5 Common Mistakes in Cyber Incident Response
Network intrusions have become a fact of corporate life, and increasingly are viewed as among the many costs of doing business.
Network intrusions have become a fact of corporate life, and increasingly are viewed as among the many costs of doing business. How damaging a breach is depends upon a number of factors including what assets are at stake and how quickly the breach is detected, contained, and remediated. Here are some common mistakes that companies make when learning of and responding to computer intrusions, all of which you can prevent.
Avoidable Delays. With the average cost of a data breach placed at $3.5 million, you would expect companies to focus on continuous threat detection and rapid response. Unfortunately, there still are long and costly delays in detecting intrusions, assessing the extent of the compromise and engaging the right level of assistance to remediate the problem. In particular, there is a tendency to rely upon outdated technologies to detect a breach, followed by a tendency to rely upon insufficient internal personnel resources to simultaneously run a business while eradicating malware, expelling hackers and fulfilling legal obligations. Whether it’s a call to outside legal counsel, a computer incident response firm, a public relations/crisis management company, or all three, potential engagements should be pre-arranged with contracts signed and ready to go, costing your company nothing unless and until you use them, but allowing for quick deployment.
Communicating With the Bad Guys.Many companies that have been breached still use their internal systems to communicate about the incident. Whether it’s documenting a company’s incident response efforts and findings, or emailing others to enlist their help, using compromised systems typically is a bad idea. After all, unless and until the hackers are removed, they very well could be reading those communications. Consider instead using your mobile phone to make calls and to get and receive emails using accounts not associated with your corporation. To the extent all-employee emails relating to an incident are required, such as to change passwords, consider phrasing them as routine IT requests until you are confident the hackers are out.
Pulling the Plug.The instinct of many people upon seeing a hacker on their system is, quite literally, to pull the computer plug straight out of the wall. Removing the power from a computer not only results in lost volatile memory, much of which can be critical to a forensic investigation (and should be imaged), but also may lead the intruder to establish other points of entry. To the extent action must be taken immediately to isolate key assets, it is better to consider limiting remote connectivity or perhaps taking some systems offline. For those systems that continue to allow external network access, it is important to closely monitor Internet egress points to identify hacker activity in outbound network traffic.
Lost Logs.When it comes to effective incident detection, containment and remediation, the value of log files (of which there are many types) cannot be overstated. For companies that are vigilant enough to have had essential logging enabled across the enterprise, it is still necessary to have a valid way to retain and preserve that information. Hackers attempt to cover their tracks by deleting or modifying evidence of their crimes, making it important to employ techniques such as duplicating logs, limiting access to logs, having log files append rather than overwrite, establishing separate logging servers and using write-once media.
Moving On Like Nothing Happened.Whether hackers are stopped at the perimeter or removed after a successful intrusion, it is important to re-examine significant events, capture lessons learned, and revise incident response processes as appropriate. It also is helpful to gather real-world examples experienced by your company when conducting workforce training. Surprisingly, few companies include actual events when conducting information security training, deferring instead entirely to sterile off-the-shelf materials. That’s a lost opportunity.
Be Prepared.When it comes to the seeming inevitability of a network security incident, the Boy Scout’s motto – be prepared – is particularly appropriate. Get your resources in place in advance of an incident, and enlist expert assistance quickly when needed.
About the Columnist: Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm that specializes in continuous threat monitoring, intelligence reporting, network security penetration testing, assessments and incident response. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. He can be reached at firstname.lastname@example.org. You can follow him on Twitter @StevenChabinsky.