I participate in a LOT of cyber incident responses. Sometimes, I lose count. And while categorical rules are often restricting, one rule established about 3 years (worth of responses) ago remains golden: “Do not rush into any conclusions, statements, or actions.” Any temporal advantage comes at the cost of more valuable, but lost opportunities. Sun Tzu famously said "He will win who, prepared himself, waits to take the enemy unprepared.”
So many noticeable or announced cyber events are immediately and often inaccurately labeled “cyber attacks” or “breaches.” Third-party commentators, whether journalists or purported industry professionals, rush to issue speculative and ill-informed comments. In-house communications officers face pressure to release informative public statements to satisfy journalists, the public, and twitter trolls. However, this pressure to comment and rush a response only serves to increase the leverage of any malicious actors over their victims.
For simplicity purposes, consider the following analogy: there is a car fire on the interstate. Passing travelers “rubberneck,” causing traffic disruptions and even more accidents, both minor and otherwise. The ability of emergency responders to provide effective and timely services to vulnerable parties is hindered, and the condition of the original event victims worsens. The same is true for cyber events.
With cyber insurance coverage becoming increasingly elusive and the pressure from current and emerging legislation to notify various governmental agencies of cyber incidents within 24-48 hours, the added pressure from speculative comments does not support the overall effort to combat cyber events. Rather, the knee-jerk panicky response leads to mistakes, increased costs, and contributes to the leverage held by the “bad guys.”
Many cyber events begin with a noticeable incident (examples: blank screens, an anomaly in system logs, application failure) or a warning message from a third party (examples: law enforcement message or findings by security researchers). Events that begin subtly, before encryption occurs or a message from the attackers appears, present an opportunity to eradicate threats and remediate the security failure (if one exists) before data is exfiltrated, crypto-mining starts, or an escalation in infiltration occurs.
However, the opportunity to minimize damage may only be exercised if the impacted entity can exercise operational security --- in short, “be quiet and patient.” Allowing security professionals to examine logs and collect evidence in minimally noticeable manner avoids letting the “bad guys” know that they are busted. These simple measures allow forensic teams to study the “bad guys’” behavior to determine intent, (better guess at) attribution, previous activity, and (later) confirm eradication of persistent threats. With so many cyber-crime groups deleting logs or using skeleton keys, jumping to unplug or make unnecessary announcements not only notifies the criminals that their presence is known, which hastens the encryption process, but often forfeits the ability to determine what, if anything, was stolen. And unlike tangible objects, data can be stolen but still exist within the victim’s custody.
Succumbing to pressure to use invasive forensic tools (often proffered by the less-savvy breach counsel), issue notifications before a complete story is discovered, sanctify the truth of a cyber-criminal's online boasting (psst…criminals lie!), or issue statements with unconfirmed information and buzzwords like “breach” and “attack” sacrifice the value of any intel previously held by the impacted entity, increase harmful speculation and hysteria, and frustrate mitigation efforts.
Notifying and protecting individuals from identity theft is of paramount importance. Young people are at risk of starting their adult lives with ruined credits score while senior citizens risk losing critical social security benefits. The impact of identity theft is not minimalized by this article. But despite the current culture of championing false dualities, the best way to approach the 360 degrees of concern during a cyber incident is patience – both within the impacted entity itself and as a potential data theft victim.