
10 cyber incident response tips from Equifax, Mandiant and cyber attack survivors

SAN FRANCISCO – RSA CONFERENCE – Cybersecurity leaders who have seen a cyberattack from the inside shared their best advice and cautionary tales here Monday. Their recommendations had very little to do with technology – no suggestions for the latest bells and whistles in the exhibition hall – and a lot to do with crisis communication, process documentation and friendship.

Patricia Titus, Chief Information Security Officer (CISO) of Booking Holdings Inc., moderated the panel “Life After the Breach: A Survivor’s Guide.” Panelists included Tim Crothers, CISO of Mandiant; Russ Ayres, SVP and deputy CISO of credit bureau Equifax; and John Carlin, partner at Paul, Weiss.

The panelists have extensive experience dealing with the aftermath of a cyber incident. Crothers previously worked for Target, joining in 2014 to help restore its security reputation shortly after its legendary data breach in 2013. Ayres was present in the 2017 Equifax data breach, which exposed the personal information of 143 million U.S. consumers and the credit card numbers of 240,000 U.S. consumers. Carlin served at the U.S. Department of Justice as Acting Assistant Attorney General, building the Justice Department’s ransomware task force and contributing to the response to the SolarWinds and Colonial Pipeline incidents.


Here’s some of the key advice they gave to CISOs and other IT leaders who may be experiencing their worst day ever:

1. What seems funny today…isn’t

John Carlin: “You and your people will be working around the clock. Then people become powerful. You’re going to use all these real-time communications – they’re preserved, they need to be protected by law. Make sure you do that.” Smart communications refresher courses remind everyone that what seems funny now won’t look funny two years from now when you’re testifying or appearing before Congress. This little reminder can save you and your business a great deal of pain.

2. Establish “privileged communication” with emergency responders

Tim Crothers: “If you’re a CISO, the general counsel should be your best friend.”

Carlin: “They initially assume that it is a small incident and therefore call in the emergency responder without (legal) authority. And a big mess ensues. And now you want to protect some of those early communications, but you didn’t originally bring them through (legal) advice, so you can’t protect those communications.”

3. You have a friend in cybersecurity

Russ Ayres: “You’re going to think you probably won’t get through this. The first thing to consider is: you have friends in this group. This group is a very close-knit community. Reach out to your community. The reality is if you reach out to someone who has been through this before they will give you all the answers you need and give you the help you need.”


4. Get to know your crisis communication now

Crothers: “Why is communication important? Because everyone wants to know if you’re under control.”

Carlin: “Consider who the external crisis communications company is that we will bring in. Let’s meet with them beforehand so they know our values and make sure they’re not the same people we go to on good news days.”

5. Prepare your deputies

Patricia Titus: “What happens if your CSO or CISO is unavailable? Are you practicing to make sure your second, third, or fourth levels have the competency to take the reins when it happens?”

Ayres: “Look at our situation (before the Equifax breach): the CEO left, the CIO left, the CSO left… At the same time, three of our executive directors were embroiled in a Securities and Exchange Commission investigation. …Six of our key leaders who would have been relied upon for wargaming were gone…You have to think about your deputies.”

6. Rebuilding trust takes longer than you think


Crothers: “The biggest thing you probably won’t expect is just the lack of trust. So if you haven’t handled communication well and/or have a popular brand and feel among people, you’ll have a serious breach (because again, you haven’t handled communication that well). You essentially have all these organizations that you deal with – auditors, etc. – that really don’t believe you… One of the things that, before I looked into these breaches, I didn’t anticipate was how much work you would have to put in to regain that trust and credibility for this organization and just do business.”

7. Make war games realistic

Crothers: “On the wargaming front, do it without your CISO… You’re on a plane from Paris to Minneapolis, so they have to fly without you for the first 10 hours of the incident and wait to see what happens next.”

Carlin: “I don’t have any answers. Do an exercise that asks you, ‘How long will it take you to stand up again?’ ‘I don’t know.’ ‘How did this happen?’ ‘I don’t know, and maybe I won’t know for weeks, maybe months, maybe never.’”

8. Document your risk decisions

Carlin: “As a regulator, as an advocate, as a person investigating the incident, they tend to follow the chain backwards. You may ask what system that was and who was responsible for controlling that system? And so often in the most significant incidents I responded to, it was something that was outside the CISO’s purview. For some reason the company made an exception or didn’t inventory it properly and that’s the surprise.

“…‘Yes, but this system was an exception, or we just acquired this system, or it was a system that a key executive absolutely needed to use at the time, or we had technical debt.’ These are real problems, but the problem is that the problem has not been documented in a way with a risk register, with a compensating control where you can show that you have thought about this problem and it was a conscious decision at the time.”

9. Expect the unexpected

Carlin: “We found war games so effective that the President of the United States and the Cabinet took part in them…We have been playing war games for years about what it would look like if a nuclear-armed rogue state attacked the United States using cyber means. I don’t know if you remember what that first attack was – we thought it was electrical or the water mains – but no, it was a movie about a group of smoking journalists.” (Carlin is referring to the state-sponsored attack by North Korea on Sony Pictures Entertainment in response to the film “The Interview.”)

10. Go back to basics

Ayres: “Know what you want to patch and how often. …Check what you expect. I can’t tell you how many of the things that were just done that we think worked, but when you look deeper into it, it’s not what you think.”