There’s a popular saying in the cybersecurity space: “There are two types of organizations, those that have been breached and those that don’t know they’ve been breached.” In working with organizations that know they’ve been breached, I’ve noticed a very alarming fact: it’s usually not their first breach. That left me wondering why, and how.
How can an organization suffer one breach and then have a second or third breach of the same kind? What did they fail to learn from the initial breach that left them vulnerable to similar ones later? One common theme is that they “handled” the first breach themselves, or they hired a security consultant with little to no experience in incident response who focused on recovery rather than on fully understanding how the attack was carried out. This is a very scary reality, and we are seeing it more and more every day.
I’d like to offer a few points to consider when thinking about how you can prepare your organization for a breach or protect from a subsequent breach.
- Build a formal incident response plan that incorporates a team of experts. No one knows your IT environment better than the team that manages it daily. However, tasking that team with fully handling incident response for your organization is a risky decision. Unless your team includes experts in digital forensics and reverse engineering, it’s very likely you will not fully understand the anatomy of the breach that has occurred.
- Don’t underestimate the value of reverse engineering and forensics. It’s one thing to “recover” from a breach by bringing systems back online, but if you don’t fully understand how the breach occurred, you leave yourself open to a subsequent one. You and your team must know how the breach occurred and what was done. If you don’t, it’s possible that the attacker has established some form of persistent access that allows them to keep operating covertly within your organization. Reverse engineering of the malicious software used during an attack is crucial to understanding how the breach occurred and what was done; in particular, it establishes the capabilities of the malware and tools used against your organization. You need to know whether sensitive information was accessed and, even more importantly, whether data was exfiltrated from your organization. A post-breach forensic investigation is another crucial component, one that helps ensure the attack has been fully contained and shut down. You need these details if you expect full containment and remediation of a breach.
- Ask the following question when starting a relationship with a cybersecurity provider: is incident response a core part of their business? If it is something they only deal with from time to time, that should be a red flag. A team of experts who handle incident response engagements daily is the only sound option. Incident response scenarios can range from a quick 30-minute phone conversation about a suspicious event to boots on the ground within hours of a breach.
- Promote communication within your team to ensure everyone has the opportunity to understand and be involved in the response plan. Time is of the essence when a breach occurs, and your team needs to know their roles.
It’s no longer a question of if, but when, an organization will experience a cyber-attack. The traditional view of cybersecurity was simply to keep hackers out. With new attack vectors developing at such a rapid pace, today’s organizations must be prepared for the unthinkable and take a proactive approach to incident response in order to protect their IT environment and minimize data loss and damage in a crisis. Be sure your team is prepared and understands how to properly handle a breach.