As individuals, some people are good at improvisation, that is, dealing with things as they come and creating the best outcome for it. But, organizations in the midst of an incident are notoriously terrible at improvising. There is no better example than Equifax, whose initial response was fraught with missteps. First, it downplayed the breach and delayed notifying consumers. When it finally did notify, Equifax set up a website for consumers to check their breach status, but it did so on a separate domain. Not only was this website on a unknown and questionable domain, but it was, at times, inaccessible and inaccurate. Midway through the public relations period, Equifax’s own twitter account directed consumers to a URL created to mock the company. And when all the experts were telling people to freeze their credit, Equifax continued to steer users to their paid monitoring service instead, offering one year free if users waived rights to sue for the breach. They messed up from an IT perspective and a public relations perspective. Now the courts will decide how much they messed up from a legal perspective. The consequence was that the CSO, CIO, and CEO lost their jobs, not to mention being hauled in front of Congress. And Equifax is not alone. Uber, Yahoo, Sony and others mismanaged their responses as well.
While breaches are becoming the new normal, botched responses need not be. Equifax was simply unprepared to deal with an incident. “Practice makes perfect”, but perfection is not the goal. Competency is. So what can we do in order to develop competency with incident response?
First, anticipate potential scenarios, or threats. Focus on the highest probability threat and the threat with the greatest impact. While this needs to be evaluated for each organization individually, an easy place to start is at ransomware and data breach. These are the two most prolific attacks reported and both generally result in a significant impact to businesses, large and small.
Second, identify roles and responsibilities for the response. Incident Response is not an issue isolated to IT (one of the reasons why, at LEO, we refer to it as Cyber Crisis Management). An incident can generate from anywhere in the organization, and while IT will be involved with technical investigation and remediation, there is a point at which the incident escalates into an organization problem. At this point, executives, lawyers, and public relations staff need to be involved. Having different perspectives is critical to effective planning and response.
Do not assume that just because someone’s job title aligns to an incident response role, that he/she is the best person to fill that role. Managers may not be a good fit, especially if they cannot dedicate the time to planning and practice. Think creatively about who really is the best person to fulfill the role. Also, because people have varying schedules, consider designating and training up multiple candidates for each role.
The next step is to document processes and procedures involved in the incident scenario. Treat this similar to a formal project with project management principles. Research any requirements (compliance or other) such as notification deadlines and include them in documentation. We’ve already talked about the Roles (Resourcing Plan), but there is also Schedule, Critical Success factors, Stakeholders, Procurement (third party vendors), and most importantly the Communication Plan.
Communication will be one of the most important pieces of the Incident Response to ensure that everyone is on the same page, actions are assigned and executed, and information is both shared and properly protected. Communication is difficult in a non-stressful environment, and only gets amplified during a charged response scenario. Ensure that you have communication tools and expectations ready. And that communication is consistent across the whole response.
Third parties will be a necessary part of any incident response. Whether law enforcement, CIRT, CERT, outside counsel, forensic investigation, or any other external entity, it will be best to build relationships with, and document your partners prior to needing their services. Think of it as the difference between asking a friend or a stranger for a favor. Who is going to be more helpful?
While there are many more details that could and should be included, the most important part of the incident response plan is practice. Practice is not a lecture or a written quiz on the incident response document. Practice is an engaging and immersive exercise that tests the incident response plan for effectiveness and trains the incident response team to their responsibilities. As all skills require a crawl, walk, run methodology, so should incident response. Here, we can borrow methods from Hollywood. Start with a read-through of the script (incident response plan), build relationships with team members, and work all the way up to a dress rehearsal. If you can properly run through the response rehearsal, you will have a much better chance of success in an actual incident, even if it is not exactly what you have prepared for (it probably will not be).
LEO Cyber Security has developed a cyber crisis management program around the aforementioned elements, using as a framework, NASA mission control principles. Please reach out with any questions or for help in preparing your organization for an incident.