In July 2019 we published our inaugural blog post titled “The Next Phase in Cyber Insurance.” At that time, the lost laptops and basic malware incidents of earlier years had morphed into complex situations involving destruction and business interruption. That article shined a spotlight on an increasingly complex landscape that the existing approaches were ill equipped to handle. We introduced the MOXFIVE Technical Advisor concept: a role that is positioned to deliver better outcomes to clients and carriers alike.
Fast forward two years; MOXFIVE is deeply engaged in the proverbial trench. Our Technical Advisors have provided a steady voice of experience. As we expanded into incident coordination and business recovery, we and our partners’ engineering teams have helped hundreds of clients get back on their feet quickly.
Reflecting on the road behind us, we humbly offer the following observations and recommendations.
The following technical capabilities are critically important to prevention and detection and, failing that, to mounting a swift response. If you only take away one thing from this article – implement these capabilities starting today. These represent the minimum pillars necessary for an effective security capability; learn from our clients’ pain.
“I need as many people as I can get engaged right now!” exclaimed the senior executive on the first day of the incident response effort. While it is an understandable reaction to a crisis, more people involved early on can be counterproductive and delay recovery. Rather than focus on more, it is vitally important to accomplish the following at the outset of the response effort – before scaling up the number of doers executing the work.
Once lanes are defined, additional resources can be added to turbocharge some workstreams. But not all processes benefit from more people. For example, if you are only able to restore one virtual system image from backup per hour, adding 10 more people to that workstream won’t make it go faster.
Still, sometimes one may be tempted to add people, regardless of a real need, to improve the optics of the situation. While it may feel good in the short term, I have seen this approach degrade teams by creating more (unnecessary) meetings and increased coordination challenges. Risk increases when multiple, well-intentioned people are trying to do their part but lack clearly defined lanes and coordination. For example, if two engineers independently start restoring servers from backups and cause IP address collisions, other efforts will need to stop to troubleshoot the unusual errors that stem from this avoidable mistake.
There is also a cost component to consider. Insurance carriers are increasingly scrutinizing recovery costs, so if you plan on filing a claim, keep in mind that the reasonableness of costs versus impact will be reviewed as part of processing the claim.
While a neurologist may be an extremely capable physician in their field, when you have a heart condition, you need the expertise and experience of a cardiologist. In the field of incident response, when you need to make decisions about how to proceed with investigation and recovery, you need a Technical Advisor.
Back in 2019, we said that a Technical Advisor is “best suited to identify possible investigative rabbit holes, inefficient business recovery activities, or potential technical items / tasks that may not be aligned with the policy coverage.” Looking back two years later, we’ve helped many clients avoid these sand traps.
For example, several clients initially planned to reimage large numbers of systems affected by ransomware. After assessing those situations in collaboration with the investigative teams, we successfully executed containment plans that avoided the large time and financial costs of massive reimaging projects. A combination of EDR tooling to block known and unknown malware and some (automated, scripted) elbow grease to decrypt and clean up systems en masse often does the trick.
Many voices are heard around the table during an incident response situation. Find advisors that have extensive experience in incident response within their domains of expertise: legal, investigative, recovery, communications. It’s best to establish these relationships before you need them. You’ll sleep easier knowing that you have someone to call.
Jim is a leader experienced in a variety of cybersecurity domains and adept at aligning diverse stakeholders ranging from technical specialists to executive leadership with business objectives. His pragmatic perspectives on IT and cybersecurity result from years of in-the-trenches experience attacking networks as a penetration tester and responding to targeted security breaches as an incident responder. Jim earned his Private Pilot Certificate in 2013 and has enjoyed exploring the skies of sixteen states.