By Steven Chabinsky, CrowdStrike’s General Counsel and Chief Risk Officer
Network intrusions have become a fact of corporate life. A breach can not only be damaging to a brand’s reputation, but is increasingly factored in as one of the many costs of doing business. The impact of a breach depends upon a number of factors, including what assets are at stake and how quickly the breach is detected, contained, and remediated. Here are some mistakes that if prevented, companies can recover faster and more effectively after an incident.
With the average cost of a data breach totaling $3.8 million, you would expect companies to focus on the proactive detection of threats. Unfortunately, in today’s business world many struggle to efficiently and effectively detect intrusions, assess the extent of the compromise and engage the right level of assistance to remediate the problem. This had led to significant delays in breach detection and a rising remediation costs.
In particular, many businesses lack the necessary tools to perform proactive detection. A tendency to rely on internal personnel to fight fires without the necessary automation and managed response also compunds the challenge. Whether it’s a call to outside legal counsel, a computer incident response firm, a public relations/crisis management company, or all three, potential engagements should be pre-arranged. Contracts should be signed and ready to go, costing your company nothing unless and until you use them, but allowing for quick deployment.
Communicating with the hackers
Many companies that have been breached still use their internal systems to communicate about the incident. Whether it’s documenting a company’s incident response efforts and findings, or emailing others to enlist their help, using compromised systems as a method of communication is a bad idea. After all, unless hackers are removed, they could very well be reading those communications. If all-employee emails relating to an incident are required, such as to change passwords, businesses should consider them as routine IT requests until they are confident the hackers are out.
Pulling the Plug
For many, the first reaction upon spotting a hacker on the network is to pull the computer plug straight out of the wall. Yet, removing the power from a computer not only results in lost volatile memory, (much of which can be critical to a forensic investigation, and should be imaged), but may also lead the intruder to establish other points of entry. Action must be taken immediately to isolate key assets. Businesses should consider limiting remote connectivity or perhaps taking some systems offline. For those systems that continue to allow external network access, it is important to closely monitor Internet entry points to identify hacker activity in outbound network traffic.
When it comes to effective incident detection, containment and remediation of the value of log files is critical. Hackers attempt to cover their tracks by deleting or modifying evidence of their crimes, making it important to employ techniques such as duplicating logs, limiting access to them and having log files append rather than overwrite, establishing separate logging servers and using write-once media.
Moving on like nothing happened
Whether hackers are stopped at the border or removed after a successful intrusion, it is important to re-examine significant events, capture lessons learned and revise incident response processes based on this. It also is helpful to gather real-world examples experienced by your company when conducting workforce training. Surprisingly, very few companies include actual events when conducting information security training, deferring instead entirely to hypothetical situations.
Cyber risk mitigation starts with anticipating and detecting potential threats and being prepared to defend against new tactics, techniques, and procedures (TTPs). Emerging intrusion trends require a new approach to proactive defense that includes active real-time hunting and detection, prevention, and investigation capabilities that are geared to defend against increasingly stealthy attacks.
Ultimately, when it comes down to anticipating and dealing with a network intrusion, preparation is key. If resources are in place and a fully tested response plan is lined up in advance of an incident, any damage can be remediated before it is too late.
About the Author: Steven Chabinsky is General Counsel and Chief Risk Officer for the cybersecurity technology firm CrowdStrike. He was appointed by President Obama to the White House Commission on Enhancing National Cybersecurity. Previously, he was Deputy Assistant Director of the FBI’s Cyber Division. You can follow him on Twitter @StevenChabinsky.