Technology, by itself, is hardly ever the solution to our challenges. It’s more about shifting culture. Resilience is the practice of bending technology to the will of a culture that helps us solve the challenges of protecting + empowering our business when it is impacted by unplanned events of all kinds, including natural disasters, cyber attacks + data protection initiatives, like the GDPR.
While Resilience can only truly be tested during + in the hours, days + weeks following a cyber attack, for example, simulations can help define its strengths + weaknesses in quantifiable ways, saving precious time, money, resources + reputations. It also builds less quantifiable but critical assets like trust, morale + confidence in your team(s).
What follows are some insights gained from a recent live exercise I designed in which I performed some lateral movement on an internal corporate network, giving the response team a unique opportunity to test + build deeper fluency + familiarity with the Resilience Strategy we designed + implemented. While there are alternatives to live exercises (a superb synthesis of a tabletop exercise, written + shared by my friend Claus Cramon Houmann, lives here), any of these exercise types is valuable in the context of practical + memorable learning for teams in the wild world. The particular exercise I’m writing about here was carried out in collaboration with a client in a regulated industry who will remain anonymous for the sake of discretion.
Groups often literally celebrate how elevated they became during + after these exercises, both as teams and as individuals: more confident in their understanding of how their business operates, its vulnerabilities, crown jewels + how to protect their livelihoods when something unplanned happens in the context of security + privacy.
This particular exercise was quite an experience for me, too, having been trusted enough by them to empower them back. I trust some of you will find value in what I’ve shared below.
Insight #1: It is an understatement to say that these insights are rare, and the value of sharing them with organizations in preparation for incidents cannot be overstated. The task of researching post-mortems on attacks isn’t easy. Most organizations choose to remain anonymous + not share their lessons learned for obvious reasons (i.e. doing so can also make them more vulnerable to further attacks).
While I cannot argue with the merits of discretion, unfortunately this obscures many of the insights + specifics that could be gained, including the most common attack vectors, the defensive and offensive hardware and software in place during attacks, the business impact and the outcomes and lessons learned from these inputs. While there is a significant amount of general information available on the internet about theoretical scenarios, it is unusual for organizations to be transparent about these types of situations. Research is often fruitful only in a general or vague sense. For this reason, it can take some real time to begin to synthesize an approach that aligns with your specific culture.
Keep in mind, though, that being tight-lipped about breaches + how we handle them is becoming more + more challenging as the laws are changing, requiring more + more transparency. Be prepared to be open about real breaches. It will serve you well in the end, especially if you’re prepared. Not to mention, openness can also be a most powerful PR tool that creates opportunities that even the most elaborate, globally integrated marketing strategy cannot rival.
On the one hand, these exercises need not be so transparent in the context of publishing them in any detail. It’s not advisable. Doing so may reveal the kind of specifics about an organization’s technology environment that may be used against them. Exercises are their own reward, elevating + uniting teams arguably like no other activity can.
Which leads me to discuss yet another context + arguably the most important part of this number 1 item: be transparent about these exercises with partners, vendors + clients. Include as many of them as you can. Make them feel invested in the process in intentional ways. Doing so will build trust + confidence. Pure gold. Because when the real show comes to town, the first thing partners, vendors + clients want to do is assign blame. They want accountability. So, if you include these components of your ecosystem in your live or tabletop exercises, they not only find a quick win in the value of such work but have some fluency built in when it matters most + see you as a victim + not part of the problem in the midst of an incident. My clients are sick of hearing me say it: trust cannot be built in any better way in this day + age of privacy + security breaches. Include the people who power your business in these exercises. Always. You will only regret it if you don’t.
Meanwhile, I have worked with organizations that have gone through exercises without proper guidance and found only frustration with too much ambiguity and/or a too rigid, highly-technical focus. It is important to know there are some optimal ways to carry out these exercises and some less-optimal ways. It’s important the team feels successful in their efforts, too, in order to foster a sense of achievement and an elevated understanding of the environment they are being trusted to protect and respond on behalf of when things happen.
It is helpful to have some great tools for the team to use. For example, there are many great frameworks available, such as NIST’s ‘Computer Security Incident Handling Guide’, which provides a friendly balance of technical guidance and communication strategy that will be useful to organizations of any size or level of complexity.
Insight #2: Keep in mind that it is not essential that you or anyone on your team is specifically a cybersecurity expert. Cyber attack exercises are about building familiarity with the processes and procedures of handling incidents. The more familiarity + confidence you + your team have, the more effective you will be when the real show comes to town. Resilience is about empowerment. It’s about identifying tools + strategies that make us feel empowered + confident to be prepared for anything.
During this particular exercise, there were more non-technical people than technical ones + everyone was elevated in their understanding of how the business uses technology, not just the engineers, developers + IT support staff.
If you are the business leader, your focus during the first 24 hours of an incident will be about strategic leadership. All the hidden machinery, the technical components of these exercises, will be carried out by your technical team, so let them focus on those details. Your focus won’t be about the attack itself or describing how it happened as much as the potential consequences of it. The rest will come but it’s important not to release inaccurate information too soon by making presumptions before facts can be verified. Conversely, it’s also important to be prepared enough in advance that you’re not releasing information too late to make it look like you’re dragging your feet. It’s a delicate dance, which is why these exercises are so valuable. And advisable.
Insight #3: Resilience promotes good data protection. Period. It is crucial to prepare in advance to present what information security your organization had in place, including any specific standards that guide your due diligence, such as ISO 27001, GDPR, HIPAA, NIST, etc. That way, during a potential breach, you and your team will be quick to expedite the processes required to gather necessary forensic data + respond to external stakeholders and internal teams. Such preparation makes it much easier to illustrate how your organization takes data integrity and information security very seriously, + that your Resilience program is audited internally and externally following industry practices.
During our exercise, teams uncovered ways they could quickly improve processes + workflows in simple, friendly ways. Some of these even made sense from a productivity context, too, reducing complexity + time-to-deliver.
Insight #4: It is critical to visualize how news of a data breach will be disseminated within your organization. How will you notify + brief the response team? Keep in mind: people will talk + spread misinformation. There is always a threat to morale when leadership mishandles such sensitive incidents. What tactics, tools + strategies will be used to make sure complete + accurate information with a positive voice is quickly available to those responsible for managing the incident + that they are empowered with enough latitude to make decisions based on that information in a timely manner? Who within your organization is responsible for response to a cyber attack + are IT + senior management aware of how an incident would be managed? What components of a successful response are likely to be overlooked the first time?
These questions + more came up during this particular exercise and will likely come up during your first one, too. They always do. Answer them now, rather than in the midst of a crisis.
Insight #5: Let’s imagine your organization’s confidential personnel data was compromised, such as salary information, bank routing + account numbers, birth dates and other Personally Identifiable Information (PII) or Personal Information, as per the GDPR. This is something we will want to be sure to prepare for ahead of time by authoring communication information to your staff regarding the breach + what the next steps will be. Next steps will include informing them of your commitment to helping them minimize their risk of identity theft/fraud + giving them useful advice + even tools/resources to assist them.
During our exercise it was clear this information/communication needs to be poised, packaged in friendly, bundled ways, ready to go, because it takes some time to collect the information + put together a package that is accessible + that they can use right away. The longer you wait after discovering a breach, the greater their risk of identity theft + the greater the additional liability, too, that you do not want.
Insight #6: Even if only a small part of your technology infrastructure is hosted +/or managed by a third party, think through how you, your technical + operations teams will collaborate with those service providers to respond to some of the most common incidents + perhaps some less common ones. For example, if your Dev Team uses a hosted code repository solution that gets breached, what is the contingency plan? If the breach is related to a third party provider of identity access management, what resources are poised to work around a situation wherein your Directory Services are not available? What happens if a hosted environment (UAT, QA or live production) is compromised? How much fluency do your Dev, Sec (if you have one) + Ops teams have to quickly mitigate these scenarios + get back to work?
Figuring these scenarios out step-by-step in the midst of an incident is not awesome or optimal. During our exercise, coming up even with just some suggestions took an unacceptable amount of time, let alone planning out step-by-step checklists to act upon. When time is of the essence and getting third parties up to speed isn’t always easy, that combination can make or break a successful outcome, especially where your clients may be impacted by systems that are not directly under your control. Thinking these things through is a big focus of every Incident Response Exercise.
Insight #7: What information security strategies, tactics + tools does your organization have in place? Do you have a socialized Resilience Strategy? Is it accessible? Do you have lists of hardware, software + training materials, etc? Are you + your team working to adhere to good data protection standards, such as ISO, GDPR, HIPAA or NIST?
In case of a breach or potential breach, you will want to immediately expedite incident response processes in accordance with your Resilience Strategy, aligned with these laws + their definitions + expectations. This is where Resilience is pure gold + goes beyond mere compliance to any of these frameworks.
When we protect our data using good Resilience practices, our due diligence will stand up to any framework it is measured against. It will be easy for you to illustrate how data integrity + information security are taken very seriously by your organization when you can quickly provide these details demonstrating how your Resilience Strategy is designed to protect your data as well as that of your clients + partners, + that it is revisited on a regular, periodic basis to ensure its ongoing value to do just that.
Insight #8: In the midst of an incident you will need to inform your stakeholders who may be affected. It is advisable that you author general communication ahead of time that transmits a clear message that an incident has occurred, while showing some restraint about details. The goal is to keep communication flowing but not make any presumptions before the facts can be verified + conversely, make sure not to downplay the breach in case it’s worse than initially understood.
On the flip-side, if you wait too long to author + send something it can appear as if you are not being transparent, which can foster more distrust and tendencies towards blaming before all the facts are in.
This is another reason why these exercises are great platforms to have strategic discussions with your teams + even your clients rather than during an incident. It demonstrates initiative, is a differentiator from a competitive perspective + builds confidence + trust all around. Who would you prefer to hire? An organization that shows no sign of pro-actively preparing for cyber incidents? Or one that takes you on a friendly journey to understand how to respond ahead of time so that, when something happens, everyone is in it together? Incidents, regardless of size or scope, are stressful enough without adding the additional stress of being completely unprepared, untrusted + blamed by partners, vendors + clients. As I’ve already said, all of that adds to the stakes by putting your culture’s overall morale at risk.
The team in this exercise hadn’t thought this through, yet. Get ahead of it. Have these messages prepared ahead of time in template format. Get ahead of it.
Insight #9: It’s easy to overlook +/or neglect to consider insider threats. For example, technical contractors (Developers, Designers, IT Staff) who have direct access + work directly on your critical systems are always potential threats. Something happens to them, well, it happens to you. If their device(s) get malware on a public network at an airport or from a home wireless network, they then, in turn, deliver it to your infrastructure, too. There’s also the occasional disgruntled worker who maliciously destroys data. Be prepared for this because many of these nightmare scenarios are avoidable.
Be sure to vet your contractors + keep detailed records of who has had access to what, when + for how long. Make sure that, in addition to on-boarding procedures, your off-boarding procedures are comprehensive + designed with your + your clients’ best interests in mind in the context of protecting your data + that of your partners, vendors + clients. It will count.
It’s also a competitive differentiator.
Insight #10: Communication during a real cyber incident is key. Make sure your plans don’t only deal with the technical side of things or only communicating with stakeholders. Your communication plan will need to deal with an incident from many angles, including contexts like insurance, legal, technical, internal/external communication, etc. In our exercise, the technical teams had great tools + processes in place but left most everyone else out of the loop.
Make sure to consider them all, as each organization’s culture is unique + often overlooks at least one or two key things, as was the case in our exercise. Imagine yourself as one of your clients. What would make you feel most comfortable + confident in the midst of such a crisis? Make that your guiding principle.
Insight #11: Last but not least, remember that prevention is valuable on so many levels. It’s always easier, cheaper + less stressful than cure. Often, something as simple as correct hardware or software configuration (such as a properly configured firewall, wireless network or hosting environment) can prevent incidents before they occur. In our exercise, an improperly configured network device led to a breach that could have otherwise been very easily avoided. Invest in training your staff. They will thank you for it and one day, when something happens, your clients will, too.
Most importantly: being pro-active is the best cultural armor. Being unprepared always puts morale at risk. That’s even harder to recover from than a data breach.
Two things are crucial to minimizing your organization’s risks. Number one is building awareness in your organization’s personnel that reduces the likelihood they are going to click on something they shouldn’t, configure something incorrectly or otherwise make a mistake that puts the entire organization at risk. Resilience needs to be integrated into everything we do. Period.
A close second is a comprehensive understanding of your organization’s technology environments, by defining + prioritizing the biggest risks + most valuable components by establishing a well thought out Resilience Strategy. When your teams have a complete + accurate understanding of exactly how your business uses technology, its risk + priorities, you will be able to determine your organization’s tolerance for risks of all kinds. From this, your Resilience Strategy will be as effective as it can be, able to adapt to your business as it grows + the threat landscape continues to evolve.
Thanks for reading.