In our last post we examined the best practices in responding to a cyberattack with a from-the-trenches case study. We close out this series with hard-hitting, practical advice on mitigating cyberattacks from guest contributor, Brian Kelly, Chief Security Officer with Rackspace.
Concerned about how to manage cyberattacks, board directors are asking: “What can be done to minimize the damage?” Here are five lessons learned that offer guidance in successfully containing and eradicating cyberattacks.
1. Cast incident response in the context of business risk
Decisions made unilaterally by the security team without an appreciation for strategic initiatives can have significant implications for the corporation. CISOs must translate the incident into business terms, as which point the board and leadership team can provide a point of view or strategic focus that may be vital to the incident. For example, the response team may be unaware of M&A activity, clinical trials and new R&D efforts. Through board-level, two-way conversations the response team can gain insight into the possible motives of an attacker and make a connection that may alter the investigation.
2. Seek unity of command
When an incident is declared, people often come out of the woodwork to get involved. Because time is critical, nothing can be worse than senior executives trying to influence activity or wrestle control when an attack is in progress. Slow response and uncoordinated containment activities can provide attackers with the time necessary to move laterally in the network, creating an even more serious breach. It is therefore vital that command and control be clear, understood and followed with precision.
3. Adopt an outcome-based approach
Some forensics organizations take a checklist approach to incident response. However, no two cyber events are the same and incident response is not a scripted process. What is needed is an outcome-based approach to incident response. Recognize that there are multiple ways to achieve the desired outcome, and more important, understand and plan for what can go wrong along the way. Investigators who are experienced in outcome-based incident response are better able to focus on what matters, form hypotheses, take action based on the type of attack and observable facts and pivot when necessary.
4. Be prepared for containment to affect business activities
During the containment effort, organizations should be prepared to shut down or block services, revoke privileges, increase controls and place restrictions on network connectivity and Internet access. Because such activities can dramatically affect business processes, the decision to perform such actions should never be one-sided. The decision to implement controls during containment always should include a two-way discussion with business process owners and company leadership.
5. Focus on people, process and technology during eradication
Malware detection and eradication can be an expensive and time-consuming process, as malware can lie dormant in a system for months and then reactivate. Although it is easy and tempting to apply a quick fix, attention must be given to finding and fixing the true root cause. Here, the natural tendency is to lead with a technology solution. With new security tools comes the belief that the problem is solved. The reality is that, without taking people and processes into consideration, technology actually can create more complexity, consume more resources than it returns and deliver only incremental value. Organizations must therefore take a holistic approach of leveraging technology as a tool that enhances people and processes to eradicate threats and mitigate security gaps.
No organization is immune to cyberattacks. Unfortunately, the worst time to figure out how to respond is during an actual incident. Lines of communication and identification of decision makers and critical business processes must be known before a breach occurs in order to expedite the containment and eradication process and return the business to full operational capacity as quickly as possible.
To read more about containment and eradication, please visit SecurityRoundtable.org to download “Navigating the Digital Age: The Definitive Guide for Directors and Officers.”
-Brian Kelly, Chief Security Officer, Rackspace