It's the worst day of your life. The IT team at your wealth-management company has just called and told you that someone has breached your computer systems. Attackers have been inside your network, and the head of IT is only just starting to understand what they may have done. All eyes are on you. What do you do?
Part of any solid cybersecurity strategy includes a section devoted to incident response. Organized companies will move into high gear after discovering a breach, following a well-defined set of rules.
There are standard "playbooks" for incident response. One of the most respected comes from the National Institute of Standards and Technology (NIST), which publishes the Computer Security Incident Handling Guide. It breaks incident response down into four phases.
1. A stitch in time saves nine
The first is preparation. In incident response, what you do before an attack occurs matters at least as much as what you do afterward. Preparing for a data breach involves marshalling a team of people, all of whom can execute a well-planned set of steps when the dreaded call arrives.
"It has to involve all players," says Jarett Parent, CEO of Ottawa-based cybersecurity consulting firm C3SA Cyber Security Audit Corp. This means operational IT staff, forensic IT investigators and cybersecurity experts must be in the room — but don't rely just on technology staff. "It's important to have your HR, your PR, your finance and your board of directors there, in addition to the geeks."
Each function will have a role to play in responding to a data breach responsibly. Public relations and communications staff can plan a strategy for responsible disclosure and help to manage the company's reputation at the most crucial time. Human resources can help determine who inside the company — if anyone — is responsible for the breach, while finance can work out how to pay for it.
Legal staff, meanwhile, can assess financial liability for the breach and advise forensic IT investigators on how to deal with technology systems in the wake of the breach. IT systems, at this point, are effectively a crime scene and should be treated as such.
2. Spotting the intruder
After preparing for an attack, you have to detect it. This, the second phase in the NIST guidebook, is perhaps the trickiest. Financial services institutions can't contain and eradicate an attack unless they know it has happened, yet data thieves are adept at hiding in corporate networks while they steal as much as possible.
Having proper visibility into your IT infrastructure is important so that IT staff can spot suspicious computing events that could indicate compromise. However, simple logging isn't enough; IT pros should set alerts that automatically flag events that need attention, because a log nobody reads detects nothing.
3. Eradicating the threat
Discovering the breach is only half the battle. IT staff must work on containing the danger by determining how far attackers have gone. Hackers who gain access to internal networks will typically move laterally through them, gaining access to new systems as they encounter them.
In this, the third phase of NIST's incident response process, security experts must treat them like a cancer, finding out how far they have spread before protecting untouched systems and then removing the attackers from the network.
Containment strategies are based on the kind of incident you're dealing with, according to NIST's guidebook. Dealing with a denial of service attack on your systems requires a different containment strategy than an email-based malware attack or a social engineering attack would.
Truly prepared companies will have a separate strategy for each of a set of scenarios they have analyzed in advance, NIST's guidebook adds. This, in turn, requires a degree of threat intelligence. Understanding the kinds of attackers who threaten financial companies that fit your profile, along with their favoured attack techniques, will help you be better prepared.
4. After the storm
The smartest incident response teams won't stop once an attack has been contained and the attacker's malware scraped from their system. Instead, they'll make an extra effort to learn from what happened. This is the fourth and final phase of NIST's guidelines, and it separates a mature cybersecurity operation from a reactive, ad hoc one.
If someone finds a weakness in your company and exploits it, then the truly savvy incident response team will not only plug that hole, but look for similar ones while also documenting the attacker's technique and watching for it in the future. They'll identify the most likely threats, based on attacker profiles and previous techniques, and configure systems to watch for them.
"Let's take the top 10 events and incidents that we're going to find in the course of a year," Parent says. "Let's tweak our expert systems and our intrusion detection systems to ferret these out."
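Here is an added example (not from the article, NIST or C3SA) of the kind of automated alert described in the detection step and in Parent's remark above: a rule that reads login-log lines and flags an account that fans out to many hosts in a short window, the lateral movement pattern the article mentions. The log format, the constructed sample lines, and the threshold and window values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). "svc-backup" fans out to four
# hosts in four minutes; "bob" also touches four hosts, but hours apart.
SAMPLE_LOG = """\
2024-03-01T09:00:12 LOGIN user=alice host=ws-12 src=10.0.1.5
2024-03-01T09:01:30 LOGIN user=bob host=ws-07 src=10.0.1.9
2024-03-01T09:02:05 LOGIN user=svc-backup host=fs-1 src=10.0.1.5
2024-03-01T09:03:41 LOGIN user=svc-backup host=db-2 src=10.0.1.5
2024-03-01T09:04:10 LOGIN user=svc-backup host=hr-app src=10.0.1.5
2024-03-01T09:05:55 LOGIN user=svc-backup host=dc-1 src=10.0.1.5
2024-03-01T10:15:00 LOGIN user=bob host=ws-08 src=10.0.1.9
2024-03-01T12:30:00 LOGIN user=bob host=ws-09 src=10.0.1.9
2024-03-01T15:45:00 LOGIN user=bob host=ws-10 src=10.0.1.9
"""

# Assumed line layout: ISO timestamp, event type, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return (timestamp, user, host) tuples; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["host"]))
    return events


def lateral_movement_alerts(events, max_hosts=3, window=timedelta(minutes=10)):
    """Flag accounts that log into more than max_hosts distinct hosts within
    any sliding window. Returns {user: sorted list of hosts touched}."""
    by_user = defaultdict(list)
    for ts, user, host in sorted(events):
        by_user[user].append((ts, host))
    alerts = {}
    for user, logins in by_user.items():
        for i, (start, _) in enumerate(logins):
            hosts = {h for t, h in logins[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[user] = sorted(hosts)
                break  # one alert per account is enough for triage
    return alerts


if __name__ == "__main__":
    for user, hosts in lateral_movement_alerts(parse(SAMPLE_LOG)).items():
        print(f"ALERT possible lateral movement: {user} -> {', '.join(hosts)}")
```

Tuning the window and host threshold to each environment's normal administrative activity is what keeps the rule from paging the team on routine work.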
Incident response isn't a static process that should be documented once and then left on a shelf. Preparation should evolve constantly based on the threats current at the time. That makes preparation a more time-consuming, thoughtful process. However, when that dreaded call comes, you'll be glad you put in the effort.