You’ve been attacked. Now what?
By Justin Harvey, CSO of Fidelis
You’re damned if you do and you’re damned if you don’t. That’s the view some companies take when deciding when, to whom and how to announce a breach. Talk to customers and the press early and you may be commended for the early warning. But talk too early, without enough information, and you could end up owning up to a breach that sounds far larger than it really was, only adding fuel to the flames. Some would argue that this is what happened to TalkTalk. Rather than affecting all of its four million customers, its data breach was much smaller than first thought, affecting 28,000 obscured credit and debit card details (with the middle six digits removed) and 15,000 customer dates of birth.
Not talking enough, however, can be considered an even worse sin. In these instances, customers are left completely unaware that their data could have been harvested and used to defraud them. What’s more, incident response is not just about communication: there are some major IT, legal and investigatory issues that need to be addressed.
Responding to a data breach incident requires careful orchestration. You have to assemble a cross-functional response team, conduct forensic analysis, control communications, implement timely containment and aggressively expel the attacker from your network. At the same time you need to incorporate advice and guidance from outside legal counsel and law enforcement, intelligence from regulators and provisos from insurance providers.
We regularly work with large organisations that are attacked by an advanced persistent threat actor and believe there are five critical steps enterprises must take in the first 48 hours after a breach, to minimise both the reputational and financial damage. As always, speed is of the essence throughout all these steps.
1 – Engage outside legal counsel skilled in cybersecurity incidents. Having legal counsel enables an outside consultant to operate under lawyer-client privilege, which protects internal communications and accelerates a company’s ability to resolve the incident. Some incident response teams also serve as cybersecurity advisors to legal counsel at executive and board meetings.
2 – Involve the police at the very start of the investigation. In a recent incident response case we dealt with in the US, the FBI reciprocated by providing potentially related artefacts, which originated at other organisations, so the company could search for them during the investigation. Although we didn’t find any of the artefacts in our client’s environment, the spirit of information sharing was helpful. Our client, in turn, shared all of the artefacts from its investigation with the FBI.
3 – Alert industry regulators and perform disclosures to comply with multiple regulatory obligations. To offset the negative news, companies should directly notify customers, employees and the police about the breach and the status of the remediation actions that are underway.
4 – Develop a communication strategy. The incident response team should hire outside crisis communications agencies to craft messaging to defuse speculation and control the spread of inaccurate news. Team leaders should direct internal and external legal experts to review all communications related to the incident, mobilise the communications team to handle internal communications, and engage an external crisis-communication firm to compose messages that carry the proper tone and minimise potential misunderstandings.
5 – Notify the insurance provider. Once it’s been determined that data was actually stolen, the organisation should begin a discussion about insurance coverage to determine what costs would or would not be covered.
There is no doubt that experiencing a cyber attack is disruptive, and this is why the response needs to be carefully thought out and planned. Responding correctly to a serious security incident requires a strong partnership between the incident response team and its outside forensic and legal experts. Inside the organisation, you’ll need key incident response staff, line-of-business managers, C-suite executives and board directors, so that you have the right balance between decision makers, those who implement the decisions, and the technical expertise needed to resolve the issue. Getting the right people involved and understanding the best way to use them efficiently is essential to properly investigate and resolve the event, while managing the costs and minimising the impact on the business.
During an incident that we were responding to, we performed a focused and thorough forensic analysis and developed an aggressive remediation plan. The incident response team was able to remove the attackers from the network within 36 hours. The expulsion event eradicated the attacker’s tools, cut off their ability to re-enter the network, and minimised the risk of retaliation.
The first 48 hours of responding to an incident are critical. The following stages are often a slower process, more concerned with the detail. Organisations need to analyse and properly understand the attack, how it happened and ways to prevent it in the future. The legal fallout may go on for years as those whose data has been compromised seek compensation. It’s essential that a communication plan is developed and executed to restore customer faith in the company. Let’s not forget that the company also needs to keep an eye on the industry and the competition to ensure that the data breach doesn’t hold it back in terms of innovation or market strategy. The initial survival strategy following a data breach is only the start; running a successful, profitable business post-attack is the mark of a business that was well prepared to begin with.