Cybersecurity first responders give advice on data breach aftermath

Your company just got hacked. Now what?

According to a top cybercrime expert who specializes in data breaches and incident response, the first step is keeping the CISOs and IT security staff calm. A high impact cyber-attack can be a stressful and disorienting event – even for the most veteran technology and business executive.

Dario Forte was police officer in Italy for 15 years, in various crime enforcement squads, including cybercrime enforcement. He’s now founder and CEO of DF Labs in Crema, Italy, a leader in information security, incident management, e-discovery, litigation support and digital forensics.

“The first step is definitely supporting the customer who is reporting the incident – in order to avoid panic,” says Forte.

Forte has extensive real-world experience as a cybersecurity first responder. He has 15 years experience in the Italian military and financial police, and has worked in the United States with NASA and many federal agencies. In both countries, Forte has managed information security strategies and undertook incident management and digital investigations. He is currently the Italian Chief of Delegation and a Subject Matter Expert and Co-Editor serving the Italian Delegation for ISO Standards on Digital Evidence and Investigations, and Incident Management.

When asked if his experience as a police officer carries over to cyber incident response, Forte says yes. “I’ve spent over 15 years in the police, working in the drug and then organized crime enforcement for 10 years. The first thing they teach you is – Don’t panic. If you cannot keep calm things will only get worse”.

“The CISOs we usually talk with have four priority questions to answer about incident response,” says Forte. He explains:

1. What is happening?
2. How can I prioritize my response?
3. How can I contain the damage?
4. Has this occurred elsewhere?

Forte continues “The answers to these questions can be given only by a structured approach, where a well prepared Incident Management Team can orchestrate the investigation and response, sharing the artifacts with their trusted peers in order to reduce the reaction time.”

After the first interaction when he helps to keep level heads, Forte explains the next step. “We ask if they’ve been notified of any information that has been disclosed to unauthorized parties, stolen, deleted or corrupted. That will help us to understand the incident scope, its potential impact and the customer ability to govern it. From a technical standpoint, our team immediately engages a conference call with the technical staff at the customer site. Usually that happens no later than 45 minutes from the first call. This phase is fundamental as it gives us an immediate sense of which information is available for investigation and/or helping the customer to avoid any mistake in evidence handling. The latter is the most common cause of failure in the investigation and in response to the incident.”

Reg Harnish, Founder and CEO at GreyCastle Security

Forte makes a crucial point about the importance of securing the (cyber) crime scene.

Brian Minick, former CISO at a Fortune 500 corporation – GE Aviation and Energy – agrees. “When a client discovers they’ve had a breach, there is often a mistaken assumption that the scope of the breach is fairly static,” says Minick, now CEO at Morphick, a cybersecurity professional services firm in Cincinnati. “In reality, the intrusion usually starts weeks or months before detection, and the intruder likely has broad access to the client’s network and can move around it quickly. The Morphick Incident Response Team’s first priority with a client is to rapidly identify and disrupt the attacker’s access to the client’s networks and data to mitigate further losses. Preserving evidence and identifying the perpetrators is important, but the investigation can’t begin until the crime scene is secured.”

Seems like cybercrime response is a lot like street crime response. Another cyber-expert confirms that thought. Ondrej Krehel, managing director and founder at LIFARS, LLC, a New York City digital forensics and cybersecurity intelligence firm that provides data breach incident response – chimes in on his best practices for first-responder work. “The primary objective is to provide intelligence about the technical skill-set and the motivation of the attacker, along with immediate steps to remediate and protect critical assets.”

Krehel goes on to say “we holistically examine the situation to address the incident. This includes initial damage assessment, initial vector of compromise, indicators of compromise, preservation of forensic artifacts, and further forensic analysis of information collected.”

Some first-responders sound more like detectives. Seth Danberry is one of them. After a 16-year career as a CIO, Danberry started up his cybersecurity firm Grid32 in Jersey City, N.J., almost six years ago. When asked about his firm’s incident response, Danberry provided Grid32’s methodology – which is a well defined five-step process:

• Step 1. Identification. “Step one is to dive in and fully identify the incident by reviewing errors, log files and other telling information from the client’s firewalls, [intrusion-detection systems] and other assets.”
• Step 2. Containment. “Once we have identified the issue, we look to contain the threat and stop the bleeding by putting in filters, altering routing or DNS, or if necessary, taking systems offline.”
• Step 3. Eradication. “Once the situation is initially stabilized, we move to fully eradicate the threat from all affected systems and ensure reinfection cannot occur.”
• Step 4. Recovery. “After the threat is eradicated, our focus shifts to recovery, where affected systems are brought back online to resume normal operations, all while monitoring to ensure no further signs of compromise.”
• Step 5. Analysis and Lesson Learned. “Once the immediate crisis is over, we then use forensics and other investigatory techniques to attempt to track the source of the incident and also glean any information to prevent subsequent incidents with the client.”

Corporations and government agencies who handle cyber-incidents internally may want to model around Grid32’s five-step process.

Some cybersecurity experts are more focused on keeping CSOs and CISOs grounded in reality after their company has been the victim of a cyber-attack. “Breach and incident response can be an emotional, chaotic affair for organizations – our first priorities are to calm people down and set some expectations,” says Reg Harnish, Founder and CEO at GreyCastle Security in Troy N.Y. “These are not the best days for the organization, but they don’t have to be the worst” he adds.

Harnish has 15-years of hands-on security and incident response experience in several industries including financial services, healthcare, and higher education. He offers interesting advice. “First, the client should understand that this is not CSI or a Tom Cruise movie – the likelihood of identifying a cybercriminal in the foothills of Romania, getting your money back and bringing them to justice – is near nil. In addition, the client should be focused on minimizing the negative impact of the event, not chasing criminals. Setting this expectation is key”.

When Harnish’s firm looks in to a breach, they are also thinking about what comes after… and sometimes that can mean legal action including courtroom appearances. “The investigation begins with triage, and making some rough determination of scope and impact. How many records, how much money, how much evidence and how much negative impact – all of these factors will drive the response process. Also important is to decide if litigation is possible as a result of the incident, if it is we will integrate evidence and chain of custody procedures to be prepared for court.” Harnish differs with the step-by-step process advocated by others. “The client should understand that breach response is organic and dynamic. There is no such thing as a step-by-step procedure that applies to all incidents.”

With high-profile hacks getting ink on the front pages of major newspapers and more visibility on the evening news, perhaps we might see Tom Cruise starring in a cyber film playing Reg Harnish – cybercrime expert witness. Who would play the corporate CISO? That’s not important if you listen to Albert Whale, another cybercrime first-responder who says “each CISO is one breach away from losing their current position.”

Whale is president and CSO at Pittsburgh-based IT Security, In the past, he has worked as an Ethical Intruder – helping companies to prepare for the worst. If you believe Whale, then whoever plays the CISO would only be making a cameo appearance. In the real world a CISO might hang up with his or her legal counsel after reporting a serious breach, and then dial a headhunter.