April 26, 2024
Here’s a scary scenario: Your business or organization has just been hit by a cyberattack. In exchange for releasing their grip on and/or not disseminating the sensitive data they’ve swiped from your systems, the perpetrators are demanding lots of money. What do you do? Who talks to whom? Who performs which tasks?
If you don’t yet have a solid plan in place, you’ve likely realized you need one. Mishaal Khan, principal solutions architect at Mindsight recently shared a step-by-step guide to enduring just such a crisis. And it applies to all types of businesses and organizations and functional areas—everything from municipal governments and schools to e-commerce companies and healthcare providers. The titles of those in charge of containing the situation might change, but their responsibilities remain largely the same.
Ideally, of course, it’s best to prevent attacks before they occur through constant human and technological vigilance. But even the best defenses aren’t always enough to ward off determined bad actors, and so the threat keeps growing year over year. By 2028, the annual cost of cybercrime in the U.S. alone is predicted to reach $1.8 trillion.
“Cyber resilience is what we’re after,” Khan says. “Panic management, crisis management, next steps. How quickly can you recover from an attack in the short-term, and what long-term strategy should be in place to prevent other attacks?”
Here’s his expert advice on what to do if (not, fingers crossed, when) you discover intruders on the premises.
Discovery of a Breach
The first step is to validate and investigate whether an apparent breach is actually a breach. It could just be that systems are down because of misconfiguration, a power outage, a bug, or something else. This process of discovery and confirmation is done by an internal response team that can determine with certainty what’s going on. They’ll triage the situation and troubleshoot. They’ll go through their logs and look at their various security systems depending on where the attack appears to have occurred. If an attack is confirmed, it’s time to enact your Incident Response Plan (IRP).
Post-Attack Chain of Command and Events
The C-suite, along with the security team, should closely follow whatever plan is in place. If there’s no plan in place, they’ll have to rely on a third-party incident response team to help them figure out how to proceed. Depending on the organization, there should be specific details within each incident response plan, including contact information for internal tech teams and law enforcement entities. Depending on the type of organization and its predetermined course of action, the CEO (or equivalent), CFO (or equivalent), CIO, CISO, CMO and board of directors will all be tasked with certain decisions and actions in service of getting systems back up and running. But titles have little to do with responsibilities. In other words, a company’s top boss—its president or CEO—may well hang back while other executives and more tech-savvy experts lead from the front.
Here’s a for-instance: If there’s no other choice than to meet an attacker’s ransom demand, who calls the shot? It’s not your internal security team. It’s not law enforcement. Typically, the CFO should be ready to make that decision (often with the board’s and/or CEO’s blessing) beforehand about how much they’re willing to pay and how it will be paid out. Maybe it’s a wire transfer. Maybe it’s Bitcoin. If it’s the latter, does the company have a Bitcoin account? In some instances, an organization’s cyber insurance policy will cover a payout on the client’s behalf. Whatever the case, map it all out in your IRP.
Informing External Users
This is the last step, but it doesn’t need to happen right away. Unless the target is a healthcare organization, in which case federal law demands full expedited disclosure. In most instances, however, companies can determine how quickly they want to respond and how much information they want to divulge.
If your users and systems remain unaffected by an attack that was quickly contained, you may decide to keep a lid on things to avoid prompting concern or panic. This internal threshold differs from company to company, organization to organization. If systems are down, though, there’s no choice (no ethical one, anyway) but to tell them why and, based on internal estimates from security specialists, for roughly how long.
In most cases—particularly early on, while an investigation is still underway—disclosure of a cyberattack comes in the form of a fairly generic statement that contains only general details. Not everyone needs to know everything, and definitely not right away. There’s also a reputational component to consider here. In fact, it might be smart to enlist a lawyer’s help in drawing up/delivering a public statement so as to avoid language that could spur potential lawsuits from users whose data was breached. Additionally, your IRP should detail the means by which you’ll disseminate this disclosure externally—i.e. website, email, social media, etc.—and deliver future updates.
If all of the above seems fairly straightforward, it is. But since each incident response plan differs, it’s vital to do dry runs before an attack happens. Organizations need to create and enact breach scenarios, see how everyone responds based on the IRP and pinpoint places for improvement. If outside assistance is required, MSPs like Mindsight have plenty of experience in creating incident response plans from scratch and performing tabletop exercises.
The ultimate goal, of course, is to avoid being hit by cybercriminals in the first place. That means instituting a long-term strategy that involves regular risk assessment processes (PEN tests, for instance) and internal training. Proactive versus reactive measures.
Whether you’re bolstering cyber defenses or trying to mitigate damage during an active attack, your effectiveness rests largely on one thing: being prepared. There is no substitute. And for those companies that don’t yet have an IRP in place, there’s no time to waste.
About Mindsight
Mindsight, a Chicagoland IT services provider, is an extension of your team. Located in Downers Grove, IL we proudly serve customers across the area including Naperville, Oak Brook, Northbrook, and surrounding counties (Cook, Lake, Dupage, Will, Kane, and Grundy). Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.
About The Expert
Mishaal Khan is a subject matter expert in cybersecurity, pentesting, privacy, Open-Source Intelligence, and social engineering. He is a frequent speaker on these topics at universities and popular cybersecurity conferences like DEFCON, Wild West Hacking Fest, and multiple BSides events. Mishaal has worked with multinational companies for over 20 years, securing their networks and providing executive-level consultancy to manage risk and avoid breaches. He’s an author, holds a CCIE and CEH, and runs the cybersecurity practice at Mindsight as a vCISO. Visit Mishaal’s LinkedIn page.
