10 Cyber Incident Response Tips From Those Who've Had a Breach and Lived to Tell About It

SAN FRANCISCO -- RSA CONFERENCE -- Cybersecurity leaders who have seen a cyberattack from the inside shared their best advice and cautionary tales, here Monday. Their recommendations had very little to do with technology -- no suggestions about the latest bells and whistles available on the expo hall -- and very much to do with crisis communication, process documentation, and friendship.

Patricia Titus, chief information security officer (CISO) of Booking Holdings Inc., moderated the panel "Life After the Breach: A Survivor's Guide." The panelists included Tim Crothers, CISO of Mandiant; Russ Ayres, SVP and deputy CISO of credit bureau Equifax; and John Carlin, a partner at Paul, Weiss.

The panelists have extensive experience dealing with the aftermath of a cyber incident. Previously, Crothers worked for Target, joining in 2014 to help rebuild their security reputation shortly after their legendary 2013 data breach. Ayres was with Equifax during its 2017 data breach, which exposed the personally identifiable information of 143 million US consumers and 240,000 US consumers' credit card numbers. Carlin served in the US Department of Justice as Acting Deputy Attorney General, developing DOJ's ransomware taskforce, and contributing to the response to the incidents at SolarWinds and Colonial Pipeline.

Related:Why Cyber Resilience May Be More Important Than Cybersecurity

Here are some of the key pieces of advice they gave to CISOs and other IT leaders who may find themselves having their worst day ever:

1. What seems funny today...isn't

John Carlin: "You and your people are going to be working 24/7. That's when people get punchy. You're going to be using all these real-time communications -- they get preserved, they legally have to be preserved. Make sure you do refresher lessons on 'smart comms' to remind everybody: What seems funny now, does not look funny two years from now when you're in a deposition or up in Congress. That little reminder can save you and your company so much pain."

2. Establish 'privileged communications' with incident responders

Tim Crothers: "If you're a CISO, general counsel should be your best friend."

Carlin: "You think originally it's going to be a small incident, so you bring in the incident responder without [legal] privilege. And it turns into a big mess. And now you want to protect some of those early communications, but you didn't bring them in originally through [legal] counsel, so you can't protect those communications."

3. You've got a friend in cybersecurity

Russ Ayres: "You're going to think that you're likely not going to get through this. The first thing to consider is: You have friends in this group. This group is a very close-knit community. Reach out to your community ... The reality is if you reach out to somebody, they've been through it before and they're going to have all the answers you need and give you all the help you need."

Related:Apparel Giant VF Corp. Discloses Cyberattack Under New SEC Rules

4. Meet your crisis comms now

Crothers: "Why is comms important? Because everybody wants to know if you're under control."

Carlin: "Think about who the third-party crisis communications firm is that we're going to bring in. Let's meet them beforehand so they know our values and make sure they are not the same people we go to for good news days."

5. Prepare your seconds-in-command

Patricia Titus: "What happens if your CSO or CISO is unavailable? Are you practicing to make sure your second, third, fourth tier down have the competency to pick up the reins if it happens?"

Ayres: "You look at our situation [before the Equifax breach], the CEO left, CIO left, the CSO left … At the same time three of our business leaders were locked in a [Securities and Exchange Commission] inquiry. … Six of our major leaders who you would have depended on for wargaming were gone. … You have to think about your seconds."

6. Rebuilding trust takes more time than you think

Related:Cyberattack Disrupts Operations at Johnson Controls International

Crothers: "The biggest thing that you probably won't anticipate is just the sheer lack of trust. So with a significant breach, if you've not handled the comms well, and/or you've got a well-loved brand and folks feel betrayed (because again you didn't handle the comms as well) you've got essentially all these organizations that you have to deal with -- auditors, etc. -- who really aren't believing you … One of the things that, prior to dealing with these breaches, that I didn't anticipate was how much work you're going to invest to regain that trust, regain that credibility for that organization, in order to just conduct business."

7. Make wargames realistic

Crothers: "On the wargaming front, do it without your CISO … You're on a plane from Paris to Minneapolis, so on the first 10 hours of the incident, they've gotta go without you, and see how it unravels."

Carlin: "Don't have the answers. Do an exercise in which they ask you: 'How long will it take to get back up?' 'I don't know' 'How did this happen?' 'I don't know, and I may not know for weeks, maybe months, maybe ever.'"

8. Document your risk decisions

Carlin: "As the regulator, as the lawyer, as the person investigating the event, they tend to work the chain backwards. They'll ask what system was this, and who was in charge of having control of this system? And so often, in the major incidents I've responded to, it was something outside the purview of the CISO. So for whatever reason, the business made an exception, or it wasn't properly inventoried, and that's what gets hit. It's the surprise.

"...'yes, but this system was an exception, or we just acquired this system, or this was a system that a key business exec really needed to use at the time, or we had tech debt.' These are real issues. But the problem is that the problem wasn't memorialized in a way with a risk register, with a compensating control where you can show that you thought about that issue and it was a conscious choice at the time."

9. Expect the unexpected

Carlin: "We found wargames so effective that the president of the United States and the Cabinet participated in them … We war-gamed for years what it would look like if a rogue nuclear-armed nation attacked the US through cyber means. I don't know if you remember what that first attack was -- we thought it would be electric, or the water grid -- but no, it was a movie about a bunch of pot-smoking journalists." (Carlin, referencing the North Korean state-sponsored attack on Sony Pictures Entertainment, in response to the movie "The Interview")

10. Get back to basics

Ayres: "Know what you want to patch, how often. … Inspect what you expect. I can't tell you the number of things that were just running that we thought were working, but when you dig into it, it doesn't work like you think."