RISING NEED FOR STRONGER CYBER RESPONSE
No matter how big or small, every enterprise faces the daunting task of defending itself against increasingly brazen, well-funded, and capable cyber threat actors. There is no underestimating the difficult situation most enterprises find themselves in. Enterprises cannot afford to delude themselves about the current situation — protecting against the soaring threat of cybercrime has never been more critical. Discounting cybercrime is not just negligent; it’s dangerous.
If the past few years have confirmed anything, it is this: there is now no escaping the risk of cybercrime. There is no shortage of high-profile examples. Recently, Colonial Pipeline Company — which carries 45% of the East Coast’s (USA) supply of diesel, petrol, and jet fuel — was forced to pay nearly $5 million in ransom after hackers unleashed a strain of ransomware that debilitated its computer network. The high-stakes hack sent shivers down the spine of many nations, businesses, and civilians.
Leading CISOs have long acknowledged that debilitating cyber attacks are inevitable and applied a balanced approach to cybersecurity, carefully investing in defensive and rapid response capabilities. In this blog, we outline detailed cyber incident response measures to prepare you for the inevitable.
CURRENT BUSINESS CHALLENGES
If there is one thing that frustrates CISO efforts to fortify cyber response measures, it is this: Executives that constantly discount inevitable cyber threats, treat cybersecurity as a necessary evil, and barely show up at cyber crisis response exercises. This leads to squabbles during an actual incident, miscommunication, and abdication of leadership responsibilities. Consequently, brand equity suffers irreparable damage, and the CISO loses credibility. In our experience and interviews with peers, a further three significant challenges commonly hinder cyber incident and management response. These include:
- As threat actors sharpen their weapons, it’s increasingly harder to detect highly evasive malicious programs that can sneak through aged perimeter defences and exploit crown jewels for extended periods. As CISOs struggle to get budgets approved, threat actors are reinventing billions from their illicit activities. Unsurprisingly, a report by IBM found that the average time to detect and contain a data breach is 280 days.
- Building cybersecurity monitoring and response capabilities in-house instead of outsourcing these advanced capabilities to organizations equipped to deliver advanced monitoring capabilities at scale. This is often a terrible miscalculation from small to medium-sized corporations lacking the financial and human resources to rapidly build world-class security operations centres.
- Poor visibility into one’s digital ecosystem. Logs from critical systems, such as authentication systems or software-as-a-service platforms, are often overlooked. Security monitoring projects are often prematurely signed off before integration with some critical infrastructure or new systems are deployed and never configured to ship logs to the SOC. This leaves critical blind spots across the digital ecosystem.
Leading CISOs strike the right balance between investing in defensive and response capabilities by carefully crafting a detailed plan that covers cyber incident prevention, identification, assessment, and containment. To do this, the CISO must assemble a multi-disciplinary Cyber Incident Response Team (CIRT), led by a Cyber Incident Response Manager, with sufficient authority to invoke appropriate mitigations without delay in the result of a cybersecurity incident. The CIRT assesses, contains, and responds to cyber incident breaches above a specific threshold.
The CIRT is also tasked with evaluating the severity of the incident, business impacts, legal ramifications, reporting obligations, and taking drastic actions such as disconnecting critical systems from the network.
While the CISO remains an integral part of a cyber crisis response team, high stake cyber crises must be led by very senior business officers. Ideally, the Chief Executive Officer (CEO) should assume this vital role. However, it can be any other senior business officer with the authority to make big decisions, such as the CEO’s chief of staff, an experienced public relations hand, or an assistant general counsel.
CYBER INCIDENT PREVENTION
The CISO must conduct a detailed assessment of the environment to ensure adequate controls are in place to prevent high-impact incidents from occurring. The CISO’s primary responsibility is to reduce the enterprise’s exposure to high-impact and highly plausible cyber attack scenarios. First and foremost, doing this requires fortifying the enterprise’s defences to reduce the probability of threat actors reaching crown jewels. Here are our top 8 recommendations:
CRITICAL PREVENTABLE CONTROLS
- Tighten control over privileged access — use a commercial password vault solution to protect passwords for privileged accounts in all your high-value applications and critical information technology (IT) infrastructure. Hardening these proverbial “keys to the kingdom” materially impedes the threat actor’s ability to move laterally across your network.
- Encrypt sensitive data at rest —High-value data, such as health records, passwords, and board papers, must be encrypted at rest and in transit using industry-grade encryption tools. When this proves hard (often the case with legacy or some bespoke applications), the CISO must identify a set of mitigating controls to reduce risk.
- Segment your network — Design a network infrastructure that isolates digital assets into different segments based on risk. For instance, development and production workloads must be strictly segregated through firewall rules, and high-value applications must not have unrestricted access to the internet.
- Enforce MFA — Mandate multi-factor authentication (MFA) to access high-value applications, transactions, or networks even from remote locations.
- Create a cyber-savvy workforce — Deliver a risk-based security awareness program to empower your staff with the knowledge to detect advanced phishing threats and promptly report missteps.
- Tighten your email and internet security gateways — Deploy robust domain name service (DNS) filters, spam control, uniform resource locator isolation, sandbox, blocklist, secure sockets layer decryption and inspection. Staff will always make mistakes, so it makes sense to reduce the probability of malicious emails ever hitting their mailboxes.
- Restrict installation of unapproved applications — Deploy commercial tools to prevent unverified or unauthorized applications from executing in all high-value systems.
- Harden your environment — Configure firewalls to block access to known malicious internet protocol (IP) addresses, disable all unrequired services and ports, and ensure devices and systems are up to date with patches and antivirus updates.
CYBER INCIDENT IDENTIFICATION
After establishing preventative measures, the next phase involves implementing relevant measures to detect and report security incidents promptly. Cybersecurity incidents are often reported by employees and business partners or detected by monitoring solutions. To make this process effective, the CISO must consider two essentials for success:
- Take time to configure the SOC to eliminate noise. Security tools should ideally ship logs to a 24/7 security operations centre to enable automated log correlation, filtering, and rapid notifications. Logging security events without actively monitoring them is an utter waste of computing resources. A stark example of this was seen in 2013 when Target’s US security team ignored security warnings sent by their security operations team in India, giving hackers a window to pilfer more than 40 million payment card details.
- Send an unequivocal message to all staff that making mistakes is human and permissible. Employees must feel free to promptly report their mistakes without fearing retribution. A strong cyber culture enhances cyber response capabilities.
Once a material incident has been identified, the Cyber Incident Response Team must conduct the initial assessment by asking seven important questions:
- What critical business systems has the threat actor compromised?
- Is the identity of the threat actor known (is this an internal or external threat actor)?
- When did the attack start? Is it still unfolding, or has it now been contained?
- How did the attacker gain access to the environment?
- Has any sensitive or confidential information been stolen?
- Is the organization the primary target, or is it only a victim of an industry-wide, opportunistic attack?
- What are the known impacts of the data breach?
CYBERSECURITY INCIDENT RESPONSE
Once the CIRT confirms the criticality of the incident, they must authorize critical cybersecurity containment activities outlined in the Cybersecurity Incident Containment section below. Cybersecurity incident response involves engagement with the general counsel to assess the legal implications of the breach and activate regulatory notification procedures based on applicable data protection laws and contractual obligations. It’s important to understand the different jurisdictions in which the organization does its business to ensure compliance.
Most importantly, the CIRT must prioritize different stakeholders (the board, staff, investors, shareholders, or the media) and authorize communication channels based on documented roles and responsibilities.
CYBERSECURITY INCIDENT CONTAINMENT
The CIRT should be involved in the cyber containment phase as it requires some critical decisions, such as shutting down a system or an entire network segment.
Effective cyber incident containment requires prompt and decisive action; however, common missteps can jeopardize a cyber incident response. These include prematurely disconnecting customer transactional systems, responding to false positives, unintentionally alerting the attacker of an activated response, and inadvertent tampering or destroying forensic evidence. This is a critical phase of incident response that must be executed with extreme care. Critical steps include:
- Disconnect infected computers from the network, shutting them down entirely or disabling specific services. However, the CIRT should attempt to isolate affected systems without simply powering them off to avoid losing evidence or data.
- Shut down routers, switches, and other relevant network appliances to isolate an infected segment from the more extensive network.
- Deploy missing critical patches to remove exploited vulnerabilities and confirmed backdoors.
- Reset passwords for all potentially compromised accounts or disable administrator accounts.
- Block suspected IP addresses or access from specific geographic locations through firewall filtering or relevant security gateways.
- Enforce MFA on all remote access.
- Block confirmed malware sources (for example, email addresses and websites) on email gateways, internet proxies, or firewalls.
- Inspect security logs and block threat actors’ backdoors or command and control channels. Note that the absence of backdoors, however, doesn’t mean the attacker has left your environment.
- Block all administrator access from remote locations.
COMMUNICATION IS CRITICAL
Please note that this section is an excerpt from our CISO Playbook, which was a collaboration between Cyber Leadership Institute and Daylight Agency, a Marketing Communication Agency and Risk and Reputation Management Consultancy.
How you communicate with your stakeholders, employees, and relevant third parties can significantly impact your company’s bottom line and brand reputation. Brand reputations are as important as an organization’s financial health. They are built over the years but can be compromised or even ruined in an instant.
Providing accurate and quick communication to the CIRT is critical for the containment, eradication, and recovery of the incident. Yet, communication is often the weak or forgotten link.
A 2018 Deloitte study of more than 300 board members and over 500 risk management, crisis management, and business continuity professionals found that 8 of the 11 lessons learned post-crisis were related to communication. These ranged from communicating better with stakeholders to monitoring social media channels better and implementing communications plans quicker.
Infosec describes communication as crucial both during and after an incident stating that efficient communication guidelines and channels must be established for your team.
BEING CYBER CRISIS READY
All planning elements and responses must work in unison to ensure cyber preparedness operates at an optimum level. Crisis communications must be embedded in your cyber risk plan and be included in ongoing reviews, monitoring, and testing to ensure success. When dealing with cyber incidents, communication principles and approaches are similar to managing other crises. The key is to be prepared, rehearsed, and ready to respond at any time. Agility and speed are essential. The c-suite or senior leadership team (SLT) must be heavily involved, and you must convene regular crisis meetings.
While most organizations will have a spokesperson that deals with the media and handles interviews, your role as CISO is critical and involves conveying details about what is happening right across the organization. Information about the incident must be delivered in a clear and concise manner, free from technical jargon.
In Table:1, we outline five things your business should always say and five things they shouldn’t when dealing with a cyber crisis.
Take complete ownership and be transparent.
Play the blame game or avoid responsibility.
Be on the front foot and keep your employees, customers, shareholders, and relevant stakeholders informed of the incident. Provide facts and information on how the business has responded so far. Tell customers what you know, what you are doing, and when you will update them next.
Rush to announce the scope of the breach before in-depth forensic investigations. Revising the numbers multiple times erodes confidence. Most of the initial estimations are wildly off the mark.
Explain how the business is cooperating with authorities (where relevant).
Pre-empt findings or actions by authorities or discuss possible litigations.
Describe the efforts being made to deal with the immediate situation.
Predict potential implications for the business.
List what you’ll do next and how you’ll maintain communication. Be clear in your communication and express compassion and sympathy to those affected.
Lie or try to hide the truth.
When planning crisis communication, there are three key areas of consideration. These include identifying and assessing the risks, understanding how to respond, and considering what the business can do and say. Our CISO Playbook: Cyber Incident Response and Crisis Management provides a detailed guide on these areas of consideration.
UNDERSTANDING THE ROLE OF THE MEDIA
CISOs must now think beyond technical controls and play an effective leadership role. This means understanding how media operate in a crisis and the role social media plays. In a crisis, it is essential to get on the front foot with the media. Journalists want information quickly and remaining silent will only encourage them to seek other sources leading to inaccurate information that will cause further damage. The designated spokesperson may not need to say much when the breach is first discovered, but they must say something.
Brief, regular statements and updates are better than infrequent lengthy ones. As CISO, your role is to assist the spokesperson and SLT in remaining factual and on-point.
Updating the SLT and stakeholders as more information about the breach is discovered shows the media that the business is concerned and working toward a solution.
THE POWER OF SOCIAL MEDIA
Remembering the power of social media in your cyber incident response plan is critical. Customers and third parties have often identified a breach before the company does. Social media could provide an early warning system, as many issues break here first, leading to a crisis if ignored.
If handled like mainstream media, social media can be used to communicate the organization’s position and how it is addressing the problem. Social media can also be used to update many stakeholders quickly and effectively during a crisis.
A Ponemon study revealed that 47% of businesses had not assessed the readiness of their incident response teams. As the HBR states, this means they will be assessing their incident response for the first time when they suffer a cyber-attack. Thoroughly planning for an inevitable attack will help identify areas needing improvement and ways to strengthen your incident response.
TEST AND REFINE
A good cyber resilience framework will just get better through regular testing and refinement. The board is responsible for ensuring that a comprehensive cyber crisis management plan is in place and response capabilities are routinely tested against high-impact scenarios. Stress testing cyber response capabilities in controlled environments validate key assumptions, uncovers defective procedures, and clarifies key responsibilities. It reinforces muscle memory which, as the HBR states, assists in the event of responding to a cyber-attack.
Stress tests also reinforce business confidence. Attempting to make critical decisions during a cyber emergency can lead to significant missteps, conflicting messages, or internal disputes, aggravating an already dire situation.
Business leaders must take deliberate steps to anticipate major cyber breach scenarios, assess the adequacy of response measures, and set aside sufficient capital to absorb the shocks should each scenario eventuate.
Cyber-risk drills must be attended by senior business, technology, and risk stakeholders and cybersecurity experts. Business leaders identify the business impact of extremely plausible cyber scenarios during these drills, such as a sustained distributed denial-of-service (DDoS) attack rendering essential digital services inaccessible, a wide-scale sensitive data breach, or extensive contamination of production data.
Narrowing down critical cyber-attack scenarios is necessary because attempting to anticipate every possible attack scenario is not feasible. Once the stakeholders have agreed on plausible scenarios, the next step involves quantifying associated impacts and determining how much capital should be set aside. Quantifying financial impacts from cyber breaches is still in its infancy, and this is where external consultancy can provide insight using their wider industry exposure.
ENSURE YOUR BUSINESS IS CYBER INCIDENT PREPARED
No individual, enterprise, or nation is immune to cyber risk. The crucial question is no longer if a cyber attack will occur but when.
Please see our CISO Playbook: Cyber Incident Response and Crisis Management for our BAU guide and a deeper exploration of cyber incident response and management, including detailed learning examples and achievable key objectives.