Editorial

Cyber breach: 5 Steps to a rapid business recovery

Rob Floodeen, VP of consulting, Mitiga on what you need to build resilience against cyberattacks.

Posted 18 August 2022 by Christine Horton


Cyberattacks are constant and security breach incidents inevitable. The National Cyber Security Centre offers guidance for public and private sector organisations to help minimise harm from breaches, while the UK’s data watchdog, the Information Commissioner’s Office (ICO), is focused on addressing the issues in the public sector that result in avoidable data breaches by raising data protection standards and preventing harm from occurring. A critical part of achieving those goals is increasing resilience to cyber breaches. To do that, you need to build competence in these five areas today, so you can recover quickly from a hack that could hit you tomorrow.

Communicate

Effective breach response is impossible without a solid communication plan. A robust communication plan will help you increase your organisation’s resilience, even to critical cyber incidents. Take these four steps today to ensure that your communication capabilities are in working order in case an incident occurs tomorrow:

  1. Include diverse types of stakeholders, including internal response team members, regulators, outside legal firms, your PR firms and the public. Develop communication plans for each type of stakeholder and template standard communications where possible.
  2. The timing, message and medium for each of your stakeholders is different. Understand those differences and maintain an overarching communication timeline.
  3. Be clear, concise and factual. If you are not, chances are it will reflect poorly on you and your organisation. Examples of great and bad breach communications are available online; work with general counsel and PR prior to an incident to understand the differences.
  4. Do not over-share. Communicate relevant information, ensure it is validated and do so only when necessary.

Inspect Your Environment

Gather the information you need to evaluate and inform decision making:

  1. Ensure visibility into your environment
  2. Retain relevant forensic artefacts
  3. Develop the skills needed to lead an investigation

Exercises can help you build these skills and ensure that each team impacted has the time necessary to think through the steps of an investigation and response.

Evaluate Incident Impacts

Evaluate incident-related information and how it impacts your organisation. Ask yourself these five questions to ensure you have the information you need to make an informed decision rapidly:

  1. Start with these two questions: What are your critical assets? Are you collecting relevant data that would show whether these assets were impacted in an incident?
  2. Can you compare the current state of your environment to earlier states that you know were good? You need a baseline to compare to for your operating systems, scripts, functions and so on.
  3. What are the potential impacts to key business functions if a breach occurred?
  4. Can you identify abnormal changes in your environment? Do you understand what these changes mean?
  5. Have you built threat scenarios for each of the preceding items to put them into context in your organisation?
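As an added illustration of questions 2 and 4 above (example code written for this article, not Mitiga's tooling), the snippet below records a known-good baseline of file hashes and reports what has been added, removed or modified since. The file paths and contents are constructed sample data.

```python
import hashlib
from typing import Dict, List

# A snapshot maps a file path to the SHA-256 digest of its content.
Snapshot = Dict[str, str]


def build_snapshot(files: Dict[str, bytes]) -> Snapshot:
    """Hash every file so the state can be stored as a baseline and compared later."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the known-good baseline."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


# Constructed sample: the state captured when the host was last known to be good.
KNOWN_GOOD = {
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/data.tgz /srv/data\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
}

# Constructed sample: the state observed during an investigation (not real data).
OBSERVED = {
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/data.tgz /srv/data /home\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/cron.d/persist": b"* * * * * root /tmp/.update\n",
}


def investigate() -> Dict[str, List[str]]:
    """Run the comparison; the baseline would normally be loaded from secure storage."""
    return compare_snapshots(build_snapshot(KNOWN_GOOD), build_snapshot(OBSERVED))


if __name__ == "__main__":
    for category, paths in investigate().items():
        print(f"{category}: {paths}")
```

Each change the report lists is only a lead; deciding what it means (a legitimate change request or something requiring escalation) is the analyst's job the article describes.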

Make Decisions with Confidence

During an incident, the leadership team’s primary role is to make complex decisions with limited information. Part of building your cyber resilience is increasing your own ability to make tough decisions quickly and confidently. That sounds easier said than done, but if you use a process that helps you prioritise your efforts and understand when and how you can get the available information, you will be well on your way.

Sounds great, but what does such a process look like?

  1. Identify two to four key objectives of the response.
  2. Establish supporting actions for each objective (these are called Lines of Effort, or LoEs). Each LoE is composed of an LoE name, the status of the effort, next steps, a leader for the LoE and the current answer for the LoE.
  3. Next you need to assign confidence levels (low, moderate, high) to the current answer and the future answer within a specified time (not longer than 30 days).
  4. Finally, assemble the confidence levels, answers and time period into an estimate for the objective. An example table of three objectives might look like this:
     Objective                      Current Confidence   Time to Complete   Confidence When Completed
     Root Cause Analysis            Low                  8 days             Low
     Identify scope of data taken   Low                  3 days             Moderate
     Build Recovery Plan            Low                  11 days            High

Respond

The preceding phases do not occur linearly. Most of the major response actions happen during the prior phases. Six critical response capabilities that will help you build an effective response plan include:

  1. Agree on a list of possible incident commanders, based on the type of breach. Your incident commanders must have comprehensive knowledge of downtime impacts to the business, your customers and key systems.
  2. Define (in advance) a set of actions an incident commander can take.
  3. Harden your environment. This will make it easier for you to evict threat actors or shut down the attack surface(s).
  4. Ensure that you can rapidly isolate critical application(s), data, or system(s).
  5. Learn how and plan for the eviction of threat actors.
  6. Understand the threat actor’s common techniques so you can run a monitoring function (especially for your strategic assets) focused on associated suspicious activity or known re-entry activity.

Plan for attacks

These five steps will help you reduce the risk of a breach escalating into a crisis for your organisation and build resilience to cyberattacks within your organisation. The time you take now to build and test yourself in these areas will save you time, money and considerable stress if a serious cyber breach occurs.

Rob Floodeen is VP of consulting at Mitiga.