Tips for the Aftermath of a Cyberattack

Incident response demands technical expertise, but you can't fully recover without non-IT experts.

Incident response teams need technical skills from security experts who can analyze and contain cyber threats. They also demand strategic and communications skills from employees who aren't as tech-savvy but are equally essential to getting the business back up and running.

"When you think about incident response and the parties involved … those who truly speak cybersecurity, really and truly speak cybersecurity, are in the minority," said Matt Barrett, CyberESI's chief operating officer, during a panel discussion at the Incident Response and Recovery: Reducing Uncertainty and Looking Beyond IT event hosted today by the National Cybersecurity Alliance (NCSA) and NASDAQ in New York City.

In the aftermath of a security incident, many departments that need to rebuild are unrelated to IT and consequently overlooked. Technical concerns about containing threats and preventing data leakage often trump the role of communications experts, legal teams, law enforcement, and HR – all of which should be involved with developing and practicing an incident response plan.

Communication can be a difficult hurdle not only between the business and its partners and customers, but also among the many experts sitting around the response table.

"Having a soft-skilled person at the table is critical," said Lisa Plaggemier, chief evangelist at InfoSec and member of the NCSA's board of directors. She calls these employees "a secret weapon" which many CISOs don't realize they have. Consider security training and awareness managers: they can translate technical concepts between security analysts and executives, letting engineers focus on their jobs instead of conveying executive updates to the board.

As for external communications, it's important to equip all of your employees – not just the PR and communications experts – with guidance for what they should say. "I think it's important not to overlook the role employees play in crisis communications," said Plaggemier, who said all employees across the organization should be informed on how to respond to inquiries.

"It's not just what you're going to say, but who you're going to say it to, and in what order of priority," she continued. For example, sales teams may be given different guidance than IT employees. Your workers will talk about the incident, and you want to prevent rumors. "I'm an advocate for arming employees with information as quickly as you can."

Practice Makes Progress

Panelists urged the audience to practice response plans, and practice often. "The number one thing is to have a playbook and rehearse the playbook," said Tim Vidas, senior distinguished engineer in Dell SecureWorks' Office of the CTO. In a real incident, "people may not be aware of what the plans and procedures are … emotions run high."

Beuchelt explained how at LogMeIn, the team simulates different incidents to test different response tactics. "It's important to build muscle around technical response capabilities," he noted. It's also important to mirror those technical response capabilities with a communications response plan that packs social media and public relations strategies, he said.

The company chose to include general counsel and senior HR leadership in rehearsal. "It was really an eye opener for them … the impact will be fundamental," he said. These days, LogMeIn is testing out a new "escape the room" practice game with executive leadership. Participants have to solve puzzles: who broke the rules and who was the insider who spilled the beans.

You'll want to choose scenarios carefully when practicing response plans, added Plaggemier. You don't want to cause panic, but you do want to put employees in a situation that could realistically happen. When a tabletop scenario is too easy, participants often walk away with a false sense of security. Further, she said, every response exercise should conclude with an honest post-mortem: be truthful about what went well and what should improve.

"No matter how many times you practice it, you're always going to learn something new," she said.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

User Rank: Author
4/21/2019 | 12:41:12 PM
Management Responsibility

I have enjoyed reading this article, and it just makes my opinion that cyber-events can't be managed by the CISO. Cyber-attacks these days impact almost all layers of the business and need to be managed by the BCM (Business Continuity Management) team. This team can have another name depending on the business, but most of the time this team is run by a senior executive management member. The CISO team has an important and critical role in blocking and containing the attack, but it goes further, and the recovery process can take days, months and beyond. The real message should also be that the board and executive management need to take responsibility for overall cyber risk, including "back to normal," and then we can go for drills, R&R in a major cyber event.


User Rank: Ninja
4/18/2019 | 1:18:04 PM
Re: Public relations scenario
I wrote this for humor but one helluva lot of it comes out of Experian and consulting such as City of Atlanta last year and general knowledge of IBM and Wipro.  Parts of this little diatribe are very very true.  This is how many firms manage a breach either in sum total or in parts.  While funny it is also mostly real world so smile, laugh but then think a bit.  How would YOUR firm respond? 
User Rank: Ninja
4/18/2019 | 10:29:01 AM
Public relations scenario
First week - we suffered a minor breach and we are investigating.

Second week - we have experts and contracted consultants investigating at minimal cost.

Third week - we have fired the consultants due to cost and have internal staff reviewing.

Fourth week - we have fired internal staff and hired Wipro.

Fifth week - we fired Wipro

  Day 2 of Fifth week - we hired IBM to investigate.

  Day 3 of fifth week - we fired IBM and hired ex-FBI agents to investigate.

Sixth week - Our initial survey indicated that minimal loss of customer data exists.

Seventh week - FBI agents report significant amounts of customer data are being sold on the dark web.

Eighth week - we offer free credit monitoring service.

Ninth week - CIO and CISO have been fired.  CEO to testify before Congress.

Tenth week - shareholders demand firing of CEO

Eleventh week - CEO fired and replaced with H1-B Visa candidate from Tata.

All is well