Cyber Tactics / Cyber Security News / Columns

5 Common Mistakes in Cyber Incident Response

Network intrusions have become a fact of corporate life, and increasingly are viewed as among the many costs of doing business.

Network intrusions have become a fact of corporate life, and increasingly are viewed as among the many costs of doing business. How damaging a breach is depends upon a number of factors including what assets are at stake and how quickly the breach is detected, contained, and remediated. Here are some common mistakes that companies make when learning of and responding to computer intrusions, all of which you can prevent.

Avoidable Delays.  With the average cost of a data breach placed at $3.5 million, you would expect companies to focus on continuous threat detection and rapid response.  Unfortunately, there still are long and costly delays in detecting intrusions, assessing the extent of the compromise and engaging the right level of assistance to remediate the problem. In particular, there is a tendency to rely upon outdated technologies to detect a breach, followed by a tendency to rely upon insufficient internal personnel resources to simultaneously run a business while eradicating malware, expelling hackers and fulfilling legal obligations. Whether it’s a call to outside legal counsel, a computer incident response firm, a public relations/crisis management company, or all three, potential engagements should be pre-arranged with contracts signed and ready to go, costing your company nothing unless and until you use them, but allowing for quick deployment.

Communicating With the Bad Guys.Many companies that have been breached still use their internal systems to communicate about the incident. Whether it’s documenting a company’s incident response efforts and findings, or emailing others to enlist their help, using compromised systems typically is a bad idea. After all, unless and until the hackers are removed, they very well could be reading those communications.  Consider instead using your mobile phone to make calls and to get and receive emails using accounts not associated with your corporation. To the extent all-employee emails relating to an incident are required, such as to change passwords, consider phrasing them as routine IT requests until you are confident the hackers are out.

Pulling the Plug.The instinct of many people upon seeing a hacker on their system is, quite literally, to pull the computer plug straight out of the wall. Removing the power from a computer not only results in lost volatile memory, much of which can be critical to a forensic investigation (and should be imaged), but also may lead the intruder to establish other points of entry. To the extent action must be taken immediately to isolate key assets, it is better to consider limiting remote connectivity or perhaps taking some systems offline. For those systems that continue to allow external network access, it is important to closely monitor Internet egress points to identify hacker activity in outbound network traffic. 

Lost Logs.When it comes to effective incident detection, containment and remediation, the value of log files (of which there are many types) cannot be overstated. For companies that are vigilant enough to have had essential logging enabled across the enterprise, it is still necessary to have a valid way to retain and preserve that information. Hackers attempt to cover their tracks by deleting or modifying evidence of their crimes, making it important to employ techniques such as duplicating logs, limiting access to logs, having log files append rather than overwrite, establishing separate logging servers and using write-once media.

Moving On Like Nothing Happened.Whether hackers are stopped at the perimeter or removed after a successful intrusion, it is important to re-examine significant events, capture lessons learned, and revise incident response processes as appropriate. It also is helpful to gather real-world examples experienced by your company when conducting workforce training. Surprisingly, few companies include actual events when conducting information security training, deferring instead entirely to sterile off-the-shelf materials. That’s a lost opportunity.  

Be Prepared.When it comes to the seeming inevitability of a network security incident, the Boy Scout’s motto – be prepared – is particularly appropriate. Get your resources in place in advance of an incident, and enlist expert assistance quickly when needed. 


About the Columnist: Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, network security penetration testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at You can follow him on Twitter @StevenChabinsky.  

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Steven Chabinsky

You must login or register in order to post a comment.



Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.


Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

Security magazine February 2015 issue cover

2015 February

In the February 2015 issue of Security Magazine, see what other companies have learned from the massive data breach and what they are doing in the now and in the future. Also, what could adding thermal cameras to your operation do for you? and Mohegan Sun at Pocono Downs prepares for the future with security decisions.
Table Of Contents Subscribe

Tougher Cybersecurity Legislation

On January 20, President Barack Obama called for tougher cybersecurity legislation in his 2015 State of the Union address. Which of the following points do you feel is most needed today?
View Results Poll Archive


Effective Security Management, 5th Edition.jpg
Effective Security Management, 5th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.


Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.