Blog — Jul 14, 2021

Hooked by Phisherman: Quarterbacking Breach Response with Law Enforcement

Takeaways from an RSA expert panel moderated by eSentire’s Mark Sangster

RSA Conference 2021, one of the most significant events on the cybersecurity calendar, has come and gone. We know that keeping up with all the news and announcements surrounding RSA can be quite a challenge, so in case you missed it live, we wanted to provide a quick recap of Hooked by Phisherman: Quarterbacking Breach Response with Law Enforcement.

Moderated by our own Mark Sangster, this one-hour session tapped into the experience of a distinguished panel of experts who discussed the important factors that contribute to a resilient breach response.

To be clear, no short blog post can capture the detail and nuance of the session, so we encourage you to set aside some time to watch it (and be ready to take notes!) or to download and read this accompanying resource. To (very) briefly summarize, here are three major topics the experts examined and five ways you can get started to better position yourself to respond to a cybersecurity incident.

Preparation is paramount to executing an effective breach response

When a breach is detected (or, say, when you realize you’ve fallen prey to Funds Transfer Fraud), everyone is immediately under enormous pressure to make high-impact decisions, quickly and correctly. The emotional strain, though often overlooked, cannot be underestimated and is a major contributor to detrimental delays. The only way to use the critical early hours effectively is to have an Incident Response (IR) plan in place ahead of time, capturing likely attack scenarios, defining team roles and responsibilities, prescribing timelines, and describing in detail which third parties need to be contacted, how to contact them and when.

The consensus of the panelists is that attackers like to detonate ransomware on weekends, for maximum impact, which can create chaos if it’s difficult to get hold of key personnel. And for those who lack an IR plan, critical time is wasted simply building a team—which is a necessary precursor to actually working the problem (e.g., assessing technical impact, engaging with law enforcement, attempting to recover, etc.).

When you’re looking at how to prepare, be sure to consider how law enforcement (LE) agencies can assist. In many cases, they can help recover stolen funds or even paid crypto ransoms. While many people think of LE as reactive, in reality they are very proactive and agencies can assist with IR planning, conducting tabletop exercises, training, securing executive buy-in and so on. Plus, establishing these relationships ahead of time means you know exactly who to call in the event of an incident.

Another misconception is that LE assistance is limited to Fortune 500s, but that’s not at all the case—LE agencies work extensively with industry associations and chambers of commerce to reach the small and medium business (SMB) community.

Additionally, make sure you have cyber insurance, but also make sure you understand your cyber insurance coverage and recognize that it’s a tool, not a panacea. The right type of coverage depends upon the specific risks facing your business (tabletops can be a great way to expose these risks!). Cyber insurance is a complex domain in and of itself, so be sure to consult with experts and to update your IR plan with appropriate contact details, policy information, etc.

Finally, take care to understand your regulatory and contractual obligations as they relate to security incidents; at the same time, make sure you understand your vendors’ and suppliers’ obligations (and consider writing notification requirements into your contracts with them).

If you become the victim of a breach, contact law enforcement right away!

All the preparation in the world won’t prevent an incident—but it will put you in the best position to respond. One of the first responses should be engaging with law enforcement, ideally within 24 hours and certainly within 72 hours (especially if you want to have any hope of recovering lost funds).

Many LE agencies deal with cybercrime, including the FBI, DHS, and Secret Service—the key is to contact someone and to be prepared with information (i.e., don’t just send an email that says, “We’ve got ransomware!”). Your IR plan should specify which agency/agencies to contact; ideally, you already worked with them to prepare your plan.

Unfortunately, many victims are hesitant to contact law enforcement out of fear that doing so will have unintended negative consequences. But these fears are misplaced: LE’s interest is in solving the problem, not publicizing the incident. In many cases, they will be able to provide valuable—perhaps vital—technical assistance, and in some ransomware instances they may even have decryptor mechanisms at the ready. LE agencies can also act on your behalf to coordinate with financial institutions to trace and recover funds.

Plus, engaging with LE might be required by your insurance policy and doing so can have a substantial mitigating effect on your own liability.

Ensure your C-suite is familiar with cybersecurity in general and their specific responsibilities in the event of an incident

To underscore the main point, preparation is paramount. And part of preparation means having leaders who are sufficiently versed in cybersecurity concepts in general and who understand their specific responsibilities in the event of an incident.

All too often, part of the response team is speaking in technical and cyber terms, and part is speaking in dollars and cents. A crisis is no time to write a dictionary! When everyone understands the relationship between cyber incidents and business impact ahead of time, it allows the whole team to focus on coordinating and executing an effective response.

As noted above, proactively engaging with law enforcement is an effective way to secure support throughout the organization, but especially within the C-suite.

Additionally, tabletop exercises provide a safe space in which to learn, make mistakes, uncover surprises, assess risk, etc. These can go a long way to changing a perception from “I’m sure we’ll be fine…” to “We need an IR plan!”

How you can get started

Managing a data breach or ransomware attack demands that legal counsel, law enforcement, insurance and data forensics all bring their perspective to the coordinated effort to recover. Unfortunately, most companies are unprepared to deal with a cyber incident and rob themselves of valuable resources available from law enforcement because of perceived risks of public exposure, potential liability or a knock on their door by regulators.

We implore you not to repeat the mistakes already made by so many organizations. Instead, take the time to prepare a detailed incident response plan (we can help!), and proactively engage with law enforcement as well as your insurance carrier. Doing so will go a long way toward mitigating damages and positioning you to return to operations in a fraction of the time of going it alone.

Here’s how you can get started:

  1. Connect with law enforcement: including local municipal and state police, the FBI and the U.S. Secret Service. Federal authorities have specific task forces and local representation.
  2. Consult with your cyber insurer: understand your policy, minimum standards, what’s covered, and rules of engagement.
  3. Identify and inventory privileged data: know what data you have under management, map its flow through your internal and vendor systems, and document your privacy, industry, regulatory and customer obligations.
  4. Build your incident response plan: including team roles and responsibilities, contact information, top 10 incident scenarios, triggers and notification strategies.
  5. Conduct incident response scenarios: Gather your team and test specific scenarios. Ensure you include executives, owners or managing partners.

At eSentire we believe every business should have an incident response plan and incident response retainer. As the panel discussed, cybersecurity incidents can disrupt operations, and lead to the loss of services, data and assets. How quickly an incident can be contained and remediated is paramount. To learn more about eSentire’s Digital Forensics and Incident Response services, connect with an eSentire Security Specialist.

Are you experiencing a security incident or have you been breached? Call us now at 1-866-579-2200 or (0)8000443242.

eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 1000+ organizations in 70+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.