When the victim of a cyber incident realises that they have become the target of an attack, every action feels urgent and the team on the ground often feel vulnerability, a loss of control, and stress. This is the first hurdle cyber incident responders face, understanding and responding to the emotions in the room. The most successful responders are not just technically savvy, they are experts in rapidly building constructive relationships with people under pressure. In S-RM’s experience, the success of this hinges on building trust and understanding how to speak the language of different stakeholders, from executives to external counsel and local IT teams.
In this article, S-RM’s cyber incident responders discuss their approach to handling incidents and provide their insight into how relationships are crucial to a successful response.
Joining the dots: Cyber, Insurance & legal
Q: How do you work together with brokers and insurers?
If an organisation in the midst of an incident has not met our team before, the first call they make will probably be to their external counsel, broker, or claims advisor. If that call is to a broker or claims advisor, and we are linked to the victim’s cyber insurance policy, those representatives will call on our team to support the response immediately after receiving a call on their hotline.
We invest a lot of time in our relationships with brokers and insurers; the combination of technical skills and insurance expertise allows us to collectively present much better solutions to clients for transferring, mitigating and responding to cyber risks.
Even before a call is made, we work side-by-side with claims teams to share our understanding of the threat landscape, and get to know each others’ ways of working. This makes for a more effective, immediate response, but also means we understand the procedural details that can improve the overall service to a client. For example, a good responder can positively impact the process of claiming back response costs. Taking simple measures like approving budgets with the insurance representative and appropriately tracking work so it can be applied against policy coverage can significantly support the claims process. These close working practices help develop the trust which means we often go on to work with the same clients post-breach to improve their broader cyber security.
Q: How important is your relationship with legal counsel?
More often than not, our team is brought in and instructed by the target’s legal counsel. We maintain close relationships with law firms outside of live response cases to ensure that when calls come in, we are already on the same page. We know the people we’re working with, we understand their processes, and this saves invaluable time when responding to incidents.
This has never been more critical, with the advent of strict new data protection regimes like Europe’s GDPR and California’s CCPA. These regimes mean that risks to personal data and the possibility of litigation are at the forefront of senior management’s mind when a breach happens. To navigate these risks, liaise with regulators and avoid fines, firms need pragmatic legal advice to accompany technical support.
We work closely with counsel to ensure that our support addresses not just the technical but also the legal risks involved in a breach. This arrangement often results in a three-party agreement between the law firm, their client and the responder, and it ensures that sensitive forensic investigation findings can be protected under privilege. This latter consideration is becoming increasingly important in Europe as the first GDPR class action lawsuits are making their way through the courts.
It is also legal counsel’s responsibility to interact with the authorities and regulators. We recently worked on a case, for example, where the authorities showed up on site unannounced. As we operate under legal privilege, we do not communicate with the authorities in instances such as this, redirecting any questions to the target’s legal representative.
Becoming part of the target’s team
Q: When an organisation suffers a breach, what do you do first?
At the outset of a cyber-attack, the incident responder is most likely to get on a scoping call with the target as quickly as possible. The first thing a responder should do on this call is triage what the target has already done to contain the threat so far and then help fill in the gaps. Sometimes, the target will have done most of the work on containment. In these cases, the responder’s role is to validate the target’s approach and conduct a forensic investigation to gather additional information required to manage regulatory and/or litigation risks.
Other times, the target’s security teams are at a total loss and need external responders to get on site and walk them through every stage of the response process. In our experience, when this happens, we typically provide three crucial things to targets: expertise, extra hands and structure. For smaller organisations or those with a less mature IT capability, this last point is more important than you might expect in the initial stages. Often the first thing we do is help establish priority workstreams, to ensure that short-term critical services are recovered as soon as possible (e.g. setting up a temporary cloud-based system to allow a school district to provide minimal services for the first day back at school), while preserving evidence for the investigation.
Q: Which of the client’s internal teams do you work with when you are responding to an incident?
The relationship between the target of a cyberattack and their cyber incident responders works best when the responders can speak to two levels of internal stakeholders: senior management and technical teams.
Senior management are often in urgent need of experience and expertise to help them take key decisions with their legal and insurance teams, such as whether or not to pay a ransom or whether they need to think about notifying regulators.
By contrast, technical teams working at the coal face of the response often have very different immediate needs. They will typically be under-resourced and facing substantial pressure to show progress in completing tasks that are outside of their core expertise, such as forensically preserving evidence and threat hunting in the midst of a recovery. That’s where the incident responders who work on these types of tasks day in, day out can bring valuable insight to the table and make a big difference. Sometimes, the technical teams also just need an extra pair of hands to get time-critical services back up and running.
The best response teams manage these two equally important sets of needs by bringing in responders with a mix of skills - expert engineers and forensics specialists, seasoned investigators and crisis managers – to provide the full breadth of support that an organisation under attack needs.
Q: Does your relationship with the target of the attack change depending on the type of breach?
The nature of a response – and a responder’s relationship with the target – will vary based on the type of attack in question and several target-specific considerations.
We have responded to several ransomware attacks where the outcome has varied significantly depending on how the target was set up internally. In simpler cases, when the target has safeguards or backups in place, there is no need to even consider paying a ransom, and the responder’s role is limited to restoring the data from backups and facilitating the resumption of business operations. However, when backups don’t exist, the response process can be protracted, involving ransom negotiation and data decryption before the target can return to business as usual. As these types of attacks typically result in the immediate cessation of operations, they naturally elicit panic and anxiety on the part of the target. In such cases, the responder will usually take on more of a leadership role, overseeing the response and often coordinating between in-house teams and other stakeholders directly. A ransomware attack is a “fire” that’s ongoing, and the responder needs to balance getting the target back up and running as swiftly as possible, with the need to preserve important pieces of evidence.
On the other end of the spectrum, we have also dealt with cases where the target has refused to pay a ransom on ideological grounds, in which case our role has been to rebuild their entire network again from scratch – typically a very long, deliberate and drawn out process.
With an email compromise attack, the response tempo is quite different. In these cases, a threat actor will have infiltrated the target’s network through a compromised mailbox, can view internal communications and is most likely intent on targeting financial teams with fraudulent invoice requests. These incidents tend to be far more contained compared to ransomware attacks. Oftentimes responders are brought in after the fact to investigate how the compromise happened in the first place and identify any systemic vulnerabilities that need to be addressed. Here the response team is not so much in “firefighting mode”, rather taking the time to conduct a detailed investigation.
Understanding the threat actor
Q: How often do you have direct contact with a threat actor?
Incident responders can have both direct and indirect interactions with cyber threat actors. Direct interactions usually occur during the negotiation phase of a ransomware attack, which is typically the closest responders get to communicating directly with cybercriminals. Ransom payments can be negotiated with threat actors on the other end of anonymous mail accounts with relative ease. It’s not uncommon to explain that your client cannot afford the ransom and hear back that the threat actor is consulting with their boss to ‘see what I can do’ before receiving a discount of anything up to 40%.
Q: How do you build an understanding of the threat actors you are dealing with?
The indirect “relationship” between threat actor and responder is more nuanced. Responders need to be constantly learning, researching and intuitively responding to how threat actors and the cyber threat ecosystem are evolving. A good responder does this by constantly monitoring hacker discussions on targets, tools and methodologies, and spending time testing the hackers’ own tools to see how they operate. This helps responders know what activity to look for on systems and how to quickly stop it. It also provides vital context around threat actors’ motivations and what actions they might take if publicly antagonised or engaged in negotiation, for example.
Simultaneously, though, cybercriminals are doing exactly the same thing: monitoring cyber security and response trends, reviewing guidance on best practice and figuring out ways to get around it. Overall, the relationship is similar to that between intelligence and counterintelligence units – each constantly seeking to get ahead of the other. For responders, then, maintaining relevance is integral to their ability to do their job, ensuring that their skills, experience and intuition does not become obsolete.
The right team for the job
Q: What kind of people work in incident response teams?
By necessity, incident responders form part of multidisciplinary teams. They need to bring a diverse – but complementary – set of skillsets to the table, and know how and when to apply them through the course of an incident. Maintaining relationships with various stakeholders that make up the incident response “ecosystem” is a core part of this role.
Our consultants support technical teams with immediate containment and recovery, while seasoned investigators build a detailed picture of the threat actor’s activities, and crisis managers help support discussions at the executive and board level.
Cyber Incident Responders
Support in-house technical teams with immediate containment and recovery
Build a detailed picture of the threat actor's activities
Support discussions at the executive and board level
Q: Beyond having the right experience and skills, what are the key characteristics of an effective response team?
As demonstrated in the above, to successfully navigate the cyber risk ecosystem and the diverse set of stakeholders that form a part of it, cyber incident response teams need to combine strong technical skills with creative thinking and compassion. We summarise these key attributes below:
1. Technical capabilities
Core technical competencies are needed to detect, contain and eradicate a threat, and enable recovery after an attack. These include forensics, networking knowledge and environment specific experience among others.
2. Empathy & Trust
Empathy and trust are the pillars of an effective response.
The ideal relationship between an organisation under attack and their incident response team is built primarily on trust. Oftentimes, responders have to earn trust quickly, drawing on their experience to provide immediate useful advice to the target. This trust is the foundation for enabling an incident response team to advise senior management and technical teams.
Working with empathy is vital to establishing trust. Responders will frequently be dealing with people who are having one of the worst days of their lives. As a responder, you have to show them that you care about getting them through this crisis – and you have to be genuine about it. People pick up very quickly if your empathy is insincere.
A good response team relentlessly focuses on the target’s priorities and provides constant visibility of their activities and progress. Nothing makes senior leadership and external stakeholders more nervous than being in the dark about a response, particularly when the business’ survival could be at stake. Delivering your evidence and findings clearly and in the right way is key.
Responders must also remember that they are operating in a very charged atmosphere. Especially in cases where they are leading in-house teams, responders must direct them in a way that does not come off as overly authoritative, while still remaining focused on the tasks that need to be completed. It takes leadership skills to manage in-house teams in the right way.
5. Critical thinking
Frequently in incident responses you have to think outside the box to find solutions to the problems you are tackling. In many incidents we have responded to, we have had issues with lack of evidence of what led to the incident in question. In such cases, the responder has to think creatively to determine how we got here, find solutions, and respond accordingly.
Understanding how to prioritise workstreams based on what the organisation needs to recover securely with the least disruption is critical in a response. Pragmatism is also critical to providing a useful set of findings out of a forensics investigation. Often it is not clear cut whether data exfiltration occurred, for example. However, it is still possible to state the facts based on the evidence and give an assessment of likelihood.