When incident response teams mistakenly identify forests for trees

Tracking down a cyberbreach’s origins is a painstaking process that pays off in the end. As the AT&T report Cybersecurity Insights notes, an incident response plan detailing the participants, processes, and lines of reporting following a serious attack can help mitigate the impact of a breach.

Incident response also involves an established sequence of steps, and any attempt to rush the process can make a bad situation even worse. When it comes to the actual work, what’s clear is that patience is a virtue.

But the task is complicated by organizational challenges, where different teams involved in the process can wind up working at cross purposes because of conflicting priorities. While forensic examiners seek to understand how the intruders compromised the network, systems administrators and security executives are more keen on plugging the breach and then getting the enterprise back online as soon as possible. If they take shortcuts, the danger is that valuable clues about the attackers can get destroyed.

Haste also harms the organization in other ways.

If the breach hasn’t been rooted out, prematurely giving the all-clear signal fosters a false sense of security. The organization remains at risk if the intruders are still lurking on the network and are free to read employee communications or carry out further thefts. Even if you think the breach is fixed, there may still be other network vulnerabilities that intruders can exploit, especially if they managed to access different areas of the network.

Step by step

In the immediate aftermath of a successful attack, the investigation should focus on identifying the breach with an eye toward containing the damage. The steps should be outlined in the organization’s cyber incident response plan, which functions as the playbook. Throughout the process, make sure to keep the following in mind:

  • Coordinate the teams assigned to the investigation and eradication of the breach. Each side must be aware of the others’ efforts in order to conduct a thorough process of evidence collection and analysis.
  • Include computer forensic examiners or people with proper training who can reliably record the evidence and preserve it for later review.
  • Keep a record of the system at the time of the incident to share with the organization’s lawyers, outside investigators, or law enforcement agencies. System administrators should review their log information to identify the malware and determine whether any stolen data was transferred to a location controlled by the attacker. An examination may reveal whether anyone tampered with files, system settings, or permissions.
  • Don’t assume this was a one-off attack. Unlike yesterday’s prototypical solo hacker, the constellation of potential threats nowadays includes organized criminal groups, state-sponsored actors, and politically motivated “hacktivists.” All are sophisticated and experienced at getting past network defenses.
  • Maintain close system monitoring to detect any anomalous activity that may signal the intruder is trying to reenter the network.
  • Examine the history of threatening communications prior to the incident. The same goes for any suspicious emails or other similar requests for information.

This might go more slowly than some would like, but as the AT&T report points out, the ability to quickly mitigate the effects of a breach requires a strategic, dynamic, fully tested incident response plan. And it means practicing what you preach.

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.
