5 Ways Bad Incident Response Plans Can Help Threat Actors
While incident response plans are essential for businesses, sometimes they fail and hamper organizations instead of helping.
Real attack scenarios were discussed at an RSA Conference 2021 session on Monday, where the focus was on mistakes made while executing the plan amid the chaos. James Christiansen, Vice President and CSO at Netskope, and David Estlick, CISO at Chipotle Mexican Grill, shared personal stories of incident response (IR) situations they have lived through. Most importantly, they shared how those experiences revealed what not to do. Lessons learned included keeping the inner circle small during a breach response to prevent information leaks, keeping more than one IR firm on retainer, and having cryptocurrency available in the event of a ransomware attack.
The session highlighted five main issues that end up helping the attacker rather than the victim.
The first is not knowing what normal activity looks like in your own infrastructure. Estlick walked through a real-world scenario that he called “too common in today’s world”: an organization receives reports of inoperative systems, followed by a ransom note. The problem compounds when the affected systems are taken offline, the IR team cannot get into them, and the ransom demand keeps climbing.
“We’ve seen this a lot in the news lately,” Estlick said during the session.
The solution, according to Estlick, is tabletop IR planning, a clear inventory of assets, and a tested backup plan that allows recovery if the management team decides not to pay the ransom. He stressed the importance of walking through the scenario with the management team in advance, so that whether the organization will pay a ransom is settled before the incident, not during it.
Estlick also recommended tabletop exercises in which the ransom demand is relatively small compared to the impact on the business, so that the management team has to have a meaningful conversation about whether to pay, rather than simply rejecting a multi-million-dollar ransom that could not be paid anyway.
“And if you pay the ransom, there are things in the works – do you have a Coinbase account? Have you acquired cryptocurrency? These are all things you don’t want to do in a crisis,” he said during the session.
Another challenge is deciding whether an incident merits investigation. Estlick said IR teams are often virtual and do not have time to chase down everything that lands on their desk, so prioritization is crucial.
“Likewise, if they stop all alerts and alarms and you have a high degree of false positives in the system, it can lead to complacency,” he said. “Make sure you have excess capacity for burst needs.”
Estlick and Christiansen both said they kept more than one IR firm on retainer, because incidents tend to come in clusters. “When it’s going to hit, it’s going to hit hard, and there’s no way to recruit staff for this type of event. They should know your operating systems and network ahead of time,” Christiansen said during the session.
The second problem is not having all of your IR ducks in a row. Estlick highlighted another common problem: password security. If there is evidence that administrator-level passwords have been compromised, and the same administrator password is in use on many critical systems, the team must be prepared to change every administrator password at any hour, and must know in advance which systems share that password.
Estlick shared an anecdote of an incident at a former employer where he had to reset all credentials at 3 a.m., after several days of an ongoing incident. After getting home for a few hours of sleep, he returned to the office expecting the worst working day of his career. However, he was pleasantly surprised.
“I didn’t bring anyone into my office to say, ‘What did you do and why did you do this?’ The management team was aware that the scenario was a possibility and in fact shielded me from organizational pushback,” he said. “Instead, it was, if security deemed it necessary, then there is a reason for it. It was all the result of relationships and hard work prior to the incident.”
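The reset described above only works if the team already knows which hosts share an administrator password, so that evidence of one captured credential can be turned into the full list of systems to rotate. The following is an added example for this article, not code from the session or from either speaker; the hostnames and credential fingerprints are constructed, and the fingerprint field is a stand-in for whatever your inventory tooling can give you to compare credentials across hosts without handling plaintext (for Windows local accounts, the NT hash).

```python
"""Turn evidence of one compromised admin password into the full list of
hosts whose administrator credential must be rotated.

Added example; not the speakers' code. Inventory below is constructed.
Two hosts carrying the same credential fingerprint share one password.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[str, str, str]  # (hostname, admin account, credential fingerprint)

# Constructed inventory: hypothetical hosts and fingerprints.
INVENTORY: List[Record] = [
    ("dc01",     "Administrator", "f1a2c3"),
    ("web01",    "Administrator", "7c9e00"),
    ("web02",    "Administrator", "7c9e00"),
    ("db01",     "Administrator", "7c9e00"),
    ("jump01",   "Administrator", "3b44d1"),
    ("hr-app01", "svc_admin",     "3b44d1"),
]


def hosts_by_fingerprint(inventory: Iterable[Record]) -> Dict[str, Set[str]]:
    """Group hostnames by the fingerprint of their admin credential."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for host, _account, fingerprint in inventory:
        groups[fingerprint].add(host)
    return dict(groups)


def shared_credentials(inventory: Iterable[Record]) -> Dict[str, List[str]]:
    """Fingerprints used on more than one host. Each entry is a single
    password whose compromise anywhere exposes every host listed."""
    return {
        fingerprint: sorted(hosts)
        for fingerprint, hosts in hosts_by_fingerprint(inventory).items()
        if len(hosts) > 1
    }


def rotation_set(inventory: Iterable[Record], compromised_hosts: Set[str]) -> Set[str]:
    """Hosts whose admin password must be reset, given evidence that the
    admin credential on `compromised_hosts` was captured. Any host sharing
    a fingerprint with a compromised host is included even if nothing
    suspicious has been seen there yet: the attacker already holds its password."""
    records = list(inventory)
    groups = hosts_by_fingerprint(records)
    exposed = {fp for host, _account, fp in records if host in compromised_hosts}
    to_rotate: Set[str] = set(compromised_hosts)
    for fingerprint in exposed:
        to_rotate |= groups[fingerprint]
    return to_rotate


if __name__ == "__main__":
    print("Shared admin credentials:", shared_credentials(INVENTORY))
    # Evidence: the attacker dumped credentials on web01.
    print("Rotate on:", sorted(rotation_set(INVENTORY, {"web01"})))
```

Run before the incident, `shared_credentials` is the "ducks in a row" check: every group it returns is a single password reused across hosts, and the reset plan for each group should exist before anyone is paged at 3 a.m.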
The third issue raised in the session was running out of energy before the adversary does. As Estlick’s anecdote showed, incident response teams can be up at any hour of the night. On top of that, the timelines for service restoration and full recovery are unknown at the outset; responding to an attack can take hours, days, or weeks.
Christiansen shared a painful experience in which a member of his staff was injured on the way home after falling asleep at the wheel. “You learn through experience, and by making sure you insist on rest,” he said during the session. “The key people will want to stay – they are running on adrenaline.”
Estlick said he saw past examples where critical items like log data were changed or deleted because team members were simply exhausted and made mistakes.
The fourth issue they highlighted was underestimating how hard it is to fully evict an active intruder. Problems arise in particular when attackers compromise cloud services and the IR team has no experience with those platforms. It is therefore important to train IR teams on the technologies actually in use, or to have that expertise available in-house.
On the last issue, which speakers called “managing,” Christiansen said executive communication was essential. “The reality is, if you do a breach analysis, you’re going to deliver a lot of bad news. It will be a flood of bad news, so prepare the management team for that.”
Additionally, Christiansen said it was important to show the situation was under control.
Another crucial part of the response is how the IR team is formed. Christiansen said it should be made up of the key stakeholders: legal, public relations, the security team, the IT group, and customer service, who will be part of the notification at the end.
“Equally important is knowing what their role is not – who will not speak to the press, who will speak to management and internal staff, members of the board of directors – this is an important key element,” he said. “Putting everyone under attorney-client [privilege] is a way to minimize the impact and prevent misinformation reaching the public, as it can have a huge impact on your brand image.”
In that regard, Estlick said it is important to keep the team as tight as possible; if the incident becomes a large-scale public event, the wider group can be brought in then. “There is a lot of pressure from people who want to be in the know, but really ask yourself who is essential to be on this team.”