Research Assignment
3 keys to responding intelligently, publicly to a cyberattack [Commentary]
By: #CyberAvengers 19 Sep 2017
Intelligent responses depend on three elements:
1. Incident Response Planning
2. Business Continuity Planning
3. Crisis Communication Planning
There are numerous articles and memos that deal with the topic of incident response, business
continuity, and crisis communication plans. Many have even been distributed through media outlets.
So you may be asking: why us, why now, and what more could we possibly offer in this
space?
We think the answer is pretty simple: sometimes you can’t get enough of a good thing. Similarly,
there are fundamental topics that people still are having problems with. Translation: more
homework to do. One subject area that evidently needs work is responding confidently to a
cyberattack in an intelligent and public manner. There are a great deal of texts and certifications
out there on these issues (some better than others of course), but if we could, we’d like to give
you some “basic street talk” on these issues. Essentially, we want to present to you the issues in a
way that you could discuss while having a coffee or drink.
We won’t name names, but there are real life examples of “good” responses. You intuitively
know a good response. You feel a level of confidence that the company has the facts, knows the
circumstances of what has happened, and is going “full steam ahead” to clean up whatever the
mess is. Despite the situation being bad, you know that whoever is steering the ship has things
“under control.”
And then there are the “other” responses. You intuitively know a bad response also. It’s the one
with the bad smell, the train wreck you can’t watch but still want to, and the one where you
throw up your arms and say to yourself “are you kidding me?! You can’t be that out of control!”
In cases like this, you’ll normally see a swarm of regulators, stakeholders, investors, and the
public directing a lot of “ahem” to the organization and its executives.
Almost paradoxically, you seldom remember the “good” responses, but you never forget the bad
ones (they usually end up as case studies in business reviews and university textbooks).
Like we said, not naming names, but we want to give you some “quick hits” as to what we, the
#CyberAvengers, feel works and what does not work when you have a cyber train wreck at your
fingertips. Here goes:
Incident Response Planning
There are plenty of things that often come up concerning the importance of incident response (or
“IR”) planning. First, the importance of having a plan cannot be overstated. The worst time to
figure out what to do or say is in the middle of a cyberattack. Simply put, things get too
crazy to think.
For instance, internet access might get disrupted, files might get encrypted, executives might get
fired or suddenly retire, or revelations might occur indicating a major loss of customer
information or financial data. Depending on what happened, any of these issues might indicate
anything from a “manageable” to a “catastrophic” problem. Problems get further
compounded if the company is publicly traded, or is regulated by a federal or state agency (such
as the SEC or the NY DFS), where the timeliness and accuracy of disclosures matter greatly,
along with the reputation of the company or firm being attacked.
All stuff you know so far. Now comes the moment of not mucking it all up.
To minimize the impact of such an attack and to protect the company and its stakeholders, strong
incident response plans have the following attributes:
1) The IR Plan needs to be practiced often and not left in the desk drawer waiting for the first
disaster to strike. Do even the top athletes of the world practice before the big game? Yes. They
do. So if the very best need practice for something routine (like playing a game they’ve played
their entire life), you can bet you need a lot of practice for something that is hopefully not
routine (check your business model if you’re running into disasters a bit too often). And practice
your IR plan with all people internally, such as the board, executives, IT, HR, and the general
counsel’s office. It’s not a bad idea to have an outside lawyer and cyber forensic advisor as well
because in a real disaster, you’re probably going to need them too. Failure to practice your IR
plan is more or less the number one “YOU LOSE!” issue we see.
2) We recognize you have limited resources and can’t think of every possible disaster, but you
need multiple plans and you need plans to test your limits. Practicing touch football will do little
for you if you’re preparing for the Super Bowl. So think small and large breaches in various
forms, such as DDoS, ransomware, insiders, corporate espionage, and depending on your size,
even nation-state attacks. Make sure all of your plans have mechanisms to notify/activate the
right people. This includes law enforcement, regulators, stakeholders, and investors. And plans
can’t stay static, so keep in mind that plans need to address personnel changes and organizational
restructures. No two cyberattacks are alike, so all IR plans cannot be alike either. In the heat of
battle, you will simply be overwhelmed if you’re applying your DDoS scenario to your
ransomware issue. They have different characteristics and implications, meaning they are not
easily interchangeable.
Practice hint: if you are a multinational, you should have different regional plans and see if and
how they would need to interact, particularly if an attack in jurisdiction A can have an effect on
jurisdiction B. Different people involved, different laws, different vendors. You need to know all
this stuff ahead of time.
3) Who’s the boss? You need an incident commander. Somebody needs to be in charge (they
may be able to hand off if the situation changes) but somebody has to be the boss. Crisis
handling by committee usually ends up in a boil over. Identify who needs to be the boss for the
scenario at hand and who their support team will be. Sometimes it’s the CEO taking all the hits.
Sometimes it’s the general counsel leading, with the CEO being the public face. Other times it’s a
technical specialist running the table internally, but helping the PR team craft the external
message. Experienced crisis management firms are helpful for disclosures, but if you go this
route, make sure they have experience in cybersecurity issues, because cyber is an animal
we still do not know well. Just be sure to have somebody calling the shots. And support them.
Now is not the time for puffy chest.
4) Timing is everything, especially for public companies that are trading daily on information
available to investors. We are often told that we should “just get the information out there” and
there is reason for that advice, but be prudent. Trying to outrun a potentially out of control
speeding locomotive without some safety precautions could result in … well, use your
imagination. We’re trying to keep this article G-rated. With that said though, don’t sit back to
watch and enjoy the show because once that train crosses state lines, you may have no control at
all. We admit this is not an easy task. You have to find that sweet spot between “doesn’t have its
act together” and “is potentially hiding something.” It’s sort of like mastering the delicate art of
tap dancing on the head of a needle without getting pricked. By the way: this is why we
practice!
5) The best way to respond to an incident is to know about it before anybody else so you can
kick the attackers off your system. We covered this issue in detail in our recent book, Take Back
Control of Your Cybersecurity Now, but here are some notes: used prudently, machine learning,
automation, and orchestration solutions are your friend. They can significantly reduce the time to
discovery of the breach (also known as “dwell time”). These tools may even help you prevent the
breach altogether.
Business Continuity Plans
Business Continuity Planning (or “BCP”) is an essential part of corporate resiliency. We see
them activated for issues like natural disasters and even terrorist strikes. But in the face of
cyberattacks, they are more important than ever. Effective BCP helps get you back in the game
sooner. This is critical because too much down time could completely destroy your business.
Think of it like this: you have the ability to bend while others are breaking. And just like IR and
crisis management have evolved, so has BCP. Therefore, lead with skepticism if your BCP is
being conducted by somebody who has little understanding of cybersecurity issues.
Good BCP relies on proper investigation and remediation of attacks. Forensic cyber experts and
lawyers are well versed in these issues. And BCP relies on IT experts who create proper,
segmented, offline backup media (daily! ... and regularly tested to ensure it will actually work
in a time of crisis) so that the endpoints and network assets can be restored quickly and easily.
Reminder: #BackItUp!
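The “regularly tested” part of that backup advice is the one item here that turns into a concrete control. The script below is an added illustration, not the article’s or the #CyberAvengers’ own code: it records a SHA-256 manifest when the backup is taken and later checks a test restore against it, flagging files that are missing or altered. All paths and file contents are constructed in a temporary directory so it runs offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file at backup time."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree to the manifest; an empty list means it is usable."""
    problems = []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != digest:
            problems.append(f"corrupted: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: one clean restore and one with a lost and an altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup = Path(tmp) / "prod", Path(tmp) / "backup"
        good, bad = Path(tmp) / "restore_good", Path(tmp) / "restore_bad"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.csv").write_text("id,total\n1,9.99\n")
        (src / "config.ini").write_text("[app]\nmode=live\n")
        manifest = build_manifest(src)      # taken when the backup is made
        shutil.copytree(src, backup)        # the "offline" copy
        shutil.copytree(backup, good)       # test restore that is intact
        shutil.copytree(backup, bad)        # test restore that silently went wrong
        (bad / "config.ini").unlink()
        (bad / "db" / "orders.csv").write_text("id,total\n1,0.00\n")
        return verify_restore(manifest, good), verify_restore(manifest, bad)
```

Calling `demo()` returns an empty problem list for the intact restore and two findings for the damaged one; in practice the manifest would be stored alongside the offline media and the check scheduled to run against a scratch restore.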
Here is a thought for your scenario testing and planning: take your busiest day or time period,
say Black Friday or the two weeks before Christmas and imagine losing your services to
whatever scenario (ransomware, DDoS, etc.). Just play out your nightmare scenario and see how
you’d deal with it. PS – we just took out your first line of third-party suppliers/vendors/experts
because of supply chain integration. They’re down now too. What do you do now? PPS – Sorry,
but don’t say we didn’t warn you!
Just like with IR, review, update, and test BCP regularly. Businesses are dynamic. We have
accepted that into our corporate culture. But we have not necessarily adopted the same feeling in
terms of continuous improvement for IR or BCP. These are those things where we don’t see
return-on-investment until they’re actually needed. Just remember things can always be
improved and in this modern interconnected world, effective BCP must deal with the variety and
complexity of vendor dependency. Long gone are the days where you could do everything “in
house” unfortunately, so you need to regularly review and update vendor roles and
responsibilities. Yes, it’s cheaper during “peace time” to have a vendor-dependent/subscription-based business model, but if you’re not ready for the war, your losses could be catastrophic.
Crisis Communications Planning
The worst time to exchange business cards is in the middle of a crisis. Overthinking causes delays.
Analysis paralysis can turn a press release into a bunch of gobbledygook. And seriously, do you
really want to be doing this for the “first time” during a crisis? The #CyberAvengers are an
adventurous bunch, but even we have our limits.
You see, crisis communications is there to manage the intangible, the things that rely on
confidence, such as reputation and market capitalization. You may in fact have your act together
but if the message coming out of your organization seems like utter chaos, the public will make
up their mind on that information, not what is actually going on. If you accept for a moment that
emotions and images are more powerful in impacting our decision-making over rationality and
words, then you see our point of view crystal clear. So toss out the window the idea that you are in
control of this situation (in terms of how the public views you) and do your best to manage what
you have to deal with. Here are a few pointers to help with the management.
1) A pre-meet with the FBI and Secret Service is not a bad thing. In fact, we strongly believe in
doing so. Why? Go back to our “worst time to exchange business cards is in the middle of a
crisis” comment. Meeting beforehand gives all parties a chance to meet without someone’s hair
being on fire (and incredibly reduces the possibility of an errant punch to the face when
frustrations boil over). During the pre-meet you can discuss systems and IT networks. You can
also discuss expectations and levels of support. It makes a difference. And of course, you do that
good ole fashioned thing called “building a relationship” with persons and institutions. Not a bad
thing. We know. We do this religiously in fact. There are instances where a pre-meet, coupled
with timely and accurate disclosure, has discouraged lawsuits. This is a very good thing. So
remember, a friend in need is a friend indeed. And if you’ve got a nation-state or transnational crime
syndicate smashing through your network (or being the stealthiest little bugger you have ever
encountered), friends of this kind are good to have.
2) Pre-draft your disclosures for different scenarios. Much like planning for different attacks,
having these different templates in your back pocket saves you valuable time. Consider that most
significant breaches will require disclosures to regulators, shareholders, investors, employees and
others. The European Union’s GDPR has given consumers a mighty hammer and if you’re not
ready for the GDPR, you may be facing a world of hurt on that (keep an eye out for the
#CyberAvengers playbook coming out soon which talks more about the GDPR). And some of
you may giggle at this, but have some disclosures ready to go with 140 characters. In case you
haven’t noticed, Twitter, social media, and bloggers sort of play a big role these days. It’s your
way of speaking directly to the people without an intermediary filtering your message.
3) Use people who have experience. This point is the pièce de résistance. As we mentioned
above a few times, it is important for all companies to project an air of confidence in the middle
of a breach. Confidence goes a long way. It shows the company has its act together. It shows that
it understands and appreciates its different constituents. It can move markets. Somebody who
understands that all these moving parts are a system – not a bunch of individual goals – can turn a
crisis into a success within 72 hours. But don’t be fooled, these skills are not acquired overnight.
A good way to identify somebody experienced is if they (FIGURATIVELY!!!) have been
battered, bruised, full of battle scars, but are still going on with a smile on their face, plugging
away.
This, dear friends, is called resilience. And get used to it, because life today that is so reliant on
cyber will require a lot of resilience.
Much the same way you wouldn’t go to a podiatrist for your dental issues (despite increased
cases of foot-in-mouth syndrome, particularly over social media), you shouldn’t be using real
estate counsel to handle a cyber breach. Remember, cybersecurity is still a loosely defined
concept that we have mystified, meaning that you may very well need a “jack of all trades and
master of many” to get the job done for you. A well-rounded cybersecurity professional may not
have all the answers for you, but they will have somebody in their Rolodex who can be pulled in as
a free agent in time of need. Point is, know these people beforehand.
On a final note, with the advent and increasing prevalence of firm state, federal and international
breach disclosure timing standards, time has become even more precious. Having ready-to-go
IR, tested BCP, and executable crisis communication plans not only saves you time, but could
save you from the enormous tangible issues, like fines and penalties, and spare you the intangible
carnage, like stock price drops and reputational damage.
Don’t lose in minutes what has taken you years to build just because you think it is okay to cut a
few corners or believe “this won’t happen to me.” As the old vaudeville joke goes: “How do you
get to Carnegie Hall? Practice, practice, practice.”
In Defense of the United States of America,
The #CyberAvengers
The #CyberAvengers are a group of salty and experienced professionals who have decided to
work together to help our country by defeating cybercrime and slowing down nefarious actors
operating in cyberspace seeking to exploit whatever their tapping fingers can get a hold of.
Paul Ferrillo
Chuck Brooks
Kenneth Holley
George Platsis
George Thomas
Shawn Tuma
Christophe Veltsos