In our last post, we focused on knowing the enemy. In this installment we explore the best practices in responding to an attack by an advanced persistent threat (APT) actor with a from-the-trenches incident response case study.
Responding to an incident requires careful orchestration. You have to assemble a cross-functional response team, conduct forensic analysis, control communication, implement timely containment and aggressively expel the attacker from your network. At the same time you need to incorporate advice and guidance from outside legal counsel and law enforcement, intelligence from regulators and provisos from insurance providers.
We recently worked with a large information services organization that was put to the test when it experienced an attack by an APT threat actor. The company engaged Fidelis Consulting Services to lead the incident response. As always, speed was critical. The Fidelis Incident Response (IR) Lead moved quickly to form a collaborative, cross-functional IR team made up of internal and external stakeholders.
By engaging outside incident-response specialists early to complement its top-caliber internal response team, the organization made rapid headway within the first 48 hours after it discovered the incident.
Here are some of the things that we worked with the client on during those initial hours:
- Engaged outside legal counsel skilled in cybersecurity incidents. This legal counsel enabled Fidelis to operate under attorney-client privilege, which both protected internal communications and accelerated our ability to resolve the incident. Fidelis also served as a cybersecurity advisor to legal counsel at executive and board meetings.
- Involved the local FBI office at the start of the investigation. The FBI reciprocated by providing potentially related artifacts, which originated at other organizations, so the company could search for them during the investigation. Although we didn’t find any of the artifacts in the client’s environment, the spirit of information-sharing was helpful. The company in turn shared all of the artifacts from its investigation with the FBI.
- Alerted industry regulators and performed disclosures to comply with multiple regulatory obligations.
- Required internal and external counsel to review all communications related to the incident, mobilized the communications team to handle internal communications and engaged an external crisis-communication firm to carefully compose the messages to ensure they carried the proper tone and minimized any potential misunderstanding.
- Notified its insurance provider once it was determined that the incident had resulted in data theft so they could evaluate the insurance coverage and determine what costs would be covered.
By performing a focused and thorough forensic analysis and developing an aggressive remediation plan, the IR team removed the attackers from the network within 36 hours. The expulsion event eradicated the attacker’s tools, cut off their ability to reenter the network and minimized the risk of retaliation. Going forward, with Fidelis’ help, the company implemented a defense-in-depth cybersecurity strategy that minimized risk and improved their threat-detection capabilities.
Experiencing a cyber attack is disruptive. Responding to a serious security incident correctly requires a team of outside forensic and legal experts partnered with the internal incident response team. A well-defined incident response team includes key staff and line-of-business managers as well as C-suite executives and board directors. Getting the right people involved and understanding how to use them efficiently is essential to properly investigating and resolving the event while managing costs and minimizing the impact on your business. Directors must ensure that their organizations have a well-thought-out incident response plan to minimize the organization's liability and exposure.