Surviving first contact

The 19th century German field marshal Helmuth Von Moltke is famous for having made remarks about the value of planning that continue to resonate today. "No plan of operations," Moltke said, "extends with certainty beyond the first encounter with the enemy's main strength." You may be more familiar with this notion in its more popular contemporary form: "No plan survives first contact with the enemy." Either way, in today's socio-economic environment, in which practically everything has been digitized (or soon will be), it's an idea we would do well to remember in the context of cyber security.

Why? Because shifting work paradigms—in particular, the accelerated move to remote work at organizations of all shapes and sizes brought about by the COVID-19 pandemic—has increased cyber risk across the board. Attacks are very much on the rise, a fact that has put cyber preparedness at the top of many organization's priorities.

But if no plan survives, what's the point? Easy: the planning itself.

In terms of cyber security specifically, preparedness typically involves increased investment in detection, preventive technologies and solutions; awareness training for employees adjusting to new remote work habits; and adapting procedures to the 'new normal.' Practicing and training technical response capabilities and procedures, as well as executive communications that deal with and navigate a cyber incident, are similarly critical.

Now, let's be clear: certain things can be planned for and practiced prior to a cyber incident. The reason I've invoked Moltke is that other aspects are far less predictable—and these are often the most crucial. Maybe they're unique to your organization, your sector or your geography and might therefore require an approach that cannot be fully anticipated. Whatever the case, the areas in incident response that can be planned constitute a framework the organization can follow to respond in a structured and focused manner. But the framework itself depends on a certain amount of agility and flexibility for the response to address not only the unique nature of the breach but also the attack vector and the organization's technical and procedural response composition.

Some cornerstones an organization should consider implementing when preparing their cyber incident response plan include:

1. Have a third-party incident response and forensics firm on retainer to engage under pre-negotiated terms and service level agreements. Engaging a third party to support your response team should happen as quickly as possible. Too often, valuable time gets spent on negotiating statements of work, which could allow an attacker to penetrate deeper into the organization and exfiltrate possible confidential data, in turn increasing the damage.
2. Have a breach coach on retainer. A breach coach is someone with experience in organizing and dealing with cyber breaches from a privacy and communications perspective. This person often engages a third-party incident response and forensics firm (see 1) "under privilege" to investigate the cyber incident.
3. Have a cybersecurity insurance policy in place. From the investigation costs, legal costs, business interruption, ransom fees, public relations fees and so on, having a comprehensive cybersecurity insurance policy can be a safety net when dealing with a cyber incident.
4. Have a PR firm on retainer. Messaging to the public and other stakeholders around a cyber incident is an important factor in maintaining trust with clients and other parties during and after a cyber breach. Organizations that communicate and deal with a cyber breach in a trustworthy manner will experience less bottom-line impact after the event.
5. Have incident response playbooks on hand so staff knows what to do in case of emergency. Having response procedures and activities pre-defined in a document will help response teams get over initial panic and initiate a coordinated response effort. Incident response plans should at a minimum outline who front-line staff can contact for assistance (i.e., internal and external stakeholders who should be involved in the cyber incident response process) to ensure valuable time is not lost locating such information. Furthermore, detailed technical cyber response playbooks could assist a response team with the initial triage, containment and scoping activities to respond to the incident while the larger internal and external response teams are being assembled.
6. Practice your IR and communications plans. Practicing and testing plans, procedures and communications on a regular basis will bring the team responsible for responding to cyber incidents together and identify possible gaps in process. Often, we see disconnects between technical and non-technical teams when responding to cyber incidents. Addressing and identifying these disconnects in a safe environment will better prepare you to respond to a cyber incident as whole.

Regardless of how thorough your organization's response plan is, it will never guarantee total preparedness, as every incident is unique. And given that they aren't very likely being exposed to breaches constantly, an organization's response team often lacks critical experience and expertise. Having an agile and flexible response plan and an experienced team on standby will help to mitigate any incident in a timely manner.

In this context, technical and executive (communication-focused) Tabletop Exercises are commonly used to prepare for the 'inevitable breach,' and I'll have more to say about them in my next post.