Takeaways from an RSA expert panel moderated by eSentire’s Mark Sangster
RSA Conference 2021, one of the most significant events on the cybersecurity calendar, has come and gone. We know that keeping up with all the news and announcements surrounding RSA can be quite a challenge, so in case you missed it live, we wanted to provide a quick recap of Hooked by Phisherman: Quarterbacking Breach Response with Law Enforcement.
Moderated by our own Mark Sangster, this one-hour session tapped into the experience of a distinguished panel of experts who discussed the important factors that contribute to a resilient breach response.
To be clear, no short blog post can capture the detail and nuance of the session, so we encourage you to set aside some time to watch it (and be ready to take notes!) or to download and read this accompanying resource. To (very) briefly summarize, here are three major topics the experts examined and five ways you can get started to better position yourself to respond to a cybersecurity incident.
When a breach is detected (or, say, when you realize you’ve fallen prey to a Funds Transfer Fraud), everyone is immediately under enormous pressure to make high-impact decisions, quickly and correctly. Plus, while it’s often overlooked, the emotional strain cannot be underestimated and is a major contributor to detrimental delays. The only way you can use the critical early hours effectively is to have an Incident Response (IR) plan in place ahead of time, capturing likely attack scenarios, defining team roles and responsibilities, prescribing timelines and describing in detail which third parties need to be contacted, how to contact them and when.
The consensus of the panelists is that attackers like to detonate ransomware on weekends, for maximum impact, which can create chaos if it’s difficult to get hold of key personnel. And for those who lack an IR plan, critical time is wasted simply building a team—which is a necessary precursor to actually working the problem (e.g., assessing technical impact, engaging with law enforcement, attempting to recover, etc.).
When you’re looking at how to prepare, be sure to consider how law enforcement (LE) agencies can assist. In many cases, they can help recover stolen funds or even paid crypto ransoms. While many people think of LE as reactive, in reality they are very proactive and agencies can assist with IR planning, conducting tabletop exercises, training, securing executive buy-in and so on. Plus, establishing these relationships ahead of time means you know exactly who to call in the event of an incident.
Another misconception is that LE assistance is limited to Fortune 500s, but that’s not at all the case—LE agencies work extensively with industry associations and chambers of commerce to reach the small and medium business (SMB) community.
Additionally, make sure you have cyber insurance, but also make sure you understand your cyber insurance coverage and recognize that it’s a tool but not a panacea. The right type of coverage depends upon the specific risks facing your business (tabletops can be a great way to expose these risks!). Cyber insurance is a complex domain in and of itself, so be sure to consult with experts and to update your IR plan with appropriate contact details, policy information, etc.
Finally, take care to understand your regulatory and contractual obligations as they relate to security incidents; at the same time, make sure you understand your vendors’ and suppliers’ obligations (and consider writing notification requirements into your contracts with them).
All the preparation in the world won’t prevent an incident—but it will put you in the best position to respond. One of the first responses should be engaging with law enforcement, ideally within 24 hours and certainly within 72 hours (especially if you want to have any hope of recovering lost funds).
Many LE agencies deal with cybercrime, including the FBI, DHS, and Secret Service—the key is to contact someone and to be prepared with information (i.e., don’t just send an email that says, “We’ve got ransomware!”). Your IR plan should specify which agency/agencies to contact; ideally, you have already worked with them to prepare your plan.
Unfortunately, many victims are hesitant to contact law enforcement out of fear that doing so will have unintended negative consequences. But these fears are misplaced: LE’s interest is in solving the problem, not publicizing the incident. In many cases, they will be able to provide valuable—perhaps vital—technical assistance, and in some ransomware instances they may even have decryptor mechanisms at the ready. LE agencies can also act on your behalf to coordinate with financial institutions to trace and recover funds.
Plus, engaging with LE might be required by your insurance policy and doing so can have a substantial mitigating effect on your own liability.
To underscore the main point, preparation is paramount. And part of preparation means having leaders who are sufficiently versed in cybersecurity concepts in general and who understand their specific responsibilities in the event of an incident.
All too often, part of the response team is speaking in technical and cyber terms, and part is speaking in dollars and cents. A crisis is no time to write a dictionary! When everyone understands the relationship between cyber incidents and business impact ahead of time, it allows the whole team to focus on coordinating and executing an effective response.
As noted above, proactively engaging with law enforcement is an effective way to secure support throughout the organization, but especially within the C-suite.
Additionally, tabletop exercises provide a safe space in which to learn, make mistakes, uncover surprises, assess risk, etc. These can go a long way to changing a perception from “I’m sure we’ll be fine…” to “We need an IR plan!”
Managing a data breach or ransomware attack demands that legal counsel, law enforcement, insurance and data forensics all bring their perspective to the coordinated effort to recover. Unfortunately, most companies are unprepared to deal with a cyber incident and rob themselves of valuable resources available from law enforcement because of perceived risks of public exposure, potential liability or a knock on their door by regulators.
We implore you not to repeat the mistakes already made by so many organizations. Instead, take the time to prepare a detailed incident response plan (we can help!), and proactively engage with law enforcement as well as your insurance carrier. Doing so will go a long way toward mitigating damages and positioning you to return to operations in a fraction of the time of going it alone.
Here’s how you can get started:
At eSentire we believe every business should have an incident response plan and incident response retainer. As the panel discussed, cybersecurity incidents can disrupt operations, and lead to the loss of services, data and assets. How quickly an incident can be contained and remediated is paramount. To learn more about eSentire’s Digital Forensics and Incident Response services, connect with an eSentire Security Specialist.
eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.