While we work hard to ensure the right controls are in the right places to prevent breaches, the fact remains that no one is immune to attack. This was broadly apparent with the highly sophisticated SolarWinds Orion supply chain breach which penetrated some of the most well-resourced and security savvy organizations. Advanced threats always seem to find a way in.
George Washington was credited with saying “If we are wise, let us prepare for the worst.” For security pros, preparing for “the worst” means preparing for a significant breach. Breach preparation is not something that should be done in case a breach happens, the preparation needs to be done with the belief that a breach will happen.
If you haven’t done this already, your incident response plan should be well-documented. Having a well-documented plan is the best way to ensure your organization is prepared and ready to respond to cyber incidents. The NIST Computer Security Incident Handling Guide (SP 800-61 rev.2) is a great resource if you need help developing your incidence response procedures.
The Ben Franklin phrase, “by failing to prepare, you are preparing to fail” absolutely applies here. Your incident response plan needs to assume the worst-case scenario. If these three components are not currently in your response plan, they should be.
1 Establish a Communications Plan
One overlooked component of incident response is a communications plan. You need one. The first item on the communications plan should be to develop and document incident reporting mechanisms for staff. An internal website, phone number, email alias – some way for employees to easily report a suspected compromise. An anonymous incident reporting capability is also a good option. Often, non SecOps personnel will notice something suspicious, they need to know how to report it. Any mandatory employee security training needs to include how to use the incident reporting resources.
The communications plan also needs to include names and contact info of all incident response staff. In addition to your security team members, the incident response team should include members from corporate marketing, public relations, and customer services/support. Depending on the scope of the incident, these teams will likely need to get involved in both the internal and external incident response communications. If you are a publicly traded company and/or have customers that may have been impacted by the incident, your public relations team will need to get involved quickly. Your customer services/support team may also be inundated with calls, it is important that they are armed with the details and the talking points to address any customer concerns. Having all of these teams represented in your incident response plan is a must. A group alias on a secure messaging platform is a good way to ensure that you can keep everyone in the loop in the event of corporate system outages.
Additionally, the appropriate law enforcement agency contacts should be identified and documented within the plan. This should include both local law enforcement as well agency contacts such as the FBI. Depending on your business, there may be other key stakeholders that will need to be contacted as well, including suppliers or business partners that may have been impacted by the incident. A cyber incident could result in the inability to access your systems or files, so be sure to keep a physical copy of your contacts handy – that binder on the shelf that you hope to never use.
2 Prep Your “War Room”
As part of the incident preparation, designate a “war room” to support response operations. While you may not have an extra room to spare, your plan can include guidelines for converting a conference room into the war room. You’ll need to outfit the war room with some tactical equipment as well. Keep these on standby so you can easily access when the time comes.
• Forensic workstations with evidence gathering materials – cameras, recorders, evidence bags, analysis resources such as baselines and network diagrams
• Laptops equipped with sniffers and packet analysis tools to capture network traffic as well as removable media to copy log files and other incident data.
• Forensic software to create and preserve disk images (such as EnCase, Autopsy, or FTK Imager).
• Encryption software, secure storage, and available media (to copy critical data/systems).
3 Check Your Disaster Recovery Practices
Backing up data and testing recovery procedures is a standard practice for most disaster recovery (DR) programs. Of course, you will want a recent back up of critical business systems (and data) to be readily available so business operations can be quickly restored. However, when preparing for a breach there are some important recovery elements you should consider. Great incident response execution cannot compensate for poor planning.
If you encrypt your backup data (and you should), be sure that you have access to the decryption keys in the event of a widespread system outage. If your keys are stored on a system that is impacted by a breach (e.g. ransomware), you may not be able to access them, and your backups become useless. Be sure to have copies of decryption keys in an offline escrow that is adequately protected. Additionally, ensure that your system backups are properly segmented (air gapped) from the production systems. If you are hit with widespread malware, it is likely that your backups will also be impacted. When your systems are ravaged by ransomware, you don’t want the backup process overwriting the last known good data set with the impacted data – we have seen this before.
Fortify Your Defenses
You can’t choose not to be a target. However, putting in additional controls to detect and stop Advanced Threats is a sound business decision, especially considering the current cybersecurity pandemic. Avocado Systems can help. Avocado helps our clients to detect, deter, and block Advanced Threats, including ransomware, from doing damage. Let us show you how we do it.