The Human-Centric Approach to Cyber Incident Management & Response
We all know that the occurrence of cyber incidents has become increasingly common. It is often said that it is no longer a question of if an organisation will experience a cyber attack, but rather when. The accuracy of that statement is perhaps debatable but what is true is the potential damage caused by a cyber incident can be catastrophic, ranging from loss of sensitive data to financial losses and reputational damage.
The traditional way to try to mitigate the impact of a cyber incident has been for organisations to develop incident response plans (IRPs). These plans, however, are rarely seen as a crucial part of an organisation’s cybersecurity strategy; they are more often than not developed as an afterthought and on a ‘what do we do if our security strategy fails’ basis.
But, isn’t that the wrong way around? Is trying to secure against every eventuality and then having a vague, poorly constructed failure strategy really the best approach? After all, if there were no threats, no malware, no bad people trying to unlawfully access your network and steal your data your organisation wouldn’t need a cyber security strategy at all. Would it?
We define cyber incident management as the overarching process of planning, organising, and coordinating resources to prevent, detect, and respond to cyber incidents. It involves establishing policies, procedures, and protocols to ensure a proactive and holistic approach to cyber risk management.
In other words, it means understanding where your business is most likely to suffer a successful attack and adjusting your cyber security strategy to mitigate those threats as far as possible; or seeing incidents as they develop and responding to them in time to stop them, or to drastically reduce their impact on the business.
It is important to recognise that relying solely on IRPs during or after a cyber attack is no longer sufficient. In this post, we will delve into the reasons why proactive cyber incident management and response should be led by people, emphasising the importance of human expertise, flexibility, communication, and speed.
Organisations that create incident management teams from all parts of the business, and third party specialist support teams that regularly meet to discuss the ‘what ifs’ will become more resistant to attacks and more able to efficiently respond to attacks that do occasionally breach the defences. Once up to speed, such teams are able to develop much more effective incident playbooks to deal with those situations when they arise. The development of those playbooks should then drive changes to cyber security strategies in order to more effectively address the risk of successful attacks.
The Power of Human Expertise
Cyber incidents are complex and demand a high level of both business management and technical expertise to effectively resolve them. Whilst incident response plans provide a framework for responding to a cyber attack, they do not possess the human expertise required to handle complex and intricate situations. Human expertise is vital in identifying the root cause of an incident, understanding the impact of the attack, and taking the necessary steps to prevent future incidents.
Teams that are able to identify and understand ahead of time where those potential root causes may lie, and what their potential impact would be, will always perform better during an actual attack than a business that relies upon a single point of reference (the IRP) that has sat untouched and gathering dust for the last few years.
The threat landscape moves at pace and changes regularly. People will recognise that and react accordingly. Static documents do not.
Consider a scenario where a user reports that they received a PDF attachment via email from a third-party supplier that they regularly deal with. When they attempted to open the PDF file they received an error stating the file was corrupted and could not be opened. The user contacted the supplier to ask that the file be sent again, and the supplier stated they had not sent the email in question.
Would that scenario trigger an incident response in your organisation? Who would be accountable for recognising that situation as a potential threat, and who do they then escalate it to? How quickly would this happen? What are the steps you would take as an organisation to investigate this potential incident? There are many more questions that should be asked and answered in this type of event.
In reality the attempt to open the PDF file dropped a trojan onto the user’s laptop, which marked the start of a ransomware attack. Over the course of the next nineteen days the attackers stole hundreds of gigabytes of data from the victim network and then launched an encryption event that crippled the company for an extended period of time. A ransom demand in the sum of two million US Dollars was then received.
IRPs may provide post-attack guidance on how to deal with that incident, but they won’t address the fact that there were nineteen days of attacker activity that could (and should) have been detected and dealt with before the crippling encryption event occurred.
Food for thought? It should be.
Whilst IRPs can offer a structured and systematic approach, cyber incidents often deviate from predictable patterns. Each attack is unique, demanding adaptability and flexibility in response. The ability to assess and adjust strategies on the fly is crucial to minimising the impact of the attack. Whilst IRPs provide valuable guidelines, they may not cover every possible scenario.
In a recent incident, we encountered a situation where the attacking ransomware group had made a mistake and attributed stolen data to the wrong organisation. Samples of stolen data were posted to the ransomware group’s leak site after a twenty-four-hour warning about the posting had been made to our client. On analysing the posted data it became obvious that the data did not belong to our client and was actually data from a company with a very similar domain name. Our client was nonetheless obligated to conduct a full incident response and forensic investigation in order to prove to certain regulatory bodies and media agencies that they had not in fact been breached. The cost and disruption to the business was significant.
This experience serves as a powerful reminder of the significance of flexibility in cyber incident management and response as there isn’t an IRP or playbook that could have foreseen that particular set of circumstances.
The Human Element in Communication
During a cyber attack, effective communication is paramount. Whilst incident response plans may outline communication protocols, they cannot replace the human element in communication. It is essential to promptly inform stakeholders about the incident’s impact and the steps being taken to address it. A personal touch in communication ensures transparency and instils confidence in all parties involved.
In this day and age, businesses that fall victim to a cyber attack are more often judged on the openness and transparency of their response than by the fact they have been breached. Discussing and agreeing disclosure and communication strategies ahead of time is therefore of paramount importance.
Questions should be asked of the business as to how well prepared it is to handle disclosures and communication during a critical incident.
Does your inside counsel or incumbent legal partner have the necessary experience and expertise to provide proper advice during a ransomware attack? Do they understand the need to operate under legal privilege and the benefits and safety net that can provide? Do they have the necessary experience to take down a rogue server in another country?
Does your internal or third-party marketing team properly understand the nuances and subtleties of effective PR during a critical incident? Can they quickly produce safe and effective disclosure statements to stakeholders and other interested parties? Do they have contacts and gravitas within the media community? Are they able to potentially stop or delay a media story?
Again, lots to think about and lots of decisions that will need to be made. Do you really want to add finding suitable legal and PR partners to your to-do list at the point of an incident, when that is the time you will need specialist support the most?
The Need for Speed
Cyber incidents can escalate rapidly, necessitating swift action to minimise the damage. Whilst incident response plans provide a framework for responding to an incident, they may not always cater to time-sensitive situations. Human expertise and judgement are crucial in determining the appropriate response to an incident and taking the necessary steps quickly.
It is important to define ahead of time who in the organisation can make those critical decisions and when they should make them. Sometimes, particularly in ransomware or destructive wiper attacks, extreme measures have to be considered, such as disconnecting the business from the internet to stop the spread of the encryption or wiping process. In most cases taking this sort of action will have a severe impact on the business’s ability to operate, or may even stop the business operating altogether; however, it may be an act of last resort that speeds up recovery from the incident.
As an IT manager or IT admin would you want to make that decision without knowing that the business will support you if you have to make that decision alone at 4am on a Sunday morning?
In a ransomware attack we dealt with some time ago, exactly that situation arose. The client was evaluating an EDR solution and had it rolled out to about a quarter of its very large network. In the very early hours of a Saturday morning the EDR solution started to alert on Volume Shadow Copy deletions and boot loader manipulation on a number of systems. At the time these were very good indicators that an encryption event had been launched and that the encryption of multiple systems would follow. Sure enough, within a short space of time digital ransom notes started to appear on systems that had data encrypted on them.
At that point the symptoms of the encryption attack could be seen, but the source of it was not readily obvious. The decision was made to close the firewalls, blocking all inbound and outbound traffic. This action stopped the spread of the encryption process and as a result just 3% of the network was encrypted, but the action did render the business almost completely non-operational. Following a concerted forensic investigation to identify and deal with the malicious files and processes, the business was able to start bringing systems back online on the Tuesday following the attack: a much faster recovery than if the encryption process had been left to run its course.
How did the business know that closing the firewalls may stop the spread of the encryption process? It was raised as a question, and an answer found during an incident management team meeting some months before the attack.
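The two indicators the EDR alerted on above (shadow copy deletion and boot loader manipulation) are exactly the kind of pre-encryption activity an incident management team can agree escalation criteria for in advance. The following is an added example, not code from the original post or from Affinitas Global: a small detection routine run over constructed, Sysmon-style process-creation events. The event format, host names, user names and the escalation thresholds are all assumptions made for the illustration. It flags the two indicator categories, ignores routine shadow copy listing and creation by backup software, and reports whether the pre-agreed containment decision-maker should be paged.

```python
"""Flag pre-encryption indicators in process-creation events and decide whether
to page the pre-agreed containment decision-maker.  Example code; the event
format and thresholds are assumptions, not a real EDR's output."""
import re
from collections import defaultdict

# Indicator categories named in the post, each with narrow command-line
# patterns.  Listing or creating shadow copies is routine backup activity and
# is deliberately not matched, so it will not wake anyone at 4am.
INDICATORS = {
    "shadow_copy_deletion": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    ],
    "boot_loader_manipulation": [
        re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
        re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    ],
}

# Constructed sample events (hypothetical hosts, users and timestamps).
SAMPLE_EVENTS = [
    r'ts=2023-06-10T02:14:07Z host=FIN-WS-017 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2023-06-10T02:14:09Z host=FIN-WS-017 user=CORP\jdoe image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"',
    r'ts=2023-06-10T02:14:10Z host=FIN-WS-017 user=CORP\jdoe image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    r'ts=2023-06-10T02:15:31Z host=HR-WS-004 user=CORP\asmith image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"',
    r'ts=2023-06-10T02:16:02Z host=BACKUP-01 user=CORP\svc_backup image="C:\Program Files\BackupSuite\agent.exe" cmd="vssadmin create shadow /for=D:"',
    r'ts=2023-06-10T02:17:45Z host=IT-WS-002 user=CORP\admin image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"',
    r'ts=2023-06-10T02:18:20Z host=HR-WS-004 user=CORP\asmith image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled no"',
]

# key=value pairs; values containing spaces are double-quoted.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value event line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def match_indicators(event):
    """Return the sorted indicator categories whose patterns match the command line."""
    cmd = event.get("cmd", "")
    return sorted(cat for cat, pats in INDICATORS.items() if any(p.search(cmd) for p in pats))


def assess(lines, host_threshold=2):
    """Summarise indicator hits per host and decide whether to escalate.

    Escalate when both categories appear on a single host (the classic
    pre-encryption sequence) or when shadow copy deletion is seen on at least
    `host_threshold` distinct hosts (spread already in progress).  The
    threshold is an assumption for the example, not a recommendation.
    """
    per_host = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        for cat in match_indicators(event):
            per_host[event["host"]].add(cat)

    reasons = []
    if any(len(cats) == len(INDICATORS) for cats in per_host.values()):
        reasons.append("both indicator categories seen on one host")
    deleting_hosts = sum("shadow_copy_deletion" in cats for cats in per_host.values())
    if deleting_hosts >= host_threshold:
        reasons.append(f"shadow copy deletion on {deleting_hosts} hosts")

    return {
        "hosts": {host: sorted(cats) for host, cats in sorted(per_host.items())},
        "escalate": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    for host, cats in result["hosts"].items():
        print(f"{host}: {', '.join(cats)}")
    print("ESCALATE" if result["escalate"] else "monitor", "-", "; ".join(result["reasons"]))
```

The point of the `reasons` list is that the page-out carries the agreed justification with it, so the person woken at 4am is making the decision the team already rehearsed rather than a fresh one. The benign backup and listing events on BACKUP-01 and IT-WS-002 produce no hits, which is what keeps a rule like this usable in practice.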
The Role of Leadership
In addition to technical expertise, effective cyber incident response requires strong leadership. Leaders must understand the intricacies of cyber threats and be able to make informed decisions under pressure. They must inspire and empower their teams to act decisively and collaboratively. Leadership plays a crucial role in setting the tone and creating a culture that prioritises cyber incident management and response.
It is crucial that leaders with the right qualities and experience are selected to act as Incident Manager for the business. If the right experience does not exist in the business then consider training someone who has the right qualities or retain the services of a competent and suitably experienced third party incident manager.
Strong leadership is instrumental in coordinating the efforts of an incident management and response team. The leader should set clear goals, provide guidance, and instil a sense of calm professionalism and confidence in the team. Their ability to make swift and well-informed decisions will be vital in mitigating the impact of an attack. The example given above regarding the closing of firewalls highlights the importance of leadership in driving effective cyber incident response.
Collaboration and Knowledge Sharing
Cyber incident response is a team effort that requires collaboration and knowledge sharing. Incident management and response teams must work together seamlessly, leveraging each other’s expertise and experience. Sharing lessons learned from previous incidents and staying updated on the latest threats and best practices is essential for continuous improvement.
Once an incident management team has been formed the organisation should facilitate regular knowledge sharing sessions where incident management and response team members discuss their experiences and share insights. This collaborative approach will significantly enhance your incident management and response capabilities and allow you to stay one step ahead of cyber threats. By fostering a culture of collaboration and knowledge sharing, organisations can strengthen their cyber incident management and response capabilities.
Whilst incident response plans are undeniably vital components of an organisation’s cybersecurity strategy, they should not be the sole focus during a cyber attack. I hope to have shed light on the immense value of a human-centric approach to cyber incident management and response. Human expertise, flexibility, communication, speed, leadership, collaboration, and knowledge sharing are all essential elements that complement and enhance the effectiveness of incident response planning, preparation and execution.
To effectively combat cyber threats, organisations must invest in developing their incident management response capabilities, nurturing human expertise, fostering a culture of flexibility and collaboration, promoting open communication, and empowering incident management and response teams to act decisively. By embracing a human-centric approach, organisations can better protect themselves, their data, and their stakeholders from the ever-evolving landscape of cyber threats.
Remember, when facing a cyber attack, it is the collective power of people that will make the difference.
This post was written by Stuart Bird, the founder and Managing Director of Affinitas Global and a seasoned cyber incident manager with over 20 years of experience in the DFIR field.