Dark Reading is part of the Informa Tech Division of Informa PLC

6/17/2021 10:00 AM
Mission Critical: What Really Matters in a Cybersecurity Incident

The things you do before and during a cybersecurity incident can make or break the success of your response.

As a lawyer who figuratively parachutes into dozens of catastrophic cybersecurity incidents a year, I've learned what is truly mission critical during a cybersecurity incident. Having led cyber-emergency responses across industries, enterprise platforms, and threat vectors, I see the same themes arise whether an organization is small or large. Here is what I've learned:


1. The Incident Response Plan Is Important as a Discussion Point Pre-Incident but Rarely Consulted During an Event
Incident response plans are important tools for driving an organization's strategy before an incident. Tabletop exercises, where hypothetical breaches are discussed, help an organization get past the novelty of navigating a cyber catastrophe. But in the midst of a truly catastrophic cyber event, I have never seen anyone consult an incident response plan. Sometimes this is simply because the plan, like the rest of the network, has been encrypted by the ransomware and is locked away with the rest of the attacker's leverage; that alone is a reason to keep an offline or printed copy with current contact details. More often, though, this is just the nature of the emergency: there is no time to review the plan or convene the alleged response team.

My advice is to make certain that, no matter what incident response plan is in place, your organization knows who it will call first in an incident. The plan must reflect the reality of your organization, not a fantasy. Do you have a CEO who is hands-on? In that case, the incident response plan needs to reflect that they will be part of the incident response team. A hands-on CEO is not going to stand down when her organization is under extreme threat.

What is most important is that the team knows the chain of command is altered during an event and follows the new command lines. Lawyers are in the room to take command and guide the organization through the murky pre-liability space. If anyone other than in-house or outside counsel leads the incident response, the entire investigation, including the forensic findings, could become discoverable in later litigation or regulatory proceedings. This is because the attorney-client privilege is the only true means of confidentiality in an incident. Often, technically sophisticated counsel needs to lead the investigation, because having a Luddite lawyer learn the meaning of acronyms like SIEM or VM on the fly is not conducive to a quick response.

2. Logging Is Never Where It Needs to Be
Some of the first words out of my mouth during a cyber incident are to ask whether there are logs. This is not idle curiosity. I have learned the hard way that unless log preservation is the primary focus in the first few minutes of an incident, those logs can be lost: devices overwrite them when they roll over, ransomware operators delete them, and reimaging or rebuilding a system destroys whatever evidence it still held.

Not only that, but the decision to skimp on centralized log collection (a SIEM or log aggregator) and on retention often leads to massive headaches during an incident. Why? Because as a lawyer, I rely on technical forensic experts to use those logs to lay out where a threat actor has been and where that threat actor may have acquired personally identifiable information to sell on the Dark Web or to use for their own malicious purposes.
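What "logging that captures lateral movement" looks like in practice, as an added example that is not part of the original article: the script below assumes a log aggregator has already collected Windows Security event 4624 (successful logon) records from every host and normalized them into timestamp, target host, account, logon type and source IP. It flags an account that reaches several distinct hosts over network or RDP logons within a short window, which is the pattern a forensic team reconstructs after the fact, and it includes a simple preservation check: whether the oldest retained event even predates the suspected initial compromise. The sample events, host names, account names and IP addresses are constructed for illustration.

```python
"""Lateral-movement detection over centrally collected Windows logon events.

Added example, not from the original article. Assumes a log aggregator has
normalized Windows Security event 4624 (successful logon) into records with
timestamp, target host, account, logon type and source IP. The sample events,
hosts, accounts and addresses below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that indicate a remote session, the kind an attacker uses to hop
# between hosts: 3 = network (SMB, PsExec, WMI), 10 = RemoteInteractive (RDP).
LATERAL_LOGON_TYPES = {3, 10}

# Constructed sample: a service account fans out from one workstation to four
# servers in a few minutes; a normal user touches two servers hours apart.
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T02:03:11", "host": "WS-017", "account": "CORP\\jdoe", "logon_type": 2, "src_ip": "-"},
    {"ts": "2021-06-01T02:14:05", "host": "FS-01", "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.5.17"},
    {"ts": "2021-06-01T02:15:40", "host": "DC-01", "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.5.17"},
    {"ts": "2021-06-01T02:16:02", "host": "SQL-02", "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.5.17"},
    {"ts": "2021-06-01T02:17:55", "host": "APP-03", "account": "CORP\\svc_backup", "logon_type": 10, "src_ip": "10.0.5.17"},
    {"ts": "2021-06-01T09:30:00", "host": "FS-01", "account": "CORP\\asmith", "logon_type": 3, "src_ip": "10.0.5.22"},
    {"ts": "2021-06-01T13:30:00", "host": "APP-03", "account": "CORP\\asmith", "logon_type": 3, "src_ip": "10.0.5.22"},
]


def parse_ts(value):
    """Timestamps are ISO 8601 strings as a SIEM would export them."""
    return datetime.fromisoformat(value)


def find_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {(account, src_ip): set_of_hosts} for every actor that reached at
    least min_hosts distinct hosts via network/RDP logons inside any sliding
    time window of length `window`. Thresholds are illustrative assumptions."""
    by_actor = defaultdict(list)
    for e in events:
        if e["logon_type"] in LATERAL_LOGON_TYPES:
            by_actor[(e["account"], e["src_ip"])].append((parse_ts(e["ts"]), e["host"]))

    hits = {}
    for actor, seq in by_actor.items():
        seq.sort()  # chronological order per (account, source IP)
        start = 0
        for end in range(len(seq)):
            # Slide the window start forward until it fits inside `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            hosts = {host for _, host in seq[start:end + 1]}
            if len(hosts) >= min_hosts:
                # Union across windows so a long burst reports every host touched.
                hits.setdefault(actor, set()).update(hosts)
    return hits


def retention_gap(events, suspected_compromise):
    """Preservation check: how much of the intrusion timeline is already gone.

    Returns None when the oldest retained event predates the suspected initial
    compromise (the logs reach back far enough), otherwise the timedelta
    between the suspected compromise and the oldest event still available."""
    if not events:
        return None
    oldest = min(parse_ts(e["ts"]) for e in events)
    if suspected_compromise >= oldest:
        return None
    return oldest - suspected_compromise


if __name__ == "__main__":
    for (account, src_ip), hosts in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"lateral movement: {account} from {src_ip} -> {sorted(hosts)}")
    gap = retention_gap(SAMPLE_EVENTS, datetime(2021, 5, 28))
    print("retention gap:", gap if gap else "none, logs cover the suspected timeline")
```

The detection keys on (account, source IP) rather than account alone, because a legitimate administrator and an attacker reusing that administrator's credentials usually differ in where they come from. The retention check is the part to run before an incident: if the oldest event you can still read is more recent than the dwell times ransomware crews typically have, the forensic team will be reconstructing the timeline from guesswork.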

3. Network Maps and IT Asset Inventories Can Make or Break a Recovery
Up-to-date network maps and IT asset inventories are among the most critical pieces of information during a ransomware response. In the middle of an incident, your organization is inviting in what are essentially strangers, in the form of forensics teams and sometimes law enforcement. These experts are trying to respond rapidly and "clear" the scene of the crime, that is, to say it is safe to remediate and come back online. If you have a complicated IT landscape across multiple locations, having an immediate understanding of the lay of the land is critical. Knowing where threats could be living and what needs to be restored comes down to knowing the assets in play at any given time.

In the calm before an incident, focus on what matters most: (1) developing up-to-date maps and inventories; (2) developing logging strategies that can capture lateral movement across your environment; and (3) worrying less about the incident response plan and more about having a team that understands the chain of command.

Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ...