I’ve Been Hacked, Now What?

“The hacker didn't succeed through sophistication. Rather he poked at obvious places, trying to enter through unlock doors. Persistence, not wizardry, let him through.”

-Clifford Stoll (The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage)

For those just starting to build a cybersecurity program the challenges seem daunting. There are several cybersecurity frameworks that you can choose from, and they all have their benefits to help you on your journey to building a successful program. Most frameworks start with the basics: inventory your assets, protect your data and endpoints, and get a hand on your user account security. Once those things are in place, then you get to focus on proactive security measures such as vulnerability management, security monitoring, and penetrations testing. These are all things that need to be addressed to secure your organization’s data, employees, and public reputation, but what happens if you have a major security event at the beginning of your journey? That’s where the interim incident response plan comes in.

For organizations that do not have a well-seasoned cybersecurity program and are still working on discovering what all their risks are and are still in the asset discovery phase, you need something in place in case you have a security incident while you’re working to get your program off the ground. If something happens today, do you know who to call and does your staff know what they are allowed to do?

An interim incident response plan is just the beginning of your overall Incident Response Plan (IRP) and it’s a living document that you keep revising as you go along. To get started you need to have the basics down, short and to the point.

Who needs to be contacted if we have major security event? You need to have these contacts in place before hand, so you don’t waste valuable time figuring it out during a crisis. Contact your supervisor and have a list of who else should be contacted in your organization and how often you need to give updates. Your initial list doesn’t have to be extensive; it should focus on letting your organization’s leadership and response team know what happened. You need to have these contacts easily accessible and shared with the team before an event occurs.

After creating your contact list, you need to ensure all the members of the response team (internal and external) know that they are part of the team. You’d be surprised how often a plan is put in writing, but team members are not informed of their role. Ground rules also need to be set to empower the response team to make decisions during an event that will not cause them negative consequences. Be sure to include what actions responders can take without asking for approval. Examples would be granting permission to disable a user account, cutting off internet services, or interrupting operations by shutting down an application server. You do not want a team member waiting on a response for permission to act while your organization is still bleeding.

While an interim incident response plan is only the beginning of a mature IRP, it will help to give your team and management peace of mind by letting everyone know what their role is if a breach occurs while you’re building your cybersecurity program.

Good luck on the never-ending cybersecurity journey,

-TAGITM Cybersecurity Committee, Lindsay Rash - CGCIO