When a successful attack against your organization occurs, the required intervention must be both human and technological. The great irony of IT security is that, despite your best efforts, some form of successful attack is likely to happen at some point, no matter what you do. After all, defenders have to be right every time, whereas attackers only need to be right once. To further complicate matters, it might not be immediately clear when the actual penetration has taken place.
It can come in the form of a successful phishing attack, a lockdown from ransomware, the work of someone with little expertise other than how to work a specialized kit, or an advanced persistent threat. After the initial compromise, the attackers will be looking to extend their access to other devices on the network, wage privilege escalations in order to extract more data, and generally move through your infrastructure until they find the specific targets that they seek. Once this is done, they may cover their tracks and withdraw, or more likely they will try to maintain a presence on your network that can facilitate future attacks. Bear in mind that data can be intercepted while in transit or stolen while at rest.
While it makes sense to do everything possible to fend off these attacks and prevent them from happening, it is equally important to assure you have the infrastructure and plans in place to detect the breach, notify the necessary people, and collect all the information required to track the breach, close the exposure, and prevent it from ever happening again. Many experts suggest the best tactic is to delay the attacker long enough for the security teams to discover the incursion (or attempted incursion) and resolve the issue before damage is done, or until it can at least be minimized.
This is essentially a team approach that transcends your technologists and engages business-level roles, as well. This team should include your Trusted Advisor and a managed security services provider, if one has been commissioned. It may also include your communications team.
“Many times, we assume that the most important component to the response to an incident is the technical component, which is let’s get the systems and operations back up and running and let’s get the impact minimized,” said Leo Taddeo from Cyxtera, a secure infrastructure company with 57 data centers. “I’ve always believed that the technical aspects of incident response are not as important as the communications aspects. If you look at what really harms a company after a cyber breach, it’s not they’ve lost data or a server. What they have lost is trust, and that trust is lost when communications are not concise, clear, and open. So, when you form a task force for incident response, the most important person in the room is the one responsible for outward communications, meaning what are we going to tell our customers and partners? What are we going to tell the government? The government reaction is much more severe when the government suspects the company is withholding information improperly, and thereby putting other people at risk.”
Taddeo, who previously ran the FBI’s largest cyber-investigative unit out of New York, said that since most executives are trained to protect the enterprise from litigation and loss of reputation, they often translate that objection to severely limiting public information. But breaches and related issues can rarely be kept under wraps for very long. Sometimes employees may speak too much about what they know. Other times the attackers themselves may discuss their exploits, perhaps on the dark web. All this leads to speculation, some of which might be wildly untrue, yet equally damaging to the company.
Dealing with a cyberattack requires more than great technology. It requires a great team.