eguide: Designing a Continuous Response Architecture Breach Preparation: Plan for the Inevitability of Compromise

Transcription

1 : Designing a Continuous Response Architecture Breach Preparation: Plan for the Inevitability of Compromise

2 Summary You can t open a newspaper or visit an online news site these days without some mention of a cyber attack or data breach. These activities are becoming more prevalent, and as a result, the reporting of these activities is also on the rise. Bit9 + Carbon Black reached out to a series of experts to collect their thoughts and advice on dealing with data security incidents or breaches. This eguide includes observations from a data forensics expert, an attorney who works closely with board-of-directors-level management, a crisis communications professional, and an incident responder and technical expert. These viewpoints deliver a comprehensive insight into the best practices, technologies and solutions that are used to try and avoid or mitigate the effects of cyber attacks. One theme that came through in each conversation was preparation. All of the experts suggested that companies not only must have an incident response (IR) plan in place, but must regularly rehearse the plan as part of a best-practices policy. The preparation plan should cover large strategic issues such as making sure the board is advised as soon as the company discovers a breach, as well as tactically understanding how a breach is identified within an organization and by whom. Other questions the plan should answer include: + + What solutions are or should be put in place? + + When and how should we communicate to customers and the public? + + Should we hire outside consultants? + + Does the board have visibility into this plan? + + How would the response team communicate in the event of a company network outage? + + Who should be on the response team? One point was very clear: compromise is inevitable. Each expert shared suggestions and observations based on first-hand experience. Our interviews showed that one pillar of a good response plan is the assumption that all response and investigative activities should take place with the expectation that potential legal action will follow a breach. This can shape the response team and investigative process. Two of our experts emphasized that any investigation or IR activities should be conducted by outside legal counsel to ensure the information and data discovered are covered under attorney-client privilege. This protects the company s interests in the long run while ensuring public responses are fully vetted and accurate. While this may not always make for a transparent investigation, it does ensure some protection for the company. Our crisis communications expert suggested the need to temper response speed with accuracy, and reminded us that a company s response to its customers needs to reflect the customers concerns and worries, not the company s. This eguide should help your organization build an IR plan and team. 2

3 PHOTO of Gus If there is one overarching success that we in the cybersecurity community can claim over the last year to 18 months, it s that the mantra this is not a server room issue, it s a boardroom issue has finally started to take hold. There are a multitude of reasons for this important mindset change: first, the proliferation of high-profile attacks, including J.P. Morgan Chase and Target; second, the realization that the costs of a successful attack can be high, not just on the balance sheet but on a company s reputation, stock price, and willingness of customers to continue doing business with it; and third, the swirl of government agencies flexing their muscles to regulate and investigate breach victims, not to mention breach-related lawsuits. For all of these reasons, boards are appropriately focused on cyber security as an enterprise risk. But what should they be doing? To understand what it is a company has and what s important to protect, Coldebella recommends a top-to-bottom risk assessment of the type that his former agency, DHS, would conduct. Think about risk, vulnerability and consequence. As far as risk goes, the bad guys are well known: criminals seeking money, payment card data, and identities; state-sponsored attackers seeking secrets or network control; and hacktivists, seeking to deface or embarrass. When he was the general counsel at the U.S. Department of Homeland Security, part of Gus Coldebella s job was helping to lead the effort to improve security of the federal government s.gov computer networks. Now that he is back in private practice as a partner at Goodwin Procter LLP in Boston and Washington D.C., Gus is doing the same for his clients: companies, both public and private, that have experienced apparent cyber incidents, or are planning for the inevitable attack. Gus sat down with us to discuss how and why boards of directors and the C-suite should plan for cybersecurity incidents. This is not a server room issue, it s a boardroom issue. To assess vulnerability, the company must, in light of the digital assets that it has, ask high-level strategic questions: What data might the attackers be interested in? How is it safeguarded? What systems are in place to let the company know that that data has been exfiltrated or tampered with? And if the data is stolen or altered, who will be affected, and how can the company recover? Companies are starting to realize that the bad guys aren t just interested in personally identifiable information. For too long, companies have focused on, and probably overinvested in, PII security, because PII generally requires some disclosure under various states laws. This seems to have resulted in underinvestment in the security of other digital assets such as intellectual property, executive communications about sensitive matters such as M&A transactions, other important business and financial information, and even private conversations that could be embarrassing or worse if disclosed all of which could cause more harm to a company s reputation, value, and future prospects than even a PII breach could. 3

4 And, given that attackers are highly skilled and persistent, and every company has a bull s-eye on its back, perhaps the most important element is being able to bounce back from a successful attack. Boards of directors should make sure the company not only has an incident response plan, but practices it, because you don t want to be feeling your way through all of the important, time-critical steps necessary for successful incident response after the attack is discovered. Incident response plans aren t set it and forget it ; instead, once they re written, they ve got to be trained on, exercised regularly, and modified as circumstances warrant. Tabletop exercises with the company s decision makers (including the CEO, general counsel, board of directors, CIO and CISO) and third-party consultants (including outside legal counsel, crisis PR firm, and forensics team) are key. And the first call should be to experienced outside counsel, to investigate what happened. An attorney experienced in cyber incident response can effectively quarterback the investigation, including hiring the forensics and crisis PR teams, and can give the investigation the greatest chance of being considered privileged and confidential, which is an important consideration as the legal and regulatory consequences of cyberattacks continue to grow. Experienced outside counsel can also call their colleagues in law enforcement on the company s behalf if circumstances warrant. And lawyers who are also well-versed in securities laws can assist in determining whether public companies should take additional actions, such as closing a trading window in the company s stock, filing a disclosure on Form 8-K, and the like. Boards of directors also should be thinking about corporate governance and regulatory compliance issues. Now that the Securities and Exchange Commission has issued guidance suggesting that companies disclose cybersecurity-related risks in their public filings, CEOs, CFOs, general counsels and boards of directors need to focus on whether the company has engaged in a robust process such as the one described above to understand and disclose its cyber risks. This is not a one-and-done board meeting. Boards of directors must remain vigilantly focused on security of a company s digital assets, given that the threat is always changing and the adversary is constantly improving. Under the Caremark standard (after Caremark Int l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996)), members of boards of directors could be found to have violated their duty of loyalty and could be held legally liable if they fail to oversee management s approach to cybersecurity, so from a corporate governance point of view, it is better for the board of directors to act than not to act. Boards are carrying out this obligation in different ways: some are assigning oversight to the audit committee (some even expressly adding risk to the audit committee s name); others are establishing special committees to oversee the issue; or even dealing with it at the full board level. Experienced outside counsel can help the board of directors create the appropriate tone at the top and document its record of oversight and compliance, both to help the board in its stewardship of the company s security, and to protect the company in case the board s activities are reviewed later with 20/20 hindsight. Bottom line: In an environment where even the most reasonably secured company can fall victim to a sophisticated attack, it is the responsibility of the company s management, with the oversight of the board of directors and the help of outside counsel, to take strategic, risk-appropriate steps to secure all of a company s digital assets, and to make sure the company is resilient when an attack is successful. Gus Coldebella can be reached at gcoldebella@goodwinprocter.com and is on 4

5 Mark shared some of his thoughts and recommendations for responding to a security breach or cybersecurity event. Many companies have crisis or incident response plans in place in the event of a storm or accident, but a security breach requires a different level of planning and response. PHOTO Mark Seifert Mark Seifert co-leads the privacy and data security practice at Brunswick Group LLP and has advised clients on various issues, including crisis, government affairs, corporate communications, financial-related communications work, media relations, and issues management. Mark has extensive experience within the government based on more than a decade at the Federal Communications Commission, as well as his service in all three branches of the federal government. Immediately prior to Brunswick, Mark oversaw a $5 billion broadband infrastructure program at the U.S. Department of Commerce. In addition to his time as a regulatory lawyer at the FCC, Mark also served as counsel to the House Committee on Energy and Commerce on telecommunications and technology matters. Mark has led retained accounts, projects and transactions with public and private clients, which have included EADS (Airbus), Novo Nordisk, GE, AT&T and Facebook. This issue continues to grow in importance and is now at the Board level in most large organizations. If it is not yet in your organization, it will be soon. You ve got to assume you ll be hacked or already have been attacked. We ve seen how clumsy responses have led to management changes, and most C-level employees recognize that. Board members and audit committees are asking for response plan reviews, and as the reporting requirements develop, a tested response plan will become more critical. Currently, the Securities and Exchange Commission (SEC) requires reporting of material breaches, and while the nature of that requirement may still be in development today, it is likely to be more stringent in the future. Once you have public documents on file, with breach details, you have the attention of all management, especially board-level executives. This trend is continuing, and as a result, a crisis or incident response process will become more critical going forward. While there are many steps a company can take to prevent a breach, one step for planning is to assume you will be breached. As part of that planning, company executives need to know what types of information the company has as well as the disclosure requirements for each type. Requirements for disclosure vary by country and industry. You need to take into account what type of information was lost or exposed, and what could be done with this data. Who could use it and how? As you can imagine, while credit card numbers are important, other information such as health care status, marital status or information about children, are also really critical if exposed. Because of the especially sensitive nature of health records, the HIPAA requirements for notification are very strict. An additional wrinkle is that a multi-national company may face regulatory processes and disclosure requirements that are in conflict based on the customer s country of origin. These variations highlight how critical it is to plan for potential events and know what responses are required and by whom. For most companies, if someone asks management to trace the money in their organization, they could tell you where the revenue centers are, where their costs are highest and how any given activity affects their bottom line. However, data is now the coin of the realm: it underscores how valuable a company truly is, directs corporate decision making and drives growth. Yet if asked, many management teams cannot tell where data travels inside their organization. Questions like: How is it captured? Where is it stored? Who can access it and when? Without the ability to know this flow, it s nearly impossible to react to a breach effectively. Managers must know what data the company holds, how that data is used, monetized and secured, and how to further maximize its potential. Knowing what you have and how you protect it will help you respond accurately and efficiently in the event of a breach. 5

6 As part of the preparations mentioned earlier, it is imperative that management teams and everyone involved in a response have an understanding of where and how data flows inside an organization. Having an understanding of the services and solutions used to safeguard this data is a critical part of the process as well. This knowledge allows for a more informed response. Preparation is the key to planning for a breach or incident response. Companies must conduct planning meetings and rehearsals prior to any event. Recall that many security events happen at odd hours of the day or week, and in many cases purposely happen over holiday or weekends where staffing may be minimal and response times delayed as a result. Prepare for those probabilities by mapping out your war room : the key people in the company charged with making quick decisions as details develop and media scrutiny increases. At the very least, senior people from legal counsel, communications and IT should be part of any war room. Additional basic items would be to set up a conference call bridge for remote access to urgent meetings, as well as knowing war room members personal phone numbers and addresses. These are the basic logistics. After that, the need to focus on the content of the response is critical. [Companies] risk the chance of suffering a double breach the first being the breach of data, the second being the breach of customer trust. There will be a variety of views represented by each participant in the group. To help navigate these difficult decisions, put yourselves in your customers shoes and respond with that perspective in mind. Customers are the lifeblood of any company and you need to keep that in mind as you respond. A company shouldn t sound defensive or suggest it s not our fault. A customer cares about what the event means to them, not how it affects the breached company s reputation or bottom line. If a company doesn t have that mindset, it risks the chance of suffering a double breach the first being the breach of data, the second being the breach of customer trust. To prevent a double-breach, share information as it becomes available. It is important to be transparent, but it is most important to be accurate. Don t disclose information that is not fully vetted. It s worse to change a story later than to say you don t know and taking the time to verify and validate that the information is accurate. With cyber security events, it is very difficult to quickly discern what happened, when it happened, who did it, and how. These answers take time to uncover and you do not want to risk having to walk back information that was shared erroneously in a rush to say something. Don t take this as an excuse to not comment or not respond publicly to an event you need to acknowledge the issue, not hide behind legal jargon or no comments. It is important to share information that is most helpful to the customer. Inaccurate, or jargon-filled information can lead to further fragmentation of customer trust. The major takeaways I would share in the event of a response are (1) preparation, transparency and accuracy; (2) know your data, and (3) use the customers perspective when communicating about the incident. We ve seen in past investigations that attackers have calendars with major holidays and long weekends marked, this is for a reason. They know that more junior people with be in charge, and management will be on vacation or enjoying a long holiday weekend and, therefore, responding and recovering will take longer. Plan ahead, have the meetings now, know the logistics and process ahead of time. While it may be nearly impossible to plan for the whole spectrum of potential attacks, smart organizations will have the basics covered and ready to go when the attack does occur and it will occur. Aim for transparency and accuracy, but don t sacrifice one for the other. A transparent but inaccurate response does not help, neither does a response cloaked in jargon or legal-speak. Find a balance and recognize that it is acceptable to say: we don t know at this point. Understand your company s most critical asset the data, know the data flow, the process for the way it moves within the organization, and know where and how it is vulnerable. Lastly, your customers are your lifeblood use their perspective as you communicate. There may be valid business concerns that you need to address as part of the process and by all means do, but your external communications should reflect your customers perception of your company. Don t risk the potential of a double-breach a data breach and a breach of your customer s trust. 6

7 PHOTO Tim Ryan Timothy P. Ryan is a managing director with Kroll s cyber investigations practice based in New York. He joined Kroll after a distinguished career as a supervisory special agent with the Federal Bureau of Investigation (FBI), where he supervised the largest cyber squad in the United States. Tim is an adjunct professor at Seton Hall University School of Law where he teaches cyber crime and cyber security to law students, prosecutors, defense attorneys and homeland security professionals. Tim has been interviewed and quoted by numerous media outlets such as The Wall Street Journal and USA Today. Before joining the FBI, Tim was an accomplished attorney in private practice in Arizona. Prior to practicing law, he served in the military police with the U.S. Army during Operation Desert Shield and Desert Storm, for which he was awarded multiple commendations for service and actions on duty. An expert in responding to all forms of computer crime, attacks and abuse, Tim has led complex cyber investigations involving corporate espionage, advanced computer intrusions, denial of service, insider attacks, malware outbreaks, Internet fraud and theft of trade secrets. From 2009 through 2010, Tim served as acting director of the FBI s New Jersey Regional Computer Forensics Lab, one of the nation s largest, state-of-the-art digital forensic laboratories. Tim also conducted computer forensic examinations as a member of the FBI s elite Computer Analysis and Response Team. Tim has provided cyber expertise to state and local law enforcement on investigations of crimes including homicides, stalking, missing children, cyber-bullying and internal affairs. A certified FBI instructor, he developed cyber-based curriculum and trained hundreds of law enforcement and private professionals in evidence acquisition, security policy and implementation, breach response and mitigation, hacker methodology and employee Internet safety. There are many elements to a successful incident response plan, but the critical part in my mind is to draft and implement the plan not as a technical response, but as a strategic response. In my experience the most successful plans and responses that I have seen are those that look across an organization, and respond accordingly. If a plan focuses too much on the technical elements and not on the event as a whole, and what it means to the company, its customers, its reputation and legal posture, it will not drive an adequate response in the event of a breach. That said, there must be technical elements to any response and the details captured in that part of the plan are critical to helping with a strategic response. The Verizon Data Breach Investigations Report stated that in 69 percent of breaches, the company is notified via a third party 1. This points to one element of a plan or organizational behavior that is often overlooked: How is a breach or attack identified and how is that information transferred within an organization? Careful consideration of how an event is observed and reported is an important piece of the plan. Are observations and reports pushed from the bottom up? The top down? Who responds to a third-party notification, and what do they do? What if you re notified via a social media outlet? Having these procedures in place ahead of time is key to getting information on the event and forming a credible response. One reality any company now faces as part of a response is the need to assume there will be legal action as a result of the event, and therefore the response, investigation and any action plans or communications need to be evaluated in that light. An outside attorney is a good point person to coordinate an investigation and response. A company will want as much of the investigation as possible protected under attorney-client privilege. In addition, while technical resources will be a part of the investigation and response, they need to be under the direction of the attorney for these same reasons. Many companies will have experts who are good at digging through files and other technical activities, but they need to be under the direction of the lead investigator. This is not to slow down the investigation, but to ensure that what is discovered is clearly understood in the context of the overall response Verizon Data Breach Investigations Report 7

8 By controlling... when [information] is fully vetted, a good response is much more likely, which can help minimize potentially negative media coverage. The protected information resulting from the investigation can be shared when it most makes sense and not dribbled out to the media and other audiences. This reduces a company s chance of appearing in multiple news cycles/stories each time a new piece of information comes out. By controlling the reports and sharing information only when it is fully vetted, a good response is much more likely, which can help minimize potentially negative media coverage. An experienced crisis communications person is a critical part of the response team and can help to manage this aspect of the investigation and external communications. Lastly, there is another critical part of the investigative process: ensuring the credibility of the evidence chain. This is where a carefully structured response that includes a forensics expert can really help in the long run. There are many bright, experienced and thoughtful technical people who can be a part of an investigation. These resources are critical to discovering issues or abnormalities in logs, databases and other data sources. However, if the proper protocol for searching these sources is not followed, the evidence can become compromised. Obviously, compromised evidence is not helpful in any legal environment and well-meaning but untrained experts can do just that. A forensics expert can provide the framework for investigating data sources in a way that preserves the integrity of the evidence in the event of legal action down the road. For instance an IT responder who moves critical files or changes the access times of those files may create doubt as to what the attacker did versus what the responder did. In today s environment, a company must assume that there is the prospect of legal action as a result of any major breach or attack. To help mitigate potentially damaging events, it is critical to have the investigation and response under the direction of an attorney and employ experienced forensics experts as part of the process. These practices can help reduce exposure for a company and limit the ultimate cost of an incident. 8

9 PHOTO Photo Mark JJ Guy Seifert Information security is changing. Traditionally, attackers gained value from the computing resources they compromised: for botnets, click fraud or spamming operations. The attacker does not care where the computers are, as long as they have access to lots of them. More recently, attackers began to seek value not in the computers themselves, but the data on those computers. They target credit card numbers, Social Security numbers, and intellectual property. Unlike the traditional attackers that compromised any computer given the opportunity, these new attackers specifically target organizations that process the data they desire. Traditional detection... results in two compromises: users only have visibility into future activity, and then only for the suspicious event itself. Jeffrey (J.J.) Guy is a senior director of product management for Bit9 + Carbon Black. He joined the company when Bit9 merged with Carbon Black in February At Carbon Black he was customer advocate and support lead. He spent 12 years in federal cyber operations, including an active duty tour with the Air Force s Information Warfare Center and as director/general manager of one of the top providers of federal computer network operations (CNO) R&D services, with about 100 kernel programmers, reverse engineers and vulnerability researchers supporting a dozen different federal programs. Historically, information security programs focused on protecting their networks. Investments in detection were limited to signature-based antivirus and network detection systems. Response was often ad hoc, usually with the support of external consultants. For the first time, focused, knowledgeable attackers are testing the defenses of our networks and those defenses are failing. The increasing volume of targeted attacks repeatedly demonstrates the inevitability of compromise, painfully exposing the shortfalls of detection and high cost of incident response. Simultaneously, our networks are evolving. Mobile workforces and increased use of cloud services are degrading the traditional corporate network perimeter. As a result, the network-based defenses we depend on for our security are becoming increasingly irrelevant. This cannot continue. Detection must improve, response must get faster and our security technologies must shift from the network to the endpoint. Any next-gen security solution that does not address all three is incomplete. There is one foundational technology that addresses all three of these key issues: continuously recording all endpoint activity, transmitting to a central server and indexing for rapid search and retrieval. Traditional detection technologies require the user to define in advance the characteristics of activity about which they wish to be notified. This approach results in two compromises: users only have visibility into future activity, and then only for the suspicious event itself. Unfortunately, it is impossible to know in advance all possible bad activity and, especially in the midst of an active investigation, future-only visibility results in an iterative investigation cycle of hours to days. Furthermore, the event itself, usually evidence of attacker compromise, is only marginally interesting. The most valuable information happens both earlier and later: how the attacker compromised the system and what they did with the illicit access. 9

10 : Designing a Continuous Response Architecture Continuously recording promotes collection over detection: it recognizes we can never describe all malicious activity in advance, and thus can only collect everything. By collecting everything, it enables detection analysis to be completed at the central server, highlighting interesting events in the stream, versus filtering them out. This enables an investigator to review interesting events in context and explore as much earlier or later in time as needed. We also can improve the continuous data collection by layering threat intelligence over that recording. This enables responders to design better detection, which can be customized for their specific organization. It also enables them to prioritize actions and improve investigations. The collaboration of both continuous recording and the application of threat intelligence can further automate and accelerate a response. This enables even entry-level staff to answer complex incident response questions in seconds. The result is an enterprise that can respond at the moment of discovery, understand the full scope of an attack, reduce the dwell time of targeted attacks, and recover from advanced threats before data is lost or destroyed. Summary Data breach is inevitable it is only a matter of when. Therefore, preparation is key. Every organization needs to have a well thought out and rehearsed plan. This plan should include everything from the most mundane to the most serious elements of a response. It also should factor in the strategy moving forward, when to get legal counsel involved, what solutions should be in place before a breach occurs, and how to respond publicly to the event. It is essential that organizations build teams designed to deliver fast, effective response, and they also must invest in solutions that can prepare them for a breach. This will enable them to more conclusively answer complex incident response questions as well as recover before data exfiltration. If compromise is inevitable, then preparing for these threats must be a priority. ABOUT BIT9 + CARBON BLACK Bit9 + Carbon Black offers the most complete solution against the advanced threats that target your organization s endpoints and servers. This makes it easier for you to see and immediately stop those threats. Carbon Black s lightweight endpoint sensor, which can be rapidly deployed with no configuration to enable detection and response in seconds, combined with Bit9 s industry-leading prevention technology, delivers four key benefits: + Continuous, real-time visibility into what s happening on every computer + Real-time threat detection, without relying on signatures + Instant response by seeing the full kill chain of any attack + Prevention that is proactive and customizable More than 1,000 organizations worldwide from 25 Fortune 100 companies to small enterprises use Bit9 + Carbon Black to increase security, reduce operational costs and improve compliance. Leading managed security service providers (MSSP) and incident response (IR) companies have made Bit9 + Carbon Black a core component of their detection and response services. With Bit9 + Carbon Black, you can arm your endpoints against advanced threats Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners Second Avenue Waltham, MA USA P F