The Before, During, and After of Successful Enterprise Incident Response

The sophistication and frequency of cyberattacks are increasing every day. This year alone, major hotel chains MGM and Marriott suffered huge data breaches and dumps. Twitter’s highest profile accounts were compromised in a scheme involving classic social engineering and crypto payments. And Magellan Health, a Fortune 500 company, suffered a phishing-based ransomware attack.

When these events show up at your company (and that’s “when,” not “if”), how can you be sure you are responding to them in the best way possible to limit financial and reputational damage to your organization? Now, we’re starting to see wider adoption of Digital Intelligence (DI) tools by multinational companies, major government agencies and law enforcement who are looking to keep up in an always-evolving landscape. Digital Intelligence is defined as the data collected and preserved from digital sources and data types (smartphones, computers, and the Cloud) and the process by which agencies access, manage and obtain insights from this data to more efficiently run their investigations. Incident Response (IR) is a key component of any enterprise’s DI strategy, and often represents the “front line,” the first and best chance your organization will have in response to a potentially devastating event.

A simple framework for successful IR can be broken down into Before, During, and After incidents occur.

Before: Preparation is critical

Like most successful things in life, good IR starts with good planning. We break it down into four pillars: Detection and Reporting, Triage and Analysis, Containment and Neutralization, and Recovery. Your organization needs to have the tools and processes to manage each of these segments, and with even the basics in place you’re much more likely to identify an attack in its initial stages. If you can do that, you’re much more likely to succeed in thwarting threats in the long run.

The nitty-gritty of these four pillars — the tools themselves — can be developed in-house or with help, and the best approach is to ensure your organization has the answers to these pivotal questions along the way.

  • Detection and reporting: Is your organization confident it can detect significant anomalies in a timely fashion, and does it have clear and well-publicized processes for reporting them?
  • Triage and analysis: Can the organization move quickly and accurately to triage threats and respond appropriately, and does it have the tools to analyze and understand the root causes of the problems?
  • Containment and neutralization: Can the threat be properly and accurately contained without major disruption to systems? Can it be neutralized in a way that preserves as much information as possible for investigation?
  • Recovery and learning: In the event that damage has already been done, are there comprehensive contingency plans beyond just the technical safeguards, including immediate PR and future process directives?

During: Education, cultural factors, and good processes

Obviously, a malicious actor or hacker won’t be going through the front door or trying to take on the most secure part of the business first. In many cases, they’ll be looking to gain a foothold by targeting employees who might not consider themselves “targets” for cyberattacks (e.g. phishing and social engineering). Organizations need to do two important things:

  1. Educate employees. Enterprises need to educate all employees, regardless of position, about the common security risks they might face and how to begin to recognize something that seems “off.” In one case, a CFO received an urgent message from her CEO to wire a large sum of money for a soon-to-expire business opportunity overseas. Pressured to ensure a deal, the CFO wired the money only to find, of course, the CEO had never sent such an email and was being digitally impersonated. The CFO, and especially any C-suite member, should be fully aware of such tactics. However, we’d never consider this a personal failure, but rather a shortcoming in proper security education.
  2. Establish a culture of trust. Employees must feel comfortable admitting they fell victim to a phishing attack (for example) so that response teams can begin their work quickly. They must know they’re in a safe environment and that security teams want to help and respond quickly, not find someone to throw under the bus.

After: Developing the sophistication to be proactive about security

With good planning, education, and culture, an enterprise can begin to become proactive about security threats. By having the process and habits ingrained in employees, security teams (and the entire organization) can begin to get in front of more threats before they have major impacts. And, with some investments in digital forensics, they can even begin to gain an understanding of who is targeting them and why. The far-reaching reputational and financial consequences of a cyber incident can be devastating or even business-ending, and enterprises should invest in IR accordingly.

After any significant event, an organization must move to establish a “new normal.” This is an opportunity to find areas of improvement and become even better prepared. The goal should be that the next time — because there will be a next time — the enterprise’s response is even better and faster. Even when things work as they should and attacks are stopped before they can do serious damage, there is much to be learned. Can employees be better educated? Are cultural issues still negatively impacting your organization’s security? Are technology upgrades needed?

With the right expertise, tools, and strategy, organizations can turn seemingly disastrous events into moments for real learning, further preparation, and actionable business insight — the promised land of sophisticated, enterprise-level Digital Intelligence.