"The truth is simple: when you've suffered an attack and you've been damaged, the sooner you accept it, the sooner you can restart." Lorenzo Bernini (Managing Director Middle East for HWG) is as clear as ever in getting to the heart of Incident Response, an activity that involves not only taking technical measures to restore a situation compromised by a cyber attack, but also, if not primarily, considerations that intersect with Crisis Management and with psychological implications that are far from negligible. In this talk, Bernini addresses these two aspects in particular.
Incident Response: what is it all about?
The essential starting point for a complete analysis is to ask what exactly is meant by the term Incident Response. "We mean the activity that is carried out following the breach of enterprise information systems," Bernini answers. So far, so clear, and it remains so as we go deeper: "This activity brings together several aspects: the focus on containing the breach, understanding how it happened, identifying the compromised systems, enabling the company to continue business in the healthiest way possible, sanitizing the compromised environment. Last, but no less important than the rest, is the so-called lessons learned activity, which is critical to making the necessary improvements to the cybersecurity strategy."
The technical detail varies from case to case, depending on the type of attack (ransomware, business email compromise, and so on), and is the responsibility of the experts. Those experts, however, cannot be the only ones asked to fix the problem once it occurs. Incident Response, in fact, starts the moment a company relies on the HWG SOC: already during the so-called onboarding, an attack response process is defined, in which the customer plays a decisive role.
"He has to be there, he has to participate in the decisions," Bernini continues. "He can't just say, 'I have the SOC, they'll take care of it.' That's why Incident Response is an issue of awareness, of readiness. If the company does not have a ready process for it, we help it draft one, starting with identifying the key stakeholders to bring to the table in case of an incident. Those stakeholders must be on call 24/7 at all times, and if asked, they must give decision feedback. If there is ransomware, one must immediately isolate the impacted network segment, and totally disconnecting from the Internet should not be ruled out, to prevent the attacker from keeping an active control channel."
The psychological aspect
Decision-making feedback must be immediate. However, it often happens that the IT manager, CIO or CISO has to confront the CEO and higher levels before he can proceed. The step is tricky and can create non-negligible problems, as Bernini recounts based on his own business experience: "We had a customer who after the attack, with 70 percent of the systems compromised, did not agree to disconnect from the network, resulting in a further systems breach. The point is that if a CEO keeps saying that he needs email to work, you have to make him understand that he cannot expect to have the same situation as before the attack. You have to persuade him to trust, but it's not easy."
This is where the psychological aspect comes in. Accepting that the company's business operations have been destroyed or severely impacted is not easy at all. Explains Bernini, "What makes the difference at this stage is managing the emotional part. As a consultant, you have to understand who you are dealing with, you have to take into account that you are dealing with people whose jobs have been completely destroyed, with employees who can no longer work, who are in danger of losing their jobs. From this empathy must come the creation of a customized plan: the company communicates its priorities to start again with its business processes, and we support it to sanitize the environment and reactivate the IT system in complete safety."
Awareness is again the key word in the story, starting with what is now heard from many quarters: "it is not so much if you will be attacked, but when." "This is why," Bernini concludes, "we are working to offer moments to simulate a crisis and the related response, not so much to train specialists on processes and procedures, but to ingrain awareness of business continuity, cyber resilience and all that is needed to mitigate the effects of an attack and allow the company to get back on track."