Page 48 - GCN, March and April 2017

CYBERSECURITY
response should begin before a breach ever takes place,” he said. “The worst incident response plan is no incident response plan, and any organization’s first step should be to create one.”

Ellis echoes the iconic advice from “The Hitchhiker’s Guide to the Galaxy” by telling information security professionals: “Don’t panic.”

“You can’t control which burglar shows up at your house, but you can control whether or not you lock your door.”
— CASEY ELLIS, BUGCROWD

“Assessing the situation calmly will help ensure nothing gets missed during the next steps and avoids the silly mistakes that can happen under pressure,” he said. Next, organizations should assess the damage and, after that, “piece together events, weaknesses and the various pieces of evidence you’ve collected and try to determine what happened. This is a necessary step toward mitigating the damage and remediating against future threats.”

But Nir Polak, co-founder and CEO of behavioral analytics services firm Exabeam, said trying to control a pest problem without getting rid of the pests is a flawed approach. “After a hack, the focus should be first on completeness of remediation...in other words, fully kicking the hacker out of the network,” he added.

He acknowledged that complete remediation can be difficult because organizations often do not know the full extent of the hacker’s reach. For example, a hacker who gains access by stealing credentials on an employee’s laptop can use those credentials to jump into the network and create new accounts. The IT team might see the malware, wipe the employee’s machine and think all is well without realizing that the contagion has spread, Polak said.

Andy Vallila, leader for Americas sales and marketing at One Identity, the security business under Quest Software, said government information security teams should also determine “the who, what, how and why of the incident. Without these details, they cannot stop or prevent future damage.”

That level of detailed analysis is impossible without an audit trail to determine the root cause of a breach and establish appropriate next steps — a capability many organizations lack when it comes to security, he added.

FOCUS ON THE FUTURE

After information security teams effectively suck out the worst of the poison and determine the species of hacker “snake” that has bitten them, what comes next?

James recommended that agencies designate a department that will notify all employees and third parties who might be directly affected by the breach and make required disclosures to regulators.

In addition, educating employees at every level should continue to be a priority. “All organizations must realize that technology alone won’t prevent a breach,” James said. “User education remains a critical and undervalued prevention method, as most cyberattacks stem from employees making careless or naive mistakes. Employees all too often click on malicious links that appear to be credible, and these phishing attacks are one of the easiest ways cybercriminals get into an organization’s network.”

Henderson recommended creating a crisis or disaster plan “that touches every critical function in the organization.... Get everyone in a room and talk about what you’d do when a breach hits. After an incident, talk about what you learned...and how your teams responded. What could they have done better? Use every incident as a learning experience, and learn from it.”

Assessing who in the organization has access to privileged credentials is critical, too.

Nick Nikols, chief technology officer for cybersecurity business at CA Technologies, said 80 percent of breaches involve privileged credentials.

“An agency may identify that privileged accounts must be protected and implement privileged access management software to protect accounts and use analytics to detect a potential breach,” Nikols said.

After the hacker has been booted off the network and the system sealed off, checked, double-checked and restructured (if need be), Ellis said, “then, and only then, should you try to figure out who did it.” He added that rather than finding the culprit, government agencies should stay focused on the “real issue: how to prevent vulnerabilities.”

“The most important thing to focus on is how to prevent future attacks,” Ellis said. “You can’t control which burglar shows up at your house, but you can control whether or not you lock your door. You can’t control your threat actor, but you can control where you are vulnerable.” •