You know the scenario. You’ve played it over in your head. You get a call from the FBI saying that your sensitive data is being leaked, or a ransomware note is flashing on a screen, or you receive a common point of purchase letter from a credit card company informing you that your company is suspected to be the source of an attack on cardholders. As the saying goes, “it’s not if, but when an attack will happen.”
Even for those companies that have invested in tools, information security experts, and threat intelligence, there’s no way to prevent all attacks all of the time. A similar notion applies to incident response. You can have a detailed incident response plan, a crack team of responders identified, and highly reputable third-party service providers, but you may not be as prepared as you think.
I’ve had more than a decade of experience in digital forensics and incident response, and have led more than one hundred large scale data breach investigations. I know the mistakes the almost-prepared make. Below are a few of the most common and ways to avoid them.
Mistake #1: You have an outside law firm on retainer, but not an incident responder.
This might sound self-serving, but it’s actually a practical matter all businesses must consider. There aren’t many incident responders with sufficient experience and global reach. Those firms that do have the capabilities you need are in high demand, especially during massive attacks like WannaCry and NotPetya. Put your first choice incident response team on retainer with a service-level agreement defining a clear response time. This way, when you need help, you won’t be last in line to get it. Plus, even if your outside counsel has an existing relationship with an incident responder, there is still a contract to be written, read, and signed before the incident responder can act. Analyzing legal language is not what anyone wants to be doing right after discovering an intruder in their system.
Mistake #2: You have backups, but haven’t tested them.
Backing up data on a regular basis is the number one way to outsmart a ransomware attack. The prepared know this. But if you don’t test the backups, they may not work, and ransomware can still take your business down. Testing means actually restoring: if you have cloud backups, the download and restore times may be far longer than you expect, so time them rather than assuming. In targeted attacks with deep malware infection, you will need to restore complete operating system images, not just files, so time full-system restores as well and confirm they fit within your recovery time objective. One caveat: backups that are reachable with the same credentials or network paths as production can be encrypted right alongside it, so keep at least one copy offline or otherwise immutable and include it in the restore test.
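A restore drill is the check this section asks for, so here is an added example of one (not from the original article): a POSIX shell script that backs up a directory with tar, restores it to a scratch location, verifies every file against a checksum manifest taken before the backup, and reports wall-clock restore time. The fixture data is constructed for the example, and the function names are the example’s own; it assumes tar, gzip and sha256sum are available, as on most Linux hosts.

```shell
#!/bin/sh
# Backup restore drill (example code, not the article's). Exit status is
# non-zero when the restored tree differs from what was backed up, so it
# can run from cron and page someone when a backup silently goes bad.
set -eu

# make_fixture DIR: constructed sample data standing in for production files.
make_fixture() {
    mkdir -p "$1/db" "$1/etc"
    printf 'id,name\n1,alice\n2,bob\n' > "$1/db/customers.csv"
    printf 'listen=443\n' > "$1/etc/app.conf"
    head -c 65536 /dev/urandom > "$1/db/blob.bin"
}

# checksum_tree DIR: stable manifest of "sha256  ./relative/path" for every file.
checksum_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done )
}

# backup_dir SRC ARCHIVE: the backup step (compressed tar of the whole tree).
backup_dir() {
    tar -C "$1" -czf "$2" .
}

# restore_and_verify ARCHIVE MANIFEST DEST: restore, print the elapsed seconds,
# and return 0 only if the restored tree matches the pre-backup manifest.
# A truncated or corrupted archive makes tar fail and the manifests differ.
restore_and_verify() {
    archive=$1; manifest=$2; dest=$3
    mkdir -p "$dest"
    start=$(date +%s)
    tar -C "$dest" -xzf "$archive" || echo "tar reported errors during restore"
    end=$(date +%s)
    echo "restore_seconds=$((end - start))"
    checksum_tree "$dest" | diff -q "$manifest" - >/dev/null
}

# run_drill: end-to-end exercise in a temporary directory; PASS/FAIL on stdout.
run_drill() {
    work=$(mktemp -d)
    make_fixture "$work/src"
    checksum_tree "$work/src" > "$work/manifest.txt"
    backup_dir "$work/src" "$work/backup.tgz"
    if restore_and_verify "$work/backup.tgz" "$work/manifest.txt" "$work/restore"; then
        echo "PASS: restored data matches manifest"; rc=0
    else
        echo "FAIL: restored data differs from manifest"; rc=1
    fi
    rm -rf "$work"
    return $rc
}
```

Point the same functions at a real backup archive and a manifest taken at backup time and the printed restore_seconds is the number to compare against your recovery time objective; for cloud backups, run it from the network location you would actually restore to, since the download is usually the slow part.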
Mistake #3: You have an incident response plan, but you plan to immediately rebuild infected systems.
Wiping and rebuilding machines is a natural gut reaction to learning that a machine is infected. But if you wipe the disk to get rid of the malware, you also wipe the evidence, and if you later need forensic experts to investigate, they will have nothing to work with. Volatile evidence, such as active connections to attacker IP addresses, running processes and files open on the operating system, is lost the moment the machine is powered off, even if the disk is kept. The safer plan is to isolate the host on the network rather than shut it down, capture the volatile state and a memory image first, then image the disk, and only then rebuild the compromised system.
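To show what “preserve the data needed” looks like in practice, here is an added example (not from the original article) of a small live-triage collector in POSIX shell. It captures the most volatile state first, network sockets and processes, then open files, logins and mounts, records any tool that is missing instead of aborting, and seals the collection with a sha256 manifest so later tampering can be detected. The function names are the example’s own, it assumes Linux command-line tools (ss, ps, lsof, ip, sha256sum), and it must run as root to see other users’ sockets and files; a memory image still needs a dedicated tool and is out of scope here.

```shell
#!/bin/sh
# Live triage collector (example code, not the article's). Run before
# isolating or powering off a suspect host; output goes to OUTDIR.
set -u

# run_step OUTDIR NAME CMD...: run one collector into OUTDIR/NAME.txt.
# A missing tool or a failing command is logged, not fatal, because a
# partial collection is worth far more than none.
run_step() {
    out=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out/$name.txt" 2> "$out/$name.err" \
            || echo "$name: '$1' exited non-zero" >> "$out/collection.log"
    else
        echo "$name: tool '$1' not found, skipped" >> "$out/collection.log"
    fi
}

# collect_volatile OUTDIR: order of volatility, most fleeting data first.
collect_volatile() {
    out=$1
    mkdir -p "$out"
    : > "$out/collection.log"
    date -u +%Y-%m-%dT%H:%M:%SZ > "$out/started_at.txt"
    run_step "$out" host        uname -a
    run_step "$out" sockets     ss -tanp        # connections, incl. attacker IPs
    run_step "$out" sockets_alt netstat -tanp   # fallback on hosts without ss
    run_step "$out" processes   ps -ef
    run_step "$out" open_files  lsof -nP
    run_step "$out" logins      who
    run_step "$out" arp_cache   ip neigh
    run_step "$out" mounts      mount
    date -u +%Y-%m-%dT%H:%M:%SZ > "$out/finished_at.txt"
}

# seal_collection OUTDIR: write a sha256 manifest of everything collected and
# print the number of files sealed.
seal_collection() {
    out=$1
    ( cd "$out" && find . -type f ! -name manifest.sha256 | LC_ALL=C sort \
        | while read -r f; do sha256sum "$f"; done ) > "$out/manifest.sha256"
    wc -l < "$out/manifest.sha256" | tr -d ' '
}

# verify_seal OUTDIR: re-hash the collection; non-zero means something changed.
verify_seal() {
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1 )
}
```

Copy the sealed directory off the host (the manifest goes with it) before imaging, and keep the host’s clock and your own in the notes, since the timestamps are what ties the sockets list to the log evidence collected later.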
Mistake #4: You reviewed your cloud providers and other third parties for cybersecurity, but the contracts are missing details important to breach response.
Your third parties have top of the line security controls and, as far as you know, have never been the victim of a major breach. But it’s not only their security that matters. In the case of a breach, you may quickly need forensic images of your servers, log data, emails, and other assets stored remotely. The right to obtain forensic images, and how quickly they will be provided, should be written into your contracts and SLAs. This prevents “out of luck” scenarios like discovering mid-incident that the provider will not image a shared host at all. Likewise, turnaround time for data from third parties is critical during investigations, as is log retention: if the provider keeps access logs for thirty days and the intruder arrived sixty days ago, that evidence is gone no matter how fast they respond. You can’t make good decisions without knowing the facts, and if you don’t get to analyze data in time, you may make bad decisions and put your company and customers at risk.
Mistake #5: You have a multidisciplinary team on-call for breaches, but no chain of command.
It’s more common than you may think. Companies set up an internal multidisciplinary response team, which is best practice, but when I administer a table-top exercise and ask who is in charge, multiple parties often raise their hands. IT, security, legal: frequently everyone raises a hand, each thinking they are running the investigation. Name a single incident commander in the plan, with a deputy for when that person is unavailable, and practice the plan so the team knows how to work together and problems like having too many leaders are solved in advance rather than at 2 a.m.
Avoid these mistakes of the almost-prepared and your business will be less disrupted when a data breach happens. It’s true that even the most prepared companies can falter in the face of an attack, but preparation is the difference between a company that is ravaged by an attack and one that finds it a mere inconvenience. If you practice your response to the scenarios your organization can foresee, such as intellectual property theft, a credit card data breach, a healthcare data breach, a personally identifiable information (PII) breach, wire fraud, a ransomware incident or a hacktivist attack, you are likely to make good decisions at the 11th hour and reduce the risk for your company and your customers. Being ready for a breach and all of the chaos it threatens to unleash is the foundation of resilience.