As a lawyer who is brought in on dozens of catastrophic cybersecurity incidents every year, I have a clear sense of what actually matters in a cybersecurity incident. In leading cyber incident response across industries, enterprise platforms, and threat vectors, I see the same themes appear regardless of the size of the organization. This is what I have learned:
1. The incident response plan is a valuable discussion point before the incident, but it is rarely consulted during one
An incident response plan is an important tool for shaping the organization's strategy before an incident occurs. Tabletop exercises, which walk through hypothetical breaches, help take the novelty out of dealing with a cyber disaster. But in a truly catastrophic cyber incident, I have never seen anyone consult the incident response plan. Sometimes that is simply because the plan, like the rest of the network, has been encrypted and locked up as part of the ransomware attack. More often it is just the nature of an emergency: there is no time to review plans or convene a so-called response team.
My advice is to make sure that, whatever incident response plan you have, your organization knows whom it will call first in an incident. An incident response plan should reflect your organization's reality, not wishful thinking. Do you have a hands-on CEO? Then the plan needs to reflect that she will be part of the incident response team, because a hands-on CEO is not going to step back when her organization faces an existential threat.
Most importantly, make sure the team knows that the chain of command changes during an incident, and knows to follow the new one. Legal counsel directs and guides the organization through the gray, pre-liability space in the room. If anyone other than in-house or outside counsel leads the incident response, the entire investigation may lose privilege and be exposed in later litigation, because attorney-client privilege is the only real means of keeping an incident confidential. That said, a senior technical consultant usually needs to lead the technical investigation: having Luddite lawyers try to work out on the spot what acronyms like SIEM or VM mean is not conducive to a fast response.
2. The logs are never where they need to be
In a cyber incident, the first thing I say is to ask whether there are any logs. This is not idle curiosity. I learned the hard way that unless log preservation is the main focus of the first few minutes of an incident, those logs may be lost: many devices keep only a short rolling window of local logs, and a host that is wiped and reimaged before its logs and disk are captured takes its evidence with it.
Not only that, but the decision to cut a log aggregator from the budget usually leads to big trouble when an incident occurs. Why? Because as a lawyer, I rely on technical forensics experts to use the logs to determine where the threat actor has been and where they may have obtained personally identifiable information for sale on the dark web or for other malicious purposes.
3. Network maps and IT asset inventories can make or break the recovery
An up-to-date network map and IT asset inventory are among the most critical pieces of information in a ransomware response. During an incident, your organization is inviting in strangers in the form of forensic teams, and sometimes law enforcement. These experts are trying to respond to your incident quickly, to "clear" the crime scene and make sure it is safe to remediate and come back online. If you have a complex IT environment across multiple locations, it is essential that they can immediately understand the lay of the land. Knowing where the threat may be and what needs to be restored comes down to knowing which assets are in play at any given moment.
In the calm before the incident, focus on what matters most: (1) develop up-to-date network maps and asset inventories; (2) develop a logging strategy that can capture lateral movement through the environment; and (3) worry less about the incident response plan and more about having a team that understands the chain of command.
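As an added example (not code from the original article or its author), the script below shows what point 2 above, "a logging strategy that can capture lateral movement," has to deliver in practice, and why the logs discussed in section 2 matter to the forensic team. It reconstructs an attacker's hop-by-hop path from logon records and then shows that the same records with one field missing cannot be stitched together at all. Every hostname, IP address, account name and event in it is constructed for illustration; the field names mimic what a SIEM keeps from a Windows Security Event ID 4624 (successful logon) but are an assumption, not any product's schema.

```python
"""
Added example: reconstruct a lateral-movement chain from logon events.

The records below are constructed, not real telemetry. They mimic the fields a
SIEM keeps from Windows Security Event ID 4624 (successful logon): the host that
recorded the event, the account, the logon type (3 = network, e.g. SMB/WMI;
10 = RemoteInteractive, i.e. RDP), the source IP, and a timestamp.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: the attacker lands on WS-17, hops to FS-01 over the
# network with a stolen service account, then RDPs from FS-01 to DC-01.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:14:05", "host": "WS-17", "account": "jsmith", "logon_type": 2, "src_ip": "127.0.0.1"},
    {"ts": "2024-03-01T02:31:40", "host": "FS-01", "account": "svc_backup", "logon_type": 3, "src_ip": "10.1.5.17"},
    {"ts": "2024-03-01T02:52:11", "host": "DC-01", "account": "svc_backup", "logon_type": 10, "src_ip": "10.1.5.201"},
    {"ts": "2024-03-01T08:00:00", "host": "FS-01", "account": "backupjob", "logon_type": 5, "src_ip": "-"},
]

# Constructed asset inventory (IP -> hostname). This is the "IT asset inventory"
# of section 3: without it a hop is only an IP address, not a named machine.
IP_TO_HOST = {"10.1.5.17": "WS-17", "10.1.5.201": "FS-01", "10.1.5.10": "DC-01"}

# Logon types that mean "this session came in from another machine".
REMOTE_LOGON_TYPES = {3, 10}


def remote_logons(events, inventory=IP_TO_HOST):
    """Return (hops, unattributable).

    hops: (timestamp, src_host, dst_host, account) for every logon that came in
    from another machine. unattributable: remote logons whose source could not be
    tied to a host, because the source IP was never logged or is not in the inventory.
    """
    hops, unattributable = [], []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("logon_type") not in REMOTE_LOGON_TYPES:
            continue
        src = inventory.get(e.get("src_ip", ""))
        if src is None:
            unattributable.append(e)
            continue
        hops.append((datetime.fromisoformat(e["ts"]), src, e["host"], e["account"]))
    return hops, unattributable


def movement_paths(events, start_host, inventory=IP_TO_HOST):
    """Follow hops outward from start_host in time order.

    Returns a list of paths; each path is a list of (host, account_used_to_reach_it),
    with account None for the starting host. A hop is only followed if it happened
    no earlier than the hop that reached its source host, so stale logons are ignored.
    """
    hops, _ = remote_logons(events, inventory)
    edges = defaultdict(list)
    for ts, src, dst, acct in hops:
        edges[src].append((ts, dst, acct))
    paths = []

    def walk(host, path, since):
        extended = False
        for ts, dst, acct in edges.get(host, []):
            if ts >= since and dst not in {h for h, _ in path}:
                extended = True
                walk(dst, path + [(dst, acct)], ts)
        if not extended:
            paths.append(path)

    walk(start_host, [(start_host, None)], datetime.min)
    return paths


def hosts_to_scope(events, start_host, inventory=IP_TO_HOST):
    """Every host the reconstructed paths touch: the forensic team's starting scope."""
    return sorted({h for path in movement_paths(events, start_host, inventory) for h, _ in path})


if __name__ == "__main__":
    for path in movement_paths(SAMPLE_EVENTS, "WS-17"):
        print(" -> ".join(f"{h} ({a})" if a else h for h, a in path))
    # The same events with the source-IP field dropped: the chain cannot be rebuilt.
    stripped = [{k: v for k, v in e.items() if k != "src_ip"} for e in SAMPLE_EVENTS]
    hops, lost = remote_logons(stripped)
    print(f"with src_ip dropped: {len(hops)} attributable hops, {len(lost)} unattributable")
```

The point of the second run is the practical check: a logging strategy "captures lateral movement" only if every remote logon record keeps the source address, the account, a trustworthy timestamp and the destination host, and only if an inventory exists to turn that address into a machine name. Drop any one of those, whether through a cut aggregator, short local retention, or a reimaged host, and the forensic team is left with isolated logons it cannot connect.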
Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the boardroom. As chair of Woods Rogers' Cybersecurity and Data Privacy Practice, she advises clients on cybersecurity and data privacy issues. In this capacity, she…