Anybody who has anything has something worth stealing. Today’s advanced cybersecurity threats are putting CISOs on the hot seat. And while detection and prevention remain the staples of security, effective incident response has become critical to the bottom line. When (not if) you are breached—how will you investigate, and how will you respond?
This post explores 7 important questions that every Chief Information Security Officer must be able to answer about incident response.
But first a bit of background on cybersecurity threats—past and present.
Anybody who has anything has something worth stealing
I was talking to an executive at a mid-sized company last month. He told me he believed his business was not a likely target for a cyber attack. He didn’t think his high-tech company, based in the San Francisco Bay Area, had anything worth stealing. He would rather put additional investment dollars into sales and marketing.
He’s wrong. Anybody who has anything has something worth stealing. Or, in the case of critical infrastructure, something worth damaging.
And today, with so much of our information online, there is loads more information to steal. Not just credit card numbers. PII—personally identifiable information—sells for more than credit cards on the black market. And you can easily imagine how confidential corporate data is an attractive target to organizations willing to do whatever it takes (including theft) to gain an advantage.
Cybercriminals are benefiting from all the same technology advances that are making our personal and business lives more efficient. The VPN that we use to work remotely, they use to gain access. The smartphones that makes us more productive no matter our location, they use to steal passwords. The social media we use to share content with friends, they use to create spear-phishing attacks.
Lamborghinis and Cybercriminals
There are different types of bad guys—from financially-motivated cybercriminals, to nation-state sponsored actors, to ideologically-motivated activists (‘hacktivists’), to ex-employees harboring grudges.
In real life, cybercriminals do not tend to match their public image. The predominant stock photography image of a cybercriminal is a guy in a hoody, in a dark room, hands at the keyboard. This is not today’s reality.
Rather, today’s cybercriminals are professional, organized, and well-funded. They are more likely to wear business attire to work. And yes—I said “to work.” Cybercrime is their profession. I’ve heard of Eastern European towns chock-full of Lamborghinis—all purchased with the profits of cybercrime.
Goals of a CISO: Prevent | Detect | Analyze | Resolve
But why write a post about Incident Response? Doesn’t planning for how you will respond to a cyber attack admit that you will fail?
In today’s new normal, attackers use a variety of tools and techniques to get the job done. When they encounter an obstacle, they do not give up—they just try another way. And another. And another.
Rafal Los from Accuvant’s Office of the CISO describes today’s attackers in this way: “They want something you have—and they’re willing to work very hard for it.”
Today, the CISO’s job does not stop with prevention. Some intrusions will get through defenses. It is no longer a question of ‘if’—rather it’s a question of ‘when’. This is the new normal. Recognizing this reality is an important step in making sure you are prepared to respond.
How effectively you respond to an incident determines how quickly the attack gets resolved, how quickly you can shut down the attacker’s entry points, and how quickly you can figure out what data has been stolen.
And how you manage communications with customers, partners, and employees in the face of a cyber attack can also impact your brand and reputation.
Planning for incident response in advance, before you’ve been breached, is just smart business.
DO YOU LOVE QUESTIONS?
I love questions. My love of questions explains why, when under the gun to submit a title and abstract for a cybersecurity talk in Dallas, I came up with the idea for a 7 questions talk.
So, what are the 7 Questions About Incident Response Every CISO Must Be Able To Answer?
1. How would you break in?
Stanford University recently hosted the White House Summit on Cybersecurity and Consumer Protection. Attendees included leaders from high-tech companies, government, and law enforcement; privacy and consumer advocates; law professors; and students. During the International Law Enforcement panel, Kevin Mandia—the founder of Mandiant and President of FireEye, a cybersecurity firm—was asked what questions one could ask a CISO to assess the CISO’s effectiveness. The first question Kevin Mandia recommended leaders ask their CISO was: “How would you break in?”
On the surface, the question of how you would break in does not seem to be about incident response.
But then again, maybe it is. Because a CISO’s answer shows whether he (or she) has tried to get in the mind of the attacker. The answer reflects whether the CISO recognizes that an attacker could get through. Which is the first step toward realizing you need an incident response plan.
2. If you had a breach, would you detect it?
On the same panel, Kevin Mandia’s second recommended question was: “If you had a breach, would you even detect it?”
The answer to this question can help a CEO or Board member assess whether a CISO realizes they need to invest in detection as well as prevention.
The recent Mandiant M-Trends threat report states that in 2014, 69% of organizations were notified of a breach by an outside entity, such as law enforcement. Clearly detection—early detection, by the organization itself—is an area that needs improvement.
3. When did you last test your Incident Response plan?
Once you assume that a breach is inevitable (what some call an “assume breach” mindset), the next step is to figure out what to do to get ready.
Of course, you need a plan. An incident response plan.
And once you have the plan, how will you know that it is complete? That you have all the bases covered?
More and more organizations are doing war games simulations to find the gaps in their incident response plans, to see what works well, what only sort of works, and what is broken or altogether missing from the plan.
So, when did you last test your incident response plan?
You do not want to be testing your incident response for the first time when you’re under attack.
The latest reports indicate that many cyber intrusions are present on a victim’s network for weeks or months before detection. Mandiant ‘s 2015 M-Trends threat report states that the median time between the earliest evidence of compromise and detection was 205 days. And the 2014 Verizon Data Breach Investigations Report (DBIR) stated that the time between intrusion and discovery was on the order of months in 41% of web app attacks and 62% of cyber-espionage incidents.
What this means is: attacks that do get through your defenses have often had more time to do more damage, complicating the investigation. And every day in a cyber investigation costs money.
Which is why it’s important to run war games simulations, to find and fix gaps in your incident response plan, in advance of an attack.
4. Does your Incident Response plan include Network Forensics?
When you’re evaluating your organization’s incident response plan, another question to ask is whether you’re collecting the telemetry data you will need to investigate. The type of data that is most helpful in understanding what happened is network traffic data. It’s a record of what systems communicated when, and what data was transferred between them.
Network Forensics (sometimes referred to as ‘packet capture’) is the capture, storage, and analysis of network traffic data. Every incident response plan should include network forensics, so you have the data you need to investigate. So you can “look back in time” to figure out what happened.
If you don’t have the data about what information moved back and forth through your network—about what IP addresses were involved—it will be difficult to figure out how the attacker gained access, how they maintained access, and what data was stolen.
Without the data to investigate, you may never get answers to your questions.
In 2014, the CIO of the State of Montana’s Health and Human Services Department said this about a cyber incident they had experienced: “The state doesn’t know and may never know what the hackers did once they gained access.”
If you’re a CISO, you probably don’t want to have to say something like that. Ever.
5. How quickly can you analyze your Network Traffic data?
Assuming you have been collecting and storing the network traffic data, the next questions are: how quickly can you analyze it? How long does a query take? How long do queries take when run at the same time as the ongoing capture of network traffic?
Some network forensics solutions have performance challenges attempting to capture traffic and respond to queries concurrently. The solution drops packets. Or worse—some solutions silently drop packets. Dropped packets mean you may not have the data you need to investigate.
This is yet another reason to do war games simulations—so you can measure how long it takes you to run queries, to assess if your current network forensics solution will meet your needs.
6. How far back in time can you look to investigate?
Of course, the network traffic data is only useful if you have it when you need to investigate. If you captured it in the first place, in advance of the attack. And if you haven’t thrown it away.
As I said earlier, many attacks that make it through an organization’s defenses have been present in the network for weeks or months before detection. JPMorgan Chase reported that the attackers were present on their systems for two months before they discovered they intrusion.
So, how far back in time can you look to investigate?
How many days of network traffic data are you capturing and storing for future forensic analysis?
7. How far back in time do you need to be able to look?
More and more, security teams are looking to increase the amount of network traffic data they store.
We believe this is because of the growing awareness of the delta between the time of intrusion and time of detection. Organizations want to be able to look back further in time to figure out what happened.
If it takes you two months to discover you’ve been breached—will you have the data you need to investigate?
Do you have good answers to the questions about Incident Response?
CISOs have an important job, and in the face of today’s cybersecurity threats, a challenging one. I don’t presume to tell CISOs how to do their jobs—they are the security experts. But I do believe in the importance having a solid incident response plan. So that when (not if) you get breached, your organization is prepared to investigate and resolve the attack.This post was originally published on LinkedIn on April 9, 2015, based on a presentation given by Claire Giordano at the FireEye Tech Connext event in Dallas, Texas on March 17, 2015.