The middle of a DDoS attack or ransomware infection is hardly the time to start talking about divisions of labor, or who should do what when.
Failing to plan, as we know from Zen masters and MBA lecturers, is planning for failure. So when things go off the tracks with networks, servers, or your data, you need to have a plan, even if it’s super-basic or seems gratuitous. Some back-of-the-envelope notes won’t do the trick, nor will trying to recall hazy remnants of conversation from that night you and a coworker discussed incident response over a couple beers.
The middle of a DDoS attack or ransomware infection is not the time to be talking about divisions of labor or who should do what, crisis communications experts remind us, and they’re right. Have an incident response plan, even if you don’t follow it to the letter, or are forced to improvise more pieces of it than you’d like. You can minimize the improvisation and come out the other side in better shape if your incident response plan incorporates many of these steps. You can also recover more quickly and get on with the business of serving customers and making money.
Test Your Plan Regularly
Great! You’ve got your incident response plan nailed down, now make sure you test it at least once a year. Mark Weatherford, chief cyber security strategist for security vendor vArmour, suggests working with an independent third party the first time you test so that the necessary elements and criteria are covered. The drill can last two hours or may require a full day. But by walking everyone through a specific scenario, people start to understand their own roles and identify any gaps in the plan. “Things never work like clockwork, but if you have a chain of command – and communications – it will help a lot,” Weatherford adds.
And check with your attorneys or legal department; depending on your industry sector or jurisdiction, the company may be subject to compliance laws that require you to test your readiness regularly.
Look Who’s Talking
Every solid incident-response plan must specify who is going to handle internal communications with management, staff and clients (quite possibly different people for each) as well as who will handle external communications with the media and investors. By being highly detailed about roles and responsibilities, organizations can minimize assumptions about who does what.
These communication assignments must also be widely disseminated so there’s less confusion in the middle of an incident and everyone has a document to refer to in the heat of the moment.
Determining Legal Exposure
The scope and scale of an incident aren’t always immediately evident; it can take 24 hours or more to determine exactly what happened, depending on the impact and type of incident. So company management will have to work closely with the legal department or retained counsel to determine whether the incident constitutes a regulatory issue, and whether the company is obliged to report it.
Making clear determinations about legal exposure was a lot easier 25 years ago, before a raft of corporate compliance laws were passed at county, state, federal and international levels. Financial services and healthcare companies operate under further compliance constraints, and for them these determinations aren’t always obvious. But getting the legal team all the information it needs should be a top priority in any incident-response plan.
Getting the Board On Board
Does the incident need to be reported? That’s the primary concern of an organization’s board of directors, says vArmour’s Mark Weatherford. And because incidents like this make directors nervous (risk exposure; trade secrets compromised; share price in jeopardy), it’s essential for the CEO to have clear answers and a strategy – which may or may not be possible in the first day or so after something transpires.
“The CEO is going to want to wait as long as possible to call the board, because board members tend to get very excited,” Weatherford explains. “Suddenly, there are 10 people asking questions instead of one, so having a plan on how to address the board is very important as well.”
Communicating with the board doesn’t need to be part of a generally circulated incident-response plan. Still, CEOs are going to want to fully think through their approach before jumping on that conference bridge.
Gather Forensics Data
Of course you want to find out exactly what happened, what’s been exposed (or held for ransom, or shut down), and just how egregious the exposure is. And every good investigator knows you don’t let the trail get cold, so IT forensics specialists stress the importance of gathering information on critical assets within the first 24 hours of the incident.
“Companies don’t always understand what their critical assets are, and that those assets can change over time,” vArmour’s Weatherford says. “Going back and doing that kind of forensics analysis sometimes takes time.”
‘CEO Gut Check’
Let’s say your forensics team comes back to say that the intruder is still active in your servers or databases. What does the chief executive do then?
Mark Weatherford of vArmour calls this the “CEO gut check.” Decision-makers can either throw the bad guys out, or let them remain while investigators figure out how deeply the intruders have penetrated and how bad the problem really is.
“If you pull up the drawbridge, you’ve no idea what they’ve infected. If you monitor it for a week, two weeks, or a month, you can see what’s been exposed and compromised,” Weatherford says. “But it’s hard to let somebody wander around your house and pretend they’re not there.”
And those in the “C” suite need to check their gut and see how much risk they can temporarily endure in the name of understanding more about the nature of the incident — and the perpetrators.
Friends In High Places
It’s good advice for any emergency: Have a list of key people and organizations you know you’ll need to contact and put them on speed dial – like your local FBI agent or the ISP that handles most of your bandwidth needs.
But that’s only half of the job. “You also need a personal relationship with those two contacts so that they’ll take your call when it comes in at 2 o’clock on a Saturday morning,” Weatherford laughs, but he’s not really kidding. If you’re in the middle of a DDoS attack, and you need the ISP to throttle the bandwidth, personal relationships can mean the difference between staying alive or having to pull the plug on the whole network. And nobody wants that.
No, don’t use a Xerox machine, even those fancy, cloud-based ones you may have heard so much about. Use real, automated, high-speed backups of your data – especially the most critical volumes. That way, you can avoid or at least minimize the impact of a breach, a leak or a hack and keep it from being a catastrophic blow to the business.
“We have recently seen ransomware that does not decrypt data but deletes it and companies who did not have a backup were devastated,” says Jeremiah Fowler with the MacKeeper Security Research Team. An offline backup of company data keeps you from putting all your eggs in one basket, he adds.
Given the exponential increase in ransomware, you might even consider pre-purchasing Bitcoin – the currency used to pay the ransoms demanded by this pernicious malware – so that your servers, desktops or smartphones aren’t tied up any longer than they need to be, advises Jeremiah Grossman, chief of security strategy for SentinelOne.
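A backup you have never checked against the original is only a hope, and the ransomware Fowler describes, which deletes rather than encrypts, is exactly the case where a quick comparison tells you what you have actually lost. The script below is an added example, not code from the article or from any of the people quoted in it: it records a SHA-256 manifest of a backup set (the kind of record you would keep on offline media alongside the backup) and later compares a live or restored tree against it, reporting files that are missing, modified or unexpected. The directory layout and file contents in `demo()` are constructed for illustration.

```python
"""Offline backup manifest check (added example, not from the article).

Record SHA-256 digests of a backup set in a manifest kept off the network,
then compare the live copy (or a restored copy) against it.  Files that
ransomware encrypted, renamed or deleted show up as modified, unexpected
or missing, so you know what the backup must supply before you restore.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large volumes never load whole into memory


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to size and digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            }
    return manifest


def verify(root: Path, manifest: dict) -> dict:
    """Compare the tree under root with a previously recorded manifest.

    Returns sorted lists of relative paths that are missing (in manifest,
    not on disk), modified (digest changed) or unexpected (on disk, not in
    manifest), plus a count of files that still match.
    """
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(
        p for p in set(manifest) & set(current)
        if current[p]["sha256"] != manifest[p]["sha256"]
    )
    ok = len(manifest) - len(missing) - len(modified)
    return {"missing": missing, "modified": modified,
            "unexpected": unexpected, "ok": ok}


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, then tamper with it like ransomware would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_bytes(b"date,amount\n2016-01-01,100\n")
        (root / "hr").mkdir()
        (root / "hr" / "payroll.xlsx").write_bytes(b"PK\x03\x04 constructed xlsx stand-in")
        (root / "README.txt").write_bytes(b"critical volume\n")

        # Round-trip through JSON: this is the form you would write to offline media.
        manifest = json.loads(json.dumps(build_manifest(root)))

        # Simulate an attack: one file encrypted and renamed, one overwritten
        # in place, one deleted outright.
        (root / "finance" / "ledger.csv").unlink()
        (root / "finance" / "ledger.csv.locked").write_bytes(os.urandom(48))
        (root / "hr" / "payroll.xlsx").write_bytes(b"garbage")
        (root / "README.txt").unlink()

        return verify(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the manifest step after each backup job and store the JSON with the offline copy; run `verify` against production when you suspect tampering, and against the restored tree before declaring recovery complete. Anything listed under `missing` or `modified` is what the backup has to make good, and `unexpected` entries (here the `.locked` file) are the attacker's leftovers, which you want to preserve for the forensics team rather than quietly overwrite.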
Keeping It All On Track
Purists will quibble that incident-response planning can easily tip over into business continuity, the discipline that ensures the business can still operate after some sort of incident, natural or man-made.
But in the event of a major technical incident, it’s fair to ask as part of incident response what the plans are for staying in business when the impact of the incident is far-reaching. Incident-response plans should specify alternate resources where the organization can shift its operations, whether it’s another data center, ISP or cloud provider, according to vArmour’s Weatherford. The more attention paid to contingencies, the faster everyone can rebound from an incident.