Cyber Tactics / Cyber Security News / Columns

5 Common Mistakes in Cyber Incident Response

Network intrusions have become a fact of corporate life, and increasingly are viewed as among the many costs of doing business.

Network intrusions have become a fact of corporate life, and increasingly are viewed as among the many costs of doing business. How damaging a breach is depends upon a number of factors including what assets are at stake and how quickly the breach is detected, contained, and remediated. Here are some common mistakes that companies make when learning of and responding to computer intrusions, all of which you can prevent.

Avoidable Delays.  With the average cost of a data breach placed at $3.5 million, you would expect companies to focus on continuous threat detection and rapid response.  Unfortunately, there still are long and costly delays in detecting intrusions, assessing the extent of the compromise and engaging the right level of assistance to remediate the problem. In particular, there is a tendency to rely upon outdated technologies to detect a breach, followed by a tendency to rely upon insufficient internal personnel resources to simultaneously run a business while eradicating malware, expelling hackers and fulfilling legal obligations. Whether it’s a call to outside legal counsel, a computer incident response firm, a public relations/crisis management company, or all three, potential engagements should be pre-arranged with contracts signed and ready to go, costing your company nothing unless and until you use them, but allowing for quick deployment.

Communicating With the Bad Guys.Many companies that have been breached still use their internal systems to communicate about the incident. Whether it’s documenting a company’s incident response efforts and findings, or emailing others to enlist their help, using compromised systems typically is a bad idea. After all, unless and until the hackers are removed, they very well could be reading those communications.  Consider instead using your mobile phone to make calls and to get and receive emails using accounts not associated with your corporation. To the extent all-employee emails relating to an incident are required, such as to change passwords, consider phrasing them as routine IT requests until you are confident the hackers are out.

Pulling the Plug.The instinct of many people upon seeing a hacker on their system is, quite literally, to pull the computer plug straight out of the wall. Removing the power from a computer not only results in lost volatile memory, much of which can be critical to a forensic investigation (and should be imaged), but also may lead the intruder to establish other points of entry. To the extent action must be taken immediately to isolate key assets, it is better to consider limiting remote connectivity or perhaps taking some systems offline. For those systems that continue to allow external network access, it is important to closely monitor Internet egress points to identify hacker activity in outbound network traffic. 

Lost Logs.When it comes to effective incident detection, containment and remediation, the value of log files (of which there are many types) cannot be overstated. For companies that are vigilant enough to have had essential logging enabled across the enterprise, it is still necessary to have a valid way to retain and preserve that information. Hackers attempt to cover their tracks by deleting or modifying evidence of their crimes, making it important to employ techniques such as duplicating logs, limiting access to logs, having log files append rather than overwrite, establishing separate logging servers and using write-once media.

Moving On Like Nothing Happened.Whether hackers are stopped at the perimeter or removed after a successful intrusion, it is important to re-examine significant events, capture lessons learned, and revise incident response processes as appropriate. It also is helpful to gather real-world examples experienced by your company when conducting workforce training. Surprisingly, few companies include actual events when conducting information security training, deferring instead entirely to sterile off-the-shelf materials. That’s a lost opportunity.  

Be Prepared.When it comes to the seeming inevitability of a network security incident, the Boy Scout’s motto – be prepared – is particularly appropriate. Get your resources in place in advance of an incident, and enlist expert assistance quickly when needed. 

 

About the Columnist: Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, network security penetration testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at steve.chabinsky@crowdstrike.com. You can follow him on Twitter @StevenChabinsky.  

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Steven Chabinsky

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+