The phone rings in the middle of the night. It’s the Security Operations Centre and a server containing vital data has been hacked. It isn’t known how the attackers got in, how long they’ve been active, or what else might have been compromised. In the heat of the moment, emotions and adrenaline are running high, and a well-rehearsed Incident Response Plan helps keep heads calm and avoids knee-jerk reactions with unforeseen consequences.
Vital first steps are followed precisely and immediately: key stakeholders are engaged, log files are pulled, and lawyers are mobilised. At this point, cyber incident responders face a difficult fork in the road: monitor the situation, or lock everything down while you still can? Each approach has benefits and drawbacks, and as this year’s major cyber security incidents have shown, the most difficult decisions are those that are often the most challenging to plan for.
Monitoring a live attack invariably helps an organisation gain a better understanding of an incident, including compromised accounts, lateral movements, and the data being targeted or accessed. However, this approach can be fraught with legal and reputational risk, due to the potential for further data loss or compromise. Further, this approach requires the collection, analysis and reporting of intelligence, which takes valuable time that is in short supply after a breach.
With the benefit of hindsight, such a course of action can appear complacent or downright irresponsible. Even still, sometimes this risk is acceptable, especially where attribution is critical or where state actors may be present and national security is at stake.
On the other hand, while cauterising an incident as soon as it is detected appears more sensible on the surface, it is not without its own dangers. Containing an incident by isolating the affected network may impact customers, drastically reduce operational effectiveness, or worse still, alert the adversary they’ve been sprung, potentially causing them to cover their tracks by destroying data or infrastructure. If information has already been compromised, it is also possible a panicked attacker might react maliciously and disseminate data.
This year, the German Federal Office for Information Security received public condemnation for not notifying politicians and officials of an incident that ultimately resulted in the public disclosure of hundreds of their personal records. Whether notifying the victims earlier could have allowed affected individuals to better prepare themselves or would have simply compromised an ongoing investigation is an open question.
In the wake of this year’s hack against Australia’s Parliament and major political parties, the head of Australia’s Cyber Security Centre, Alastair MacGibbon, highlighted exactly this dilemma faced by cyber responders. His statement that a calculated decision was made to take ‘overt action’ to secure the system, at the cost of forensic evidence, underscores the ‘cauterise or collect’ predicament following a major incident.
Myriad variables impact the better path to follow, such as the type of data potentially affected, the risk tolerance of the organisation, the nature of the suspected threat actor (including potential extortion attempts), and the duration and method of compromise. Identifying such variables in advance, mapping out responses, and rehearsing frequently mean security professionals can react quickly and effectively, freeing up vital time and resources to ensure a bad situation isn’t made worse.
The increased regulatory pressure from the Privacy Amendment (Notifiable Data Breaches) Act has only compounded the necessity for organisations to be prepared for a cyber incident, as well as the pressure placed on first responders. While such schemes have been a huge step in the right direction for increasing accountability and bringing the reality of cyber threats to the public eye, there is a real risk of organisations focussing on self-preservation rather than meaningful remediation. This has only amplified the stakes of the post-breach dilemma.
An unfortunately common story for technical staff navigating an increasingly complex regulatory environment is being forced to wait for the legal team to determine culpability prior to undertaking technical remediation. In at least one case, this delay has resulted in the exfiltration of data hours after the detection of compromise.
It is only by planning for when, not if, a breach occurs that cool heads can prevail in a time of crisis. Nonetheless, organisations must be wary of growing complacent in an ever-changing threat environment. Through workshopping and planning, and informed investment in security technologies, businesses can proactively prepare for the edge cases that test our assumptions or break our response plans. Deciding whether to collect or cauterise following an incident is a delicate balancing act that defines the lives of security analysts. Armed with a comprehensive and well-rehearsed incident response plan, it is a tightrope that can at least be walked with a safety net.