
Hooked by Phisherman: Quarterbacking Breach Response with Law Enforcement

Takeaways from an RSA expert panel moderated by eSentire’s Mark Sangster

BY eSentire

July 14, 2021 | 6 MINS READ

Incident Response

Cybersecurity Strategy



RSA Conference 2021, one of the most significant events on the cybersecurity calendar, has come and gone. We know that keeping up with all the news and announcements surrounding RSA can be quite a challenge, so in case you missed it live, we wanted to provide a quick recap of Hooked by Phisherman: Quarterbacking Breach Response with Law Enforcement.

Moderated by our own Mark Sangster, this one-hour session tapped into the experience of a distinguished panel of experts who discussed the important factors that contribute to a resilient breach response.

To be clear, no short blog post can capture the detail and nuance of the session, so we encourage you to set aside some time to watch it (and be ready to take notes!) or to download and read this accompanying resource. To (very) briefly summarize, here are three major topics the experts examined and five ways you can get started to better position yourself to respond to a cybersecurity incident.

Preparation is paramount to executing an effective breach response

When a breach is detected (or, say, when you realize you’ve fallen prey to Funds Transfer Fraud), everyone is immediately under enormous pressure to make high-impact decisions, quickly and correctly. Plus, while it’s often overlooked, the emotional strain cannot be underestimated and is a major contributor to detrimental delays. The only way you can use the critical early hours effectively is to have an Incident Response (IR) plan in place ahead of time, capturing likely attack scenarios, defining team roles and responsibilities, prescribing timelines and describing in detail which third parties need to be contacted, how to contact them and when.

The consensus of the panelists is that attackers like to detonate ransomware on weekends, for maximum impact, which can create chaos if it’s difficult to get hold of key personnel. And for those who lack an IR plan, critical time is wasted simply building a team—which is a necessary precursor to actually working the problem (e.g., assessing technical impact, engaging with law enforcement, attempting to recover, etc.).

When you’re looking at how to prepare, be sure to consider how law enforcement (LE) agencies can assist. In many cases, they can help recover stolen funds or even paid crypto ransoms. While many people think of LE as reactive, in reality they are very proactive and agencies can assist with IR planning, conducting tabletop exercises, training, securing executive buy-in and so on. Plus, establishing these relationships ahead of time means you know exactly who to call in the event of an incident.

Another misconception is that LE assistance is limited to Fortune 500s, but that’s not at all the case—LE agencies work extensively with industry associations and chambers of commerce to reach the small and medium business (SMB) community.

Additionally, make sure you have cyber insurance, but also make sure you understand your cyber insurance coverage and recognize that it’s a tool, not a panacea. The right type of coverage depends upon the specific risks facing your business (tabletops can be a great way to expose these risks!). Cyber insurance is a complex domain in and of itself, so be sure to consult with experts and to update your IR plan with the appropriate contact details, policy information, etc.

Finally, take care to understand your regulatory and contractual obligations as they relate to security incidents; at the same time, make sure you understand your vendors’ and suppliers’ obligations (and consider writing notification requirements into your contracts with them).

If you become the victim of a breach, contact law enforcement right away!

All the preparation in the world won’t prevent an incident—but it will put you in the best position to respond. One of the first responses should be engaging with law enforcement, ideally within 24 hours and certainly within 72 hours (especially if you want to have any hope of recovering lost funds).

Many LE agencies deal with cybercrime, including the FBI, DHS, and Secret Service—the key is to contact someone and to be prepared with information (i.e., don’t just send an email that says, “We’ve got ransomware!”). Your IR plan should specify which agency or agencies to contact; ideally, you will already have worked with them to prepare your plan.

Unfortunately, many victims are hesitant to contact law enforcement out of fear that doing so will have unintended negative consequences. But these fears are misplaced: LE’s interest is in solving the problem, not publicizing the incident. In many cases, they will be able to provide valuable—perhaps vital—technical assistance, and in some ransomware instances they may even have decryptor mechanisms at the ready. LE agencies can also act on your behalf to coordinate with financial institutions to trace and recover funds.

Plus, engaging with LE might be required by your insurance policy and doing so can have a substantial mitigating effect on your own liability.

Ensure your C-suite is familiar with cybersecurity in general and their specific responsibilities in the event of an incident

To underscore the main point, preparation is paramount. And part of preparation means having leaders who are sufficiently versed in cybersecurity concepts in general and who understand their specific responsibilities in the event of an incident.

All too often, part of the response team is speaking in technical and cyber terms, and part is speaking in dollars and cents. A crisis is no time to write a dictionary! When everyone understands the relationship between cyber incidents and business impact ahead of time, it allows the whole team to focus on coordinating and executing an effective response.

As noted above, proactively engaging with law enforcement is an effective way to secure support throughout the organization, but especially within the C-suite.

Additionally, tabletop exercises provide a safe space in which to learn, make mistakes, uncover surprises, assess risk, etc. These can go a long way to changing a perception from “I’m sure we’ll be fine…” to “We need an IR plan!”

How you can get started

Managing a data breach or ransomware attack demands that legal counsel, law enforcement, insurance and data forensics all bring their perspective to the coordinated effort to recover. Unfortunately, most companies are unprepared to deal with a cyber incident and rob themselves of valuable resources available from law enforcement because of perceived risks of public exposure, potential liability or a knock on their door by regulators.

We implore you not to repeat the mistakes already made by so many organizations. Instead, take the time to prepare a detailed incident response plan (we can help!), and proactively engage with law enforcement as well as your insurance carrier. Doing so will go a long way toward mitigating damages and positioning you to return to operations in a fraction of the time of going it alone.

Here’s how you can get started:

  1. Connect with law enforcement: including local municipal and state police, the FBI and the US Secret Service. Federal authorities have specific task forces and local representation.
  2. Consult with your cyber insurer: understand your policy, minimum standards, what’s covered, and rules of engagement.
  3. Identify and inventory privileged data: know what data you have under management, map its flow through your internal and vendor systems, and document your privacy, industry, regulatory and customer obligations.
  4. Build your incident response plan: including team roles and responsibilities, contact information, top 10 incident scenarios, triggers and notification strategies.
  5. Conduct incident response scenarios: Gather your team and test specific scenarios. Ensure you include executives, owners or managing partners.

At eSentire we believe every business should have an incident response plan and incident response retainer. As the panel discussed, cybersecurity incidents can disrupt operations, and lead to the loss of services, data and assets. How quickly an incident can be contained and remediated is paramount. To learn more about eSentire’s Digital Forensics and Incident Response services, connect with an eSentire Security Specialist.

Are you experiencing a security incident or have you been breached? Call us now at 1-866-579-2200 or (0)8000443242.


eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.
