Breach Preparedness: Don’t Wait Until it’s Too Late

Published by Corey E. Thomas

“It’s not if, but when.”

This phrase has become rote within the security community, where the unfortunate reality is that breaches are inevitable, regardless of an organization’s industry or size. In acknowledging that a determined attacker can almost always get in, the focus becomes detection and containment in addition to prevention. A strong security strategy shouldn’t just ensure that your organization is difficult to compromise—it should also include plans for threat detection and incident response that maximize opportunities to detect a compromise and minimize fallout in the event of a breach.

Lay the Groundwork.

By nature, incident response requires high accuracy and swift investigation at each step: starting at the initial scoping stage and continuing all the way through to remediation. But when the clock is ticking, mistakes are more likely—and a single mistake can have a ripple effect that carries across the entire incident response lifecycle.

Preparation is key, so lay out your incident response strategy before disaster strikes. Times of chaos are not when you want to be bogged down with untangling processes or determining the best way to communicate crucial information.

Start by selecting an external incident response service provider, if you don’t already have one on retainer. This team will supplement in-house expertise and provide much-needed support before, during, and after a breach. The ideal service provider will coordinate planning and map out an incident response strategy within the first 30 days, which significantly lightens the resource burden placed on your own team. To maximize your investment, confirm that you’re enlisting people who are well versed in responding to compromises of varying size and severity.

Once you’ve locked in your incident response provider, establish an internal incident response team and identify the key players so you can tackle the actual planning.

Planning Ahead.

A comprehensive incident response plan should outline the key stages of an incident investigation, from detection and analysis through containment, remediation, and cleanup. Here are four best practices to keep in mind as your plan comes together:

  1. Understand the data you want to protect. Is it financial data, such as credit card numbers or transactional information? Is it personally identifiable information or personal health information related to employees or customers? Is it intellectual property that your company keeps under digital lock and key?
  2. Factor in the regulatory, policy, or legal drivers that will shape incident response decisions. Most organizations operate in a regulated industry, and knowing the parameters (HIPAA or PCI DSS mandates, for example, each with their own notification timelines) can make the difference between failure and success. A breach response hasn’t been successful if, at the end of the investigation, fines are levied against the business.
  3. Think about communication requirements. How do you communicate with employees? Your customer base? Will the executive team be anxious for updates, and what’s the appropriate frequency for those updates? What actions do you want people to take? For example, an organization hit by a spear phishing campaign may want to warn staff against clicking certain links or opening certain attachments.
  4. Consider who needs to be involved in the communication itself. Do you want to bring your corporate communications team on board? What about human resources or legal? These entities should be notified in advance and involved in the planning, so they know their role and can act efficiently when it counts.

Real-Life Threat Simulation.

Practice makes perfect, and the world of incident response is no exception. Scheduling time to “kick the tires,” so to speak, means you won’t discover outdated technology or untrained staff when you’re down to the wire with no time to spare.

A product doesn’t go to market without undergoing extensive testing. In the same vein, a dress rehearsal can expose vital gaps in an incident response plan. The fundamental goals of a rehearsal are to practice and optimize. It allows the players to understand exactly how to behave in the wake of a security incident, so that come show time, the team operates like a well-oiled machine.

Once the team has established how it will react to a threat scenario, practice executing the plan. Schedule a walkthrough and decide on the initial infection vector. This can be anything from a spear phishing attack to entry through a third-party vendor’s access, which is how many notable breaches have happened, including Target. To make this scenario as real and as high-stakes as possible, the attacker’s end goal should be exfiltrating your company’s most valuable data (see item 1 above).

Next, pinpoint when and how people and technology will identify and locate the threat. From there, focus on the attacker’s level of sophistication. In other words, are they using advanced techniques or basic ones? How are they moving around the network? Is data escaping through a steady trickle or a large blast? Technical staff should attempt to chase the attacker through the network and, depending on the maturity of the organization, provide feedback on the evidence uncovered along the way.
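To make the “trickle or blast” question concrete during a rehearsal, the following Python example (added here; it is not code from the original post or Rapid7 product output) runs two simple detections over constructed outbound-flow records: a sliding-window check that catches a large burst to one destination, and a per-destination hourly count that catches a low-and-slow trickle that never trips a volume threshold. The host names, addresses, byte counts, and thresholds are assumptions chosen to illustrate both shapes.

```python
"""Flag two exfiltration shapes in outbound-flow records: a large burst and a
low-and-slow trickle. Added example for a rehearsal; all records, names and
thresholds are constructed assumptions, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed sample: (timestamp, source host, destination, bytes out).
    db01 blasts 1.5 GB to one host within six minutes; ws07 sends 2 MB every
    hour to one host for a day; ws12 is ordinary browsing to many hosts."""
    base = datetime(2015, 6, 1, 0, 0)
    flows = []
    for m in range(6):      # burst: six 250 MB transfers in six minutes
        flows.append((base + timedelta(hours=3, minutes=m),
                      "db01", "203.0.113.9", 250_000_000))
    for h in range(24):     # trickle: 2 MB per hour, same destination all day
        flows.append((base + timedelta(hours=h),
                      "ws07", "198.51.100.4", 2_000_000))
    for h in range(8, 18):  # benign: a different destination each hour
        flows.append((base + timedelta(hours=h),
                      "ws12", f"192.0.2.{h}", 300_000))
    return flows


def _group_by_pair(flows):
    """Bucket flows by (source, destination) as lists of (timestamp, bytes)."""
    groups = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        groups[(src, dst)].append((ts, nbytes))
    return groups


def detect_burst(flows, window=timedelta(minutes=5), threshold=1_000_000_000):
    """Return (src, dst, bytes) for every pair whose outbound volume inside any
    sliding time window exceeds the threshold. Two-pointer sweep per pair."""
    hits = []
    for (src, dst), recs in _group_by_pair(flows).items():
        recs.sort()
        total, start = 0, 0
        for end, (ts, nbytes) in enumerate(recs):
            total += nbytes
            while ts - recs[start][0] > window:   # drop records that fell out
                total -= recs[start][1]
                start += 1
            if total > threshold:
                hits.append((src, dst, total))
                break                             # one alert per pair is enough
    return sorted(hits)


def detect_trickle(flows, min_hours=12, max_bytes_per_hour=10_000_000):
    """Return (src, dst, hours_seen, total_bytes) for pairs that talk in many
    distinct hours yet stay under the per-hour volume that a burst rule would
    catch. This is the steady-drip pattern a volume threshold alone misses."""
    hits = []
    for (src, dst), recs in _group_by_pair(flows).items():
        per_hour = defaultdict(int)
        for ts, nbytes in recs:
            per_hour[ts.replace(minute=0, second=0, microsecond=0)] += nbytes
        if len(per_hour) >= min_hours and max(per_hour.values()) <= max_bytes_per_hour:
            hits.append((src, dst, len(per_hour), sum(per_hour.values())))
    return sorted(hits)


if __name__ == "__main__":
    sample = build_sample_flows()
    for hit in detect_burst(sample):
        print("BURST   src=%s dst=%s bytes=%d" % hit)
    for hit in detect_trickle(sample):
        print("TRICKLE src=%s dst=%s hours=%d bytes=%d" % hit)
```

During the walkthrough, the useful exercise is to ask which of the two rules the planned scenario would actually trigger, and how long after the first flow the alert would fire; the trickle rule here needs twelve hours of history before it says anything, which is exactly the kind of detection gap a rehearsal should surface.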

The rehearsal should end with a sharing of lessons learned. An incident response service provider can certainly help with this piece by proactively identifying areas for improvement. Everyone involved should offer feedback on the tools that were used, as well as on the group’s overall level of communication and effectiveness.

Confidence, not Chaos.

Once someone discovers a breach or flags a suspicious security incident, the wheels are set in motion. Time is of the essence. The attacker needs to be stopped before they can do substantial damage; meanwhile, the targeted company must communicate the threat to the appropriate parties while still capturing necessary evidence in the event of an investigation.

Incidents can, of course, vary in scale. But regardless of whether it’s a small malware outbreak or a targeted attack on a client environment for the purpose of financial gain, the reality is that if you have a plan in place you’ve already gone a long way towards setting your business up for success. Your team can act quickly and confidently without second-guessing a decision or wasting precious hours determining next steps, instead focusing efforts on where they’re most needed: rapid response, investigation, and remediation.


Rapid7 cybersecurity analytics software and services reduce threat exposure and detect compromise for 3,500 organizations, including 30 percent of the Fortune 1000. From the endpoint to the cloud, we provide comprehensive real-time data collection, advanced correlation, and unique insight into attacker techniques to fix critical vulnerabilities, stop attacks, and advance security programs. To better understand how Rapid7 can help you assess your organization’s security, give us a call at 866-7-Rapid7 or visit our website.
