Cyber-Response Program: The First 48 Hours…Are You Ready?

Over the last year, cybersecurity responsibilities have been avoided, diverted, and passed off to other departments within an organization. Some business managers, directors and even executives may have denied that a hack has even occurred, perhaps because of a lack of awareness. There have also been squabbles that there is no culpability by their respective departments to “worry” about the intrusion. They claim it to be an information technology (IT) problem and that those individuals in IT should be accountable for resolving the issues.

When we look back over the course of even five years, the most non-analytical person can derive that there are multiple facets of a cyber-attack. They will not only impact the company, but also the individual departments that may have originally tried to evade responsibility to help with remediation. If you have not considered a Cyber-Response Program (CRP), then perhaps it is time to evaluate your risk.

The First 48 Hours

When a cyber intrusion occurs, eyes immediately fall upon the technologists in the company. Correct, they are the front line of defense and are charged with the security of their environments — but what about day two, day seven, or day 20? The first 48 hours are the most critical for a response initiative by your organization. Does it just stop there with IT? Many have said, “Yes.” But the risk mitigation spans the company, and the sole owner of an attack should not rest on the shoulders of only your IT department. That is right tech folks, take a brief sigh of relief; but just a little one, you still play a critical role.

Who do we engage?

The intrusion has occurred. What now? Who takes the lead? Outside of the IT groups, most organizations have areas for risk operations. They may be responsible for compliance, physical security, possibly audit and very likely anti-money laundering (AML) and fraud investigations. Clearly, not a complete list and depending upon the structure of your organization, they may not all fall under your risk department. But with experience and access to information, there are key resources to help a company quickly resolve and respond to a cyber-attack.

A word that has become more frequently used these days is, “collaboration.” The first days of breaking down the internal silos of politically charged departments likely came about because of compliance for AML programs. These programs led to collaborative efforts in order to hook as much information as possible into one group, so that a proper determination could be made on the identification and reporting of a suspicious activity. As organizations evolved and more stringent requirements were put into place by regulating agencies, AML and fraud departments began sharing data collected during their investigations. As a result, more walls began breaking down when AML and fraud departments began sharing data collected during investigations. Internal and external examination efforts ultimately ensured that both areas of investigation were covering the gaps across the company to mitigate the risk that one group may be reporting on a customer while the other simply closed the case. This level of collaboration between departments brought alignment to the teams and shared knowledge, as well as to confirm that the findings by either investigation were in sync and a proper disposition was achieved for the company at large.

Heads of risk, IT and any other department deemed reasonable to participate, should form a cooperative task force to immediately respond to the threat. Keep in mind: Form this task force prior to an event occurring; they should be on standby for an attack. At the center of this team are your technical resources. IT confirms the intrusion has occurred. They secure the systems to ensure no further information is immediately being captured by the hacker. IT identifies the how, what, and when. How did the environments become compromised? What data has been exposed? When did the attacker first enter the system to the point where information was stopped from leaving the database? Clearly, there are a multitude of duties, but for the purposes of this article, let us keep it refined to CRP 101.

Assemble the Cavalry

Knights of the roundtable should be convened with all parties, such as, and certainly not limited to, marketing, physical security, investigation unit(s), IT and even audit. The data from day one should be shared and discussed. Each team member will be responsible for their areas of expertise to ensure all information is shared and that they will be the authority representing their department while working with the task force.

Marketing will handle the press and the reputation of the organization. The worst case scenario a company can do is fail to report or attempt to hide that a data breach has occurred. As previously stated, the primary purpose of the CRP initiative is to ensure knowledge transfer and to develop a plan of action based on the events of the attack. A campaign may need to be developed for later use as the examination moves forward. Best case scenario: No data was taken and you were able to stop the attack prior to loss. Use that to your benefit by proudly announcing that a significant attempt was made and you stopped the intruder and saved your customers from being another statistic. Regardless, there should be preparation to ensure a strong message is ready to deliver, if needed.

Physical security/internal investigations should be a part of your process as well. As the examination continues, physical security/internal investigations should ask themselves the following questions: Was there someone onsite that helped with the attack? Has there been a breach of the perimeter that may have been caught on camera that was not seen or alerted? Are there gaps that can be identified and filled to prevent further intrusion? Were there new employees with access to the affected systems that may have had the opportunity to place the malware?

Engage your team of investigators and let them do what they do best — collect and correlate all of the evidence that is gathered by the task force. Investigation unit(s) start assessing the data and information that was stolen. They compile the case and begin building an investigation around the entire event. Your existing case management system is a collective tool for your task force, whereby, everyone can share their information and keep it stored in one location. If necessary, they work with law enforcement and retain the proper information and evidence needed to further the cause of identifying the suspects. Is there something relevant about the data stolen? How may the attacker intend to use the data taken from the organization? A dossier of the attack will be critical to have a clean, concise perspective of the event and activity documented from the other team members. When you present to any agencies moving forward, you must present a united front. Your reputation and revenue is at stake.

In the event of an attack, why would you want internal audit to participate? Because they are your front line of defense when it comes to your regulators and most of them can squeeze blood from that stone; it is their job. They will be examining information and providing relevant information to agencies involved to ensure there are controls in place and action plans are in effect. This will be a very sensitive subject and timing will be critical. Disseminating the proper information at the appropriate time will make or break the outcome of an external examination. You need their support and you need to leverage their capabilities to demonstrate the organization has the expertise in place to rectify the issue and remain reputable rather than seemingly incompetent.

IT is a given when it comes to a cyber-intrusion. They will be searching for every hole and every entry point to not only prevent further intrusion, but to also build barriers for future intruders to run up against. Hackers have a community — make no mistake — once it is figured out that there is one vulnerability, then they will find several more of which to take advantage. IT needs to be one step ahead if not several; they should be identifying exposed points of entry before someone else does. Take your most experienced internal persons and attempt a simulated attack; use the resources you have to fight back and protect yourselves. It is a game of chess for these attackers, just make sure you win.

There are many other facets based on the size, complexity and the type of industry that impact the involvement of departments and team members. The ones identified above are merely an example of who your core contributors may be. An evaluation should be performed to identify those resources and construct a CRP prior to an incident. You do not need to hire expensive resources when you have well-equipped departments and individuals internally. You may just need an individual to take lead and build the teams needed to come together in the event of an attack.

Connect and Communicate

Regroup, communicate and absorb. What have the other teams found and how does that connect with information that another team member has found through the examination? Has there been any media exposure and are statements being prepared in case there needs to be an announcement? Has physical security/internal investigations identified any suspects? There are going to be numerous questions that are going to be raised and each team member needs to be aware of the answer.

A CRP is going to be a new initiative that will streamline and save the organization revenue and reputational damage if managed appropriately. Clearly, this is the Cliffs Notes version; as there is a greater amount of detail behind each step that needs to be taken. You cannot escape a cyber-intrusion and brush it off to IT. It takes a village to fight back against an attack. If you have not considered a CRP, then it is time to start mitigating the risk to your organization by looking at your company’s infrastructure and identifying the quality of resources you have in-house that are ready to respond.

Cameron T. Jones, CAMS, director, SAS Security Intelligence, Chicago, IL, USA, cameron.jones@sas.com