Cybersecurity first responders give advice on data breach aftermath

Your company just got hacked. Now what?


Some first responders sound more like detectives. Seth Danberry is one of them. After a 16-year career as a CIO, Danberry started his cybersecurity firm, Grid32, in Jersey City, N.J., almost six years ago. When asked about his firm's incident response, Danberry provided Grid32's methodology, a well-defined five-step process:

  • Step 1. Identification. "Step one is to dive in and fully identify the incident by reviewing errors, log files and other telling information from the client's firewalls, [intrusion-detection systems] and other assets."
  • Step 2. Containment. "Once we have identified the issue, we look to contain the threat and stop the bleeding by putting in filters, altering routing or DNS, or if necessary, taking systems offline.”
  • Step 3. Eradication. "Once the situation is initially stabilized, we move to fully eradicate the threat from all affected systems and ensure reinfection cannot occur."
  • Step 4. Recovery. "After the threat is eradicated, our focus shifts to recovery, where affected systems are brought back online to resume normal operations, all while monitoring to ensure no further signs of compromise."
  • Step 5. Analysis and Lessons Learned. "Once the immediate crisis is over, we then use forensics and other investigatory techniques to attempt to track the source of the incident and also glean any information to prevent subsequent incidents with the client."

Corporations and government agencies that handle cyber-incidents internally may want to model their own process on Grid32's five steps.

Some cybersecurity experts are more focused on keeping CSOs and CISOs grounded in reality after their company has been the victim of a cyber-attack. "Breach and incident response can be an emotional, chaotic affair for organizations - our first priorities are to calm people down and set some expectations," says Reg Harnish, founder and CEO at GreyCastle Security in Troy, N.Y. "These are not the best days for the organization, but they don't have to be the worst," he adds.

Harnish has 15 years of hands-on security and incident response experience in several industries, including financial services, healthcare, and higher education. He offers interesting advice. "First, the client should understand that this is not CSI or a Tom Cruise movie - the likelihood of identifying a cybercriminal in the foothills of Romania, getting your money back and bringing them to justice - is near nil. In addition, the client should be focused on minimizing the negative impact of the event, not chasing criminals. Setting this expectation is key."

When Harnish's firm looks into a breach, they are also thinking about what comes after, and sometimes that can mean legal action, including courtroom appearances. "The investigation begins with triage, and making some rough determination of scope and impact. How many records, how much money, how much evidence and how much negative impact - all of these factors will drive the response process. Also important is to decide if litigation is possible as a result of the incident; if it is, we will integrate evidence and chain of custody procedures to be prepared for court." Harnish differs with the step-by-step process advocated by others. "The client should understand that breach response is organic and dynamic. There is no such thing as a step-by-step procedure that applies to all incidents."
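The Identification and Containment steps of Grid32's process above, together with Harnish's point about preserving evidence and chain of custody when litigation is possible, as an added example that is not part of the original article and is not Grid32's or GreyCastle's tooling. It assumes a simplified syslog-style format for firewall denies and sshd authentication events, a failure threshold of three, and iptables-style block rules; the log lines are constructed for the example. The protected-network check is the caveat a responder wants in practice: an automated block that cuts off the team's own management range makes a bad day worse.

```python
"""Added illustration of Identification -> Containment plus evidence custody.
Example code, not the article's or the quoted firms' tooling; log format,
threshold and rule syntax are assumptions."""
import hashlib
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (firewall denies plus sshd auth events).
SAMPLE_LOGS = """\
2015-03-02T10:14:01Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=3389
2015-03-02T10:14:02Z srv05 sshd Failed password for root from 203.0.113.7 port 51022
2015-03-02T10:14:03Z srv05 sshd Failed password for admin from 203.0.113.7 port 51023
2015-03-02T10:14:04Z srv05 sshd Failed password for root from 203.0.113.7 port 51024
2015-03-02T10:14:05Z srv05 sshd Accepted password for root from 203.0.113.7 port 51025
2015-03-02T10:14:09Z srv05 sshd Failed password for alice from 192.0.2.44 port 40010
2015-03-02T10:15:00Z srv05 sshd Accepted publickey for alice from 192.0.2.44 port 40011
2015-03-02T10:16:00Z srv05 sshd Failed password for bob from 10.0.0.9 port 40012
2015-03-02T10:16:01Z srv05 sshd Failed password for bob from 10.0.0.9 port 40013
2015-03-02T10:16:02Z srv05 sshd Failed password for bob from 10.0.0.9 port 40014
"""

# Assumed line formats; real syslog/IDS output needs its own parsers.
SSH_RE = re.compile(r"^(\S+) \S+ sshd (Failed|Accepted) \S+ for (\S+) from (\S+) port \d+$")
FW_RE = re.compile(r"^(\S+) \S+ DENY src=(\S+) dst=\S+ dport=(\d+)$")


def identify(log_text, fail_threshold=3):
    """Step 1 (Identification): build a per-source picture from the raw logs and
    flag sources that look like a brute force that got in (>= threshold failures
    plus an Accepted login) or one still hammering away (failures only)."""
    sources = defaultdict(lambda: {"failed": 0, "accepted": [], "denied": 0,
                                   "first": None, "last": None})
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            rec = sources[src]
            if outcome == "Failed":
                rec["failed"] += 1
            else:
                rec["accepted"].append(user)
        else:
            m = FW_RE.match(line)
            if not m:
                continue  # unknown line format: skip rather than guess
            ts, src, _dport = m.groups()
            rec = sources[src]
            rec["denied"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
    findings = {}
    for src, rec in sources.items():
        if rec["failed"] >= fail_threshold:
            rec["verdict"] = "compromised" if rec["accepted"] else "brute_force"
            findings[src] = rec
    return findings


def containment_rules(findings, protected_nets=("10.0.0.0/8",)):
    """Step 2 (Containment): turn findings into block rules (assumed iptables
    syntax), refusing to auto-block anything inside the networks the responders
    themselves depend on; those hosts are isolated by hand instead."""
    protected = [ipaddress.ip_network(n) for n in protected_nets]
    rules = []
    for src in sorted(findings):
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in protected):
            rules.append(f"# SKIP {src}: inside protected range, isolate host manually")
            continue
        rules.append(f"iptables -I INPUT -s {src} -j DROP")
    return rules


def custody_record(log_text, collector, now=None):
    """Chain of custody: hash the evidence as collected and note who took it and
    when, so later handling or tampering can be detected before it reaches court."""
    data = log_text.encode("utf-8")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "bytes": len(data),
        "collected_by": collector,
        "collected_at": (now or datetime.now(timezone.utc)).isoformat(),
    }


def verify_custody(log_text, record):
    """Re-hash the evidence and compare against the custody record."""
    return hashlib.sha256(log_text.encode("utf-8")).hexdigest() == record["sha256"]


if __name__ == "__main__":
    found = identify(SAMPLE_LOGS)
    for src, rec in found.items():
        print(f"{src}: {rec['verdict']} failed={rec['failed']} denied={rec['denied']} "
              f"accepted={rec['accepted']} first={rec['first']} last={rec['last']}")
    print("\n".join(containment_rules(found)))
    print(custody_record(SAMPLE_LOGS, "responder-1"))
```

Run as-is, the script flags 203.0.113.7 as compromised (three failures, then an accepted root login, plus a firewall deny on 3389) and 10.0.0.9 as an in-progress brute force, emits a drop rule only for the external address, and records a SHA-256 custody entry for the raw log text.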

With high-profile hacks getting ink on the front pages of major newspapers and more visibility on the evening news, perhaps we might see Tom Cruise starring in a cyber film playing Reg Harnish, cybercrime expert witness. Who would play the corporate CISO? That's not important if you listen to Albert Whale, another cybercrime first responder, who says "each CISO is one breach away from losing their current position."

Whale is president and CSO at Pittsburgh-based IT Security. In the past, he has worked as an ethical intruder, helping companies prepare for the worst. If you believe Whale, then whoever plays the CISO would only be making a cameo appearance. In the real world a CISO might hang up with his or her legal counsel after reporting a serious breach, and then dial a headhunter.

Copyright © 2015 IDG Communications, Inc.
