WASHINGTON, D.C. – MIRCON – Organizations understand the importance of incident response planning, but they remain woefully unprepared when it comes to giving investigators the information they need to deal with a breach.
Considering the venue—MIRcon is Mandiant’s (now part of FireEye) annual conference—it makes sense that the overarching focus was on incident response. However, just having an incident response plan is not enough if the organization is not sufficiently prepared to execute all the steps in the plan, said Marshall Heilman, a consultant with FireEye’s Mandiant, and Craig Hoffman, a partner at BakerHostetler.
CISOs face a difficult landscape, as they have to deal with evolving security threats, operational challenges, emerging technologies, and budgetary constraints, Heilman said. There are some things CISOs can do—Security 101—that reduce risk and make sure the organization is “compromise-ready,” Heilman said.
“I don’t believe you can prevent all breaches. I do believe that all breaches can be mitigated,” Heilman said.
Preparation is key, as organizations have to consider beforehand how they will react to a breach and how they will work with investigators, Heilman and Hoffman said. This includes understanding what kind of questions the investigators will ask, having the necessary pieces of information readily available, and planning how to communicate with law enforcement, victims, regulators, and the media. CISOs have to identify beforehand who would be responsible for managing incident response, as well as knowing the external contacts and internal employees who will be part of the investigation. Running simulations and drills will help organizations figure out the answers and close gaps beforehand. While this level of preparation won’t prevent breaches, it can minimize the damage and speed up the investigation, they said.
“You may be in the media for being breached, but you don’t have to be for not knowing what you are doing,” Hoffman said.
One of the first things investigators will ask for is information about the network, but many organizations don’t have an accurate and up-to-date network diagram. “I need to learn the network as fast as humanly possible,” he said, noting that when he has to map out the environment on his own, it is a “waste of time” that would be better spent actually investigating the breach.
“Understand the types of questions the investigators are going to ask, and can you give the answers,” Heilman said.
Organizations frequently don’t have logs investigators can use, or the logs are missing some critical elements. One client Heilman worked with had hundreds of internal DNS servers and four external servers, but was logging only external DNS traffic. The organization thought it had logs, but as Heilman discovered, there was no way for the investigators to pin down which computer made a particular DNS request, making it difficult to trace which machine was communicating with the malicious network.
While DHCP makes it easier to network many computers, it also makes things difficult for investigators unless the organization is diligent about capturing hostname and IP address information. For example, if there is no detailed list of which IP addresses have been assigned to which hostnames, and when, investigators are stymied trying to track down which endpoint device was implicated in the attack. The situation gets even more challenging if NAT is in use and only external IP addresses are being logged. Even with the IP address in hand, investigators can’t easily identify which computer is compromised unless this level of information is logged somewhere.
“Simple questions; not so easy to answer,” Heilman said.
Organizations need to be able to figure out where the malicious file is currently stored, how it came into the network, and what other machines on the network it has spread to. This requires knowing all the systems a user account can authenticate to, what IP addresses a computer has communicated with, and which systems performed a given DNS query.
“Most organizations cannot easily do that. And time is one thing you don’t have in an investigation,” Heilman said.
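As an added illustration (not code from the talk or this article), the script below shows the kind of join an investigator needs in order to answer “which computer made that DNS request”: DNS query logs that record the client IP are matched against DHCP lease logs, taking the lease that was current at the time of the query, and a query from an address with no logged lease is flagged rather than guessed. The log formats, hostnames and domain are constructed samples.

```python
"""Attribute DNS queries for a known-bad domain to internal hosts by
joining DNS query logs (with client IP) against DHCP lease logs."""
from datetime import datetime

# Constructed sample DHCP lease log: time, event, IP, MAC, hostname.
# Note that 10.20.30.41 changes hands at 09:30, so IP alone is ambiguous.
DHCP_LEASES = """\
2014-10-07T08:00:00 DHCPACK 10.20.30.41 00:11:22:33:44:55 WS-FINANCE-07
2014-10-07T09:30:00 DHCPACK 10.20.30.41 66:77:88:99:aa:bb WS-HR-12
2014-10-07T09:45:00 DHCPACK 10.20.30.42 cc:dd:ee:ff:00:11 WS-FINANCE-07
"""

# Constructed sample DNS query log: time, client IP, record type, name.
# The last line comes from an address with no lease on record at all.
DNS_QUERIES = """\
2014-10-07T08:15:00 10.20.30.41 A badupdate.example.net
2014-10-07T09:50:00 10.20.30.41 A badupdate.example.net
2014-10-07T09:55:00 10.20.30.42 A www.example.com
2014-10-07T10:00:00 10.20.30.99 A badupdate.example.net
"""

def parse_leases(text):
    """Return (timestamp, ip, mac, hostname) tuples sorted by time."""
    leases = []
    for line in text.splitlines():
        ts, _event, ip, mac, host = line.split()
        leases.append((datetime.fromisoformat(ts), ip, mac, host))
    return sorted(leases)

def lease_at(leases, ip, when):
    """Most recent lease of `ip` at or before `when`, or None if unlogged."""
    match = None
    for ts, lease_ip, mac, host in leases:  # sorted, so the last hit wins
        if lease_ip == ip and ts <= when:
            match = (host, mac)
    return match

def attribute_queries(dns_text, lease_text, bad_domain):
    """List (time, client_ip, hostname) for every query of bad_domain."""
    leases = parse_leases(lease_text)
    hits = []
    for line in dns_text.splitlines():
        ts, client_ip, _rtype, qname = line.split()
        if qname != bad_domain:
            continue
        lease = lease_at(leases, client_ip, datetime.fromisoformat(ts))
        host = lease[0] if lease else "UNKNOWN (no DHCP lease logged)"
        hits.append((ts, client_ip, host))
    return hits
```

The second query from 10.20.30.41 is attributed to WS-HR-12, not WS-FINANCE-07, because the lease changed between the two queries; without the lease log both would be blamed on whichever host holds the address today.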
Finally, organizations should be talking about how they will communicate with regulators, law enforcement, victims, and the press. They shouldn’t go as far as preparing a canned statement, because the best approach is to customize what they say to include specifics related to the incident. “There is some advantage in thinking about what you’ll say, when you’ll say it, and how you’ll say it,” Hoffman said.
It’s also important to say only what the organization definitely knows to avoid overpromising. For example, if the organization at first says financial information wasn’t compromised without any proof and then realizes later the data was exposed, it hurts the organization. “If you have to change that message, that will affect your credibility,” Hoffman said.
Ideally, the organization should know four things before going public about the breach: “What happened, how it happened, what you are doing to prevent it from happening again, and what you are doing to protect people affected by the incident.”