So, you're in charge of cyber security at your organization and you've prepared for the inevitable breach. You've practiced your processes, trained your team and your external support network. You feel you're as ready as you can be to respond to a cyber incident. And then it happens: Saturday night of the July long weekend, you're at the cottage, BBQ'ing with a cocktail in hand. At exactly the most inconvenient moment, your phone rings—it's IT support calling to advise you that a critical system has stopped responding and that further investigation has determined it was encrypted by ransomware!
Ok, maybe that kind of inconvenience sounds a little too convenient, a little too "on the nose," but what I've observed over the years is that the majority of incident response cases really do tend to occur at inconvenient times, like weekends or holidays. (Cyber breaches themselves are always inconvenient, of course, no matter when they happen and you find out about them.) In any case, now you're faced with putting the response plan in action.
So, what do you do?
Remember your training
The key to a coordinated response effort is to stick to the tried and true. Too often, I've seen organizations falter at the start of the response process, not following everything put in place for exactly this situation. All the plans and training that were exactingly detailed and rigorously practiced go out the window. Staff attempt to recover from the incident all on their own, reimaging systems and deleting valuable forensic artefacts that incident response professionals need to perform proper scoping, containment and root cause analysis. Only when they feel it's becoming too big to handle, and begin to realize the possible full extent of the breach, do they think to reach out to the support network you'd put in place. Slowly but surely, the plans are put in action, the appropriate internal and external resources are notified, and the support network is marshalled.
Executive/governance status meetings (several a day at the response's beginning) are scheduled. Business and technical leadership—together with external support stakeholders such as the breach coach and cyber insurance and incident response firms—discuss the approach and make decisions on how best to address the situation. 24/7 conference lines for technical and incident response teams are activated to coordinate the effort. And so on.
This is not a drill!
Suddenly, factors that might not have been fully apparent during the tabletop exercises you undertook are very real. The incident has brought the business to a grinding halt and the pressure to resume operations only rises the longer the forensic investigation takes. This can create additional pressure on the forensic teams to perform their investigation more rapidly than they should.
There are two reasons why business recovery pressures and the forensic investigation need to be balanced and coordinated. First, a rushed recovery must not compromise the forensic investigation itself, for example by wiping the very systems that hold the evidence. Second, restoring potentially compromised systems before they have been cleared carries the risk of letting the attacker back into the environment.
What, meanwhile, is the forensic investigation seeking to accomplish? To answer the three open questions of any cyber incident:
1. Is the attacker still in the environment?
2. Have they taken any confidential data and, if so, what?
3. How did this happen?
Trust the process
The hard truth is this: there will always be pressures from different stakeholders during an incident response that cannot truly be rehearsed or prepared for, even under the best of circumstances. Business wants to resume operations as quickly as possible. Legal stakeholders want answers on the possibility and the extent of compromised personally identifiable information so they can notify privacy regulators appropriately.
For everyone to get what they want, all involved parties must remember to rely on the protocols and procedures established before the incident. Not only will this help manage unanticipated pressures and unforeseen curve balls, it's the only way the organization can fully contain the breach and properly manage and recover from it.