and who was the insider who spilled the beans.

You'll want to choose scenarios carefully when practicing response plans, added Plaggemier. You don't want to cause panic, but you do want to put employees in a situation that could realistically happen. When a tabletop scenario is too easy, participants often walk away with a false sense of security. Further, she said, every response exercise should conclude with an honest post-mortem: be truthful about what went well and what should improve.

"No matter how many times you practice it, you're always going to learn something new," she said.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
 

Comments
Ilan_Abadi, User Rank: Author
4/21/2019 | 12:41:12 PM
Management Responsibility

I enjoyed reading this article, and it just reinforces my opinion that cyber events can't be managed by the CISO. Cyber-attacks these days impact almost all layers of the business and need to be managed by the BCM (Business Continuity Management) team. This team can have another name depending on the business, but most of the time it is run by a senior executive management member. The CISO team has an important and critical role in blocking and containing the attack, but it goes further, and the recovery process can take days, months and beyond. The real message should also be that the board and executive management need to take responsibility for overall cyber risk, including "back to normal," and then we can go for drills and R&R in a major cyber event.

 

REISEN1955, User Rank: Ninja
4/18/2019 | 1:18:04 PM
Re: Public relations scenario
I wrote this for humor but one helluva lot of it comes out of Experian and consulting such as City of Atlanta last year and general knowledge of IBM and Wipro.  Parts of this little diatribe are very very true.  This is how many firms manage a breach either in sum total or in parts.  While funny it is also mostly real world so smile, laugh but then think a bit.  How would YOUR firm respond? 
REISEN1955, User Rank: Ninja
4/18/2019 | 10:29:01 AM
Public relations scenario
First week - we suffered a minor breach and we are investigating.

Second week - we have experts and contracted consultants investigating at minimal cost.

Third week - we have fired the consultants due to cost and have internal staff reviewing.

Fourth week - we have fired internal staff and hired Wipro.

Fifth week - we fired Wipro

  Day 2 of Fifth week - we hired IBM to investigate.

  Day 3 of fifth week - we fired IBM and hired ex-FBI agents to investigate.

Sixth week - Our initial survey indicated that minimal loss of customer data exists.

Seventh week - FBI agents report significant amounts of customer data are being sold on the dark web.

Eighth week - we offer free credit monitoring service.

Ninth week - CIO and CISO have been fired.  CEO to testify before Congress.

Tenth week - shareholders demand firing of CEO

Eleventh week - CEO fired and replaced with H1-B Visa candidate from Tata.

All is well