How to Properly Respond to a Cybersecurity Incident

March 22, 2017

Burlington Electric made headlines when The Washington Post reported that malware had compromised its systems and the Russians had hacked into the power grid. The incident as reported was false; it turns out that the utility had detected malware on a single laptop that was separate from its power systems and no breach had occurred. This “red herring” highlights misconceptions of what constitutes a cybersecurity incident.

The code presumably associated with the Russian hacking operation turned out to be nothing more than a "specific type of Internet traffic" - Fortune

And while the language used is of vital importance, another significant factor in any cybersecurity incident is knowing when to react and to what degree. Poor threat intelligence can be a costly distraction for security teams that are short on resources.

First, Learn When to React

Cybersecurity, like physical security, is the principle of setting up protections and reacting when those protections have been compromised or breached. The difference between physical and cyber security is that a physical security breach is easily detected, while cybersecurity breaches are much more subtle. The majority of cyber incidents take months to fully unravel and, even then, there is no certainty of fully understanding the entire kill chain. (The ‘kill chain’ refers to every step of an intrusion, from the reconnaissance to the execution of the malicious code). This complexity belies understanding the extent to which systems are compromised.

So when and how should organizations react?

There are three ways organizations can respond to a cybersecurity incident:

  1. Traditional Incident Response - Isolate, investigate, and remediate the incident. This response is appropriate for low to mid-severity breaches.
  2. Company-Level Response - For more severe incidents, notifications and policy changes need to be re-aligned to manage security risk. This response is appropriate for mid-to-high-severity breaches.
  3. Public Response - The organization releases information and a statement to disclose the breach, its impact on stakeholders, and its remediation. This response is appropriate for high-severity breaches with a material impact on the company, its customers, and partners/suppliers.

Second, Control the Crazy

During a cybersecurity incident response, the velocity of activity occurring will be crazy for a period of time. The amount of activity occurring in a compressed timeline makes the environment seem chaotic, at least from the outside. To mitigate this chaos, each incident response team should have well-defined standard operating procedures and know the notification chain.

Each incident should have a recognized incident lead. This does not mean each incident has a different incident lead, but someone who is responsible for the incident response cycle management. Normally most teams will have a leader who is in charge of the incident response environment, whether it is a shift leader or a designated manager to bear the burden. Incident responders live in an environment of constant incidents, each requiring a response. These front-line workers are very adept at time management but still require a supervisor to prioritize their efforts and remove any barriers.

The incident response supervisor, or leader, has the responsibility to notify internal stakeholders of any incident that attains a certain threshold. External notifications should be done in conjunction with legal counsel and public affairs personnel. Different industries have different reporting criteria for their organizations. This is the first method to identify your external reporting requirements. The next method involves the fiduciary responsibilities to your shareholders.

Third, Manage the Uncontrollable

As the Burlington Electric incident shows us, once information is provided to the public, things can spiral out of control. For organizations concerned with brand reputation and maintaining trust, public disclosures are the greatest concern for cybersecurity incidents. Once the information is made public, there is little that can be done to control the narrative.

The greatest challenge during a cybersecurity incident is to communicate what occurred (the incident) and also convey the proper context so that people can understand the impact. This challenge is compounded by a media environment that is eager to grab headlines and be the first to break the story; sometimes without checking their facts. Today, much of the media is motivated to capture attention rather than focus on reporting correct information.

“If you don't read the newspaper, you're uninformed. If you do read it, you're misinformed.” - Denzel Washington

How can organizations manage this situation?

The first step is to release information in an unambiguous way with press releases that provide more information than would normally be thought necessary. Specific details in a press release will help inform influencers (e.g., experts) who can amplify the message that things are under control. For Burlington Electric, the issue affected one laptop, did not compromise the security of the power grid, and was a “non-event”. When the false news broke, the utility company did an excellent job communicating the correct details and sets a good example for how to counteract misinformation.

Data breaches and compromises will only increase in the coming years. It's essential that companies follow the fundamental steps to prepare for cybersecurity success. Threat intelligence is a long con, requiring more planning and preparation to execute effectively. By having well-defined standard operating procedures in place, when cyber incidents do occur, your team can focus on controlling the chaos and maintaining the necessary notification chain. Learn more about threat intelligence applications here.

If you enjoyed this post, subscribe to our blog and follow @Idenhaus on Twitter.

Photo credit: Flickr

By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Contact us today!

More News