What’s an Incident Response Plan, Again?
A company is never able to predict when or by what means it may be targeted in a cyberattack, but it can prepare a robust response plan in the event of a breach. That response – contingent on the team, corporate processes and the technology that supports them – will ultimately determine whether a company ends up on the front page of The New York Times next to Equifax with its clients’ information on the Dark Web.
The following scenario provides a look behind the curtain at a company that has just learned that its cybersecurity has been compromised as a result of a targeted malware attack. The real-world dialogue showcases the consequences of not having a well-prepared incident response plan and the chaos that ensues when trying to protect the company while coordinating with various support agencies, which leaves the business vulnerable and results in a disastrous reputational hit.
Cybersecurity Consultant: IT, I got your text to call you ASAP. What’s up?
IT: Thanks for calling so soon, Mike; we’ve detected anomalous traffic indicating a cybersecurity incident. We found that a workstation was compromised with malware, and subsequently a large amount of data was leaked to an unknown system. What do we do?
Cybersecurity Consultant: I’m glad you texted me. We need to initiate your incident response (IR) plan immediately.
IT: Ugh, IR plan? Oh yes, yes. I remember we created something. Let me dig it out and send it to you.
Cybersecurity Consultant: Ok… Try to send that to me as soon as possible.
[One hour passes. IT calls Mike.]
IT: Mike, I just sent you the plan.
Cybersecurity Consultant: I have it up in front of me. First question, have you ever tested this plan through a tabletop exercise?
IT: No… We couldn’t get the budget approved. We haven’t tested it yet.
Cybersecurity Consultant: Alright, next question: have you isolated the machine?
IT: Not yet, but we will.
Cybersecurity Consultant: Have you looked at the logs?
IT: What logs?
Cybersecurity Consultant: Your SIEM (security information and event management) logs.
IT: Oh right, right. Our MSSP (managed security service provider) has those. What exactly am I looking for?
Cybersecurity Consultant: You want to make sure your MSSP is reviewing the logs for any current additional anomalous traffic, specifically to international hosts; we want to make sure this thing isn’t spreading.
IT: Ok, hold on a second, let me get them on the line, and then call you back.
[30 minutes pass]
IT: Mike, we were able to verify that no other workstations were affected.
Cybersecurity Consultant: Ok, have you isolated that machine yet?
IT: Not yet, we’re still working on it. It’s our VP of Sales’ machine, and we’re working on building him a new one right now.
Cybersecurity Consultant: Do you have a Forensics firm you work with?
IT: No, why? Oh, hold on, I just got an email, we’ve shut down that machine, and the VP of Sales is now up and running on a new workstation.
Cybersecurity Consultant: Great. Back to your IR plan, which includes communication and reporting. Do you guys have that under control?
IT: Communications and reporting? Ugh, to whom? Our customers?
Cybersecurity Consultant: And potentially the PCI Security Standards Council, employees; you know, all of the stuff we referenced in the plan.
IT: Dang; ok, we need to get Legal and Corporate Communications on the line, and maybe even our CFO.
Cybersecurity Consultant: Don’t forget your COO; she’s also part of the IR plan.
IT: Oh right, right; the plan.
Cybersecurity Consultant: I’m ready to join the conference bridge.
IT: What conference bridge?
Cybersecurity Consultant: You know, the conference bridge that’s specified in your plan. We need to get all of the players on the line so we’re all on the same page.
IT: Oh, um, ok. I guess I’ll set that up.
Cybersecurity Consultant: Yes, immediately.
[Conference bridge is now live. Attendees: Cybersecurity Consultant, IT, COO, CFO, Legal, Corporate Communications]
IT: Team, we’ve experienced a cybersecurity breach, and this call is to initiate our IR plan. I’ve brought in Mike, Head of Security at our Cybersecurity Firm, to help guide and walk us through our IR plan.
CFO: What’s an IR Plan?
IT: You know, our Incident Response plan.
CFO: Incident Response?
IT: Again, we’ve had a cybersecurity breach.
Corporate Communications: Wait a minute, we’ve had a breach? What does that mean? Do we have to tell our customers?
Legal: Do we have to report this to any regulatory bodies or the FBI?
COO: Woah, woah, woah, is this going to affect business? We can’t stop operations.
IT: The machine with the malware was our VP of Sales’ workstation; we’ve moved him onto another machine so we should be good, operationally.
COO: Great. So why do we need to be here? I’ve got work to do.
Cybersecurity Consultant: We need to know what data has been breached, before you can make decisions about your communication and next steps.
IT: According to our plan, we need to engage a Forensics firm with our MSSP.
COO: A Forensics firm? Why do we need a Forensics firm? That sounds a little drastic. Are we just wasting money here?
IT: They’ll identify the evidence we need to determine what we say and to whom.
CFO: Well, how much is that going to cost?
IT: I spoke to a couple of different firms, but we never got the green light for the retainer.
CFO: What about cyber insurance? I went to a conference a while ago; doesn’t that insurance cover and pay for something like this?
COO: I got a quote from an insurance carrier a while back, but we never went ahead with purchasing the policy.
Cybersecurity Consultant: Alright IT, next steps, I’ll send you some names of Forensics firms we recommend.
IT: Thanks. I’ll get on reaching out to them right away.
[Team disperses while IT speaks to Forensics firm. Two hours pass…]
IT: I’ve spoken with the Forensics firm; because we didn’t have them on retainer, they can’t come in for another 3-4 weeks, unless we want to pay their emergency rate of $1,000/hour.
CFO: Absolutely not, we’ll need to wait. That cyber insurance would’ve come in handy.
Corporate Communications: Legal, I don’t think we should communicate anything externally just yet. Do you agree?
Legal: Ugh, sure. I don’t even know what we’d say at this point. I might need to call that law firm that specializes in cyber breaches to get their recommendation. I’ll have to dig around for their contact info; it’s been a while.
[Four weeks later. The forensics firm has concluded their investigation.]
IT: Team, after working with the Forensics firm, they discovered that customer account information was part of the data set that leaked.
Corporate Communications: What do you mean “part of” the data set?
IT: Good news, bad news. When we isolated the problem, we took the machine offline to ensure the malware wouldn’t spread, but my team reimaged the machine before preserving it, which means we lost the ability for Forensics to conclusively determine if the customer account information was the only data that left the firm.
COO: In English, please. So what does that mean? Do we need to send something to our customers?
Corporate Communications: I’d recommend against sending anything. It’s been over a month now since the breach happened, and we still can’t conclusively state what information was really leaked.
Legal: I’m not sure that’s the right call. It was customer account information that was leaked.
CFO: Should we at least change the account numbers?
COO: Yes, probably.
Corporate Communications: How do we initiate an account change without telling our customers why?
Three weeks later, The New York Times reports that the company’s customer account information, including email addresses and phone numbers, has surfaced on the Dark Web.
No company is immune to cybersecurity risk – regardless of size, profile or value. This dialogue lays bare the risks companies open themselves up to with poor governance and cyber hygiene. Without a robust IR plan that’s withstood regular tabletop exercises, companies may severely compound the damage of a cyberattack. Indeed, mishandling the response or being otherwise ill-prepared can turn a minor data breach into a catastrophic event for a company’s reputation and its business.
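The consultant’s first technical ask in the dialogue is that the MSSP check the SIEM logs for additional anomalous outbound traffic, especially to international hosts, to confirm the compromise is not spreading. The script below is an added illustration of that triage step, not code from the original article or from any MSSP: it runs over a constructed CSV sample of outbound proxy records (the host names, IP addresses, the placeholder country code `XX` and the thresholds are all assumptions) and flags any other workstation that talked to the same unexpected destinations as the compromised machine, or that pushed a bulk volume of data to a country the company does not normally send traffic to.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of outbound proxy/firewall records (not real traffic):
# timestamp, source host, destination IP, destination country, bytes sent.
# "XX" is a placeholder country code for "somewhere unexpected".
SAMPLE_LOG = """\
ts,src_host,dst_ip,dst_country,bytes_out
2024-01-10T09:01:00,ws-sales-vp,203.0.113.45,XX,52000000
2024-01-10T09:02:00,ws-sales-vp,198.51.100.7,US,1200
2024-01-10T09:05:00,ws-finance-02,203.0.113.45,XX,4100
2024-01-10T09:07:00,ws-hr-01,198.51.100.9,US,900
2024-01-10T09:09:00,ws-eng-14,192.0.2.200,XX,75000000
"""

# Countries where this hypothetical company expects outbound traffic (assumed).
EXPECTED_COUNTRIES = {"US"}
# Bytes in a single flow above which we treat it as a possible bulk leak (assumed).
BULK_THRESHOLD = 10_000_000

def parse_log(text):
    """Parse the CSV log into dicts, converting bytes_out to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["bytes_out"] = int(r["bytes_out"])
    return rows

def triage(rows, compromised_host):
    """Return other hosts that warrant follow-up, as {host: sorted reasons}.

    A host is flagged if it contacted a destination in an unexpected country
    that the compromised host also used, or if it sent a bulk volume to an
    unexpected country on its own.
    """
    suspect_dsts = {r["dst_ip"] for r in rows
                    if r["src_host"] == compromised_host
                    and r["dst_country"] not in EXPECTED_COUNTRIES}
    findings = defaultdict(set)
    for r in rows:
        if r["src_host"] == compromised_host:
            continue
        if r["dst_ip"] in suspect_dsts:
            findings[r["src_host"]].add(
                f"contacted {r['dst_ip']} (same destination as {compromised_host})")
        if r["dst_country"] not in EXPECTED_COUNTRIES and r["bytes_out"] >= BULK_THRESHOLD:
            findings[r["src_host"]].add(f"sent {r['bytes_out']} bytes to {r['dst_country']}")
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in triage(parse_log(SAMPLE_LOG), "ws-sales-vp").items():
        print(host, "->", "; ".join(reasons))
```

On the sample, the finance workstation is flagged for sharing a destination with the compromised machine and the engineering workstation for its own bulk transfer, while the HR machine is left alone; a real run would feed the SIEM export in place of the constructed CSV.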