Introduction
In February, I gave a talk entitled “Lessons Learned from Breach Response” at the SoCal ISACA Chapter meeting. During the talk, I shared practical and field-tested advice on building an effective breach response program and discussed the top ten challenges I regularly encounter during large-scale breach investigations.
In this blog post, I briefly discuss those challenges and provide guidance on how to address them. The list outlined below is by no means comprehensive. However, addressing the issues can significantly enhance an organization’s preparedness for cyber breaches.
Top 10 Breach Response Challenges
Challenge 1: An organization has no incident response plan
This gap leads to ad-hoc, chaotic, and disjointed decision-making, and generally a reactive approach during a breach response. Furthermore, organizations find it challenging to determine the impact and response urgency and allocate the necessary resources to respond to a breach effectively. Also, a lack of planning often leads to poor communication among stakeholders, engaging in blame, and making fear-based decisions.
Solution:
Enact an incident response policy and create an enterprise cybersecurity incident response plan (CSIRP).
Enact a cross-functional incident response team and assign the team full responsibility and authority to respond to breaches on behalf of the organization.
Document roles and responsibilities.
Document a communication plan and build alliances with stakeholders across the organization.
Challenge 2: An organization has no audit and log retention policy
Tracking malicious actor activity and reconstructing a timeline of events is extremely difficult without appropriate logging and a log retention policy. This gap also makes it challenging to make evidence-based decisions regarding containment and eradication.
Solution:
Develop an audit logging policy.
Develop and enforce platform-specific logging requirements based on the policy.
Deploy a centralized log store for log retention and querying.
Ask security personnel what audit logs they need to investigate incidents effectively.
Regularly audit policy compliance.
Challenge 3: An organization has poor asset management practices
This deficiency makes it difficult to map investigative findings to assets, establish breach scope, and inform containment and eradication. Moreover, poor asset management makes it challenging to identify system dependencies and map assets to business functions. As a result, remediation efforts often impact business operations.
Solution:
Deploy passive and active asset discovery tools.
Include asset management in the system development life cycle and assign ownership to the process.
Ensure an accurate, complete, and up to date repository of hardware, applications, and end-user computing devices.
Track configuration management information.
Maintain a repository of systems and applications that store and process confidential data.
Map dependencies for critical systems and applications.
Map systems and applications to business functions or business processes.
Challenge 4: Senior management perceives breach response as a tactical function
A lack of a cross-functional and integrated approach to breach response leads to business, security, and technology functions operating in silos. Moreover, a technical investigation is misaligned with business objectives, such as providing evidence to inform regulatory reporting requirements. This misalignment also causes the business to make decisions regarding business-level response based on assumptions and perceptions.
Solution:
Enact an incident response policy and create an enterprise cybersecurity incident response plan.
Enact a cross-functional incident response team and assign the team full responsibility and authority to respond to breaches on behalf of the organization.
Document roles and responsibilities.
Document a communication plan and build alliances with stakeholders across the organization.
Challenge 5: An organization manages breach response through an IT incident management process
An IT incident management process focuses on restoring system availability, leaving out the confidentiality and integrity aspects of cybersecurity. This leads to IT driving response priorities instead of focusing on data privacy, reputational, and financial impact resulting from a cyber breach. Another major drawback of this approach is that prioritizing containment and recovery often leads to the destruction of forensic data.
Solution:
Develop informational and operational impact criteria for scoring the impact of a cybersecurity incident.
Establish response urgency criteria based on cyberattack lifecycle stages.
Create a security-specific incident classification taxonomy.
Create a data acquisition and preservation protocol.
Develop incident-specific procedures.
Challenge 6: A lack of continuous improvement process
An organization does not remediate the weaknesses exploited by a malicious actor, such as poor access control practices, lack of visibility into security events, or immature vulnerability management. Consequently, it is a matter of time before another breach occurs. Moreover, it is challenging to implement lessons learned and improve response capabilities without a continuous improvement process.
Solution:
Establish a requirement for lessons learned as part of an incident response policy.
After lessons learned, perform business review of action items.
Regularly identify small incremental improvements and implement them as part of day-to-day operations.
Banish blame and encourage open and transparent communication and constructive feedback.
Challenge 7: An organization attempts to address a breach without external support
When an immature incident response team attempts to address a breach without external expertise, this leads to several issues. These include the destruction of forensic data through premature containment, poor tracking of investigative information, alerting the malicious actor, or a lack of consideration for an intelligence-driven response, among other issues.
Solution:
Know internal limitations and establish criteria for engaging an external firm.
Consult your cyber insurance vendor regarding preferred Digital Forensics and Incident Response (DFIR) firms.
Build a relationship with a DFIR partner.
Engage a Crisis Management team.
Hire an external Public Relations (PR) firm.
Challenge 8: An organization prematurely concludes an investigation
Prematurely concluding an investigation often leads to ineffective containment and eradication. In the case of a sophisticated threat actor, it is just a matter of time before the actor comes back by exploiting weaknesses that have not been remediated. This challenge may also lead to insufficient evidence-based information to inform regulatory and stakeholder notifications.
Solution:
Establish objectives for an investigation.
Partner with a reputable incident response firm.
Collect forensic data at scale and enrich findings with threat intelligence.
Pivot on investigative findings and monitor for indicators of compromise (IOC).
Rinse and repeat until diminishing returns.
Challenge 9: An incident response team inadvertently destroys forensic data
This challenge is often closely related to Challenge No. 5. Some organizations re-image or rebuild impacted systems without forensic considerations. Destroying forensic data through inappropriate containment makes it challenging to establish the scope and root cause of an incident.
Solution:
Establish a data acquisition and preservation protocol for forensic and live response acquisition.
Educate IT personnel and the Help Desk on handling compromised assets.
Aggregate audit logs in a centralized store.
Document a chain of custody.
Challenge 10: An incident response team relies on network telemetry to determine the breach scope
Host forensic data is the primary source of evidence during breach investigations. Network telemetry often provides context and ancillary information but is insufficient by itself to establish information such as what data a threat actor accessed. Moreover, threat actors often encrypt their payloads, and organizations have limited visibility into data flows on their internal network segments.
Solution:
Collect detailed endpoint telemetry and enrich it with threat intelligence.
Block known IOCs and behavioral characteristics associated with a threat actor.
Correlate endpoint and network telemetry.
Leverage Endpoint Detect and Response (EDR) features to isolate impacted assets.
Summary
In my consulting engagements, I observed that many organizations are insufficiently prepared for breach response. This blog post outlined some of the common breach response challenges I have encountered. Addressing those challenges requires a comprehensive, unified, and cross-functional approach to breach response.
I have also provided fundamental considerations to effectively prepare for breaches and ensure that response is aligned with business objectives. In my book entitled “Cyber Breach Response That Actually Works,” I provide practical and field-tested guidance on building breach response capabilities.