4.2 Summarize the importance of policies, processes, and procedures for incident response

  • Incident Response Plans
  • Incident Response Process
    • Preparation
    • Identification
    • Containment
    • Eradication
    • Recovery
    • Lessons Learned
  • Exercises
    • Tabletop
    • Walkthroughs
    • Simulations
  • Attack Frameworks
    • The Diamond Model of Intrusion Analysis
    • Cyber Kill Chain
  • Stakeholder Management
  • Communication Plan
  • Disaster Recovery Plan
  • Business Continuity Plan
  • Continuity of Operations Planning (COOP)
  • Incident Response Team
  • Retention Policies

Incident Response Plan

An organization must maintain an Incident Response Plan that is reviewed and practiced regularly.  The plan will include:

Documented Incident Types/Category Definitions

  • The organization should maintain a list of different types of incidents and categorize them based on the business lines that they affect

  • The plan should allow an administrator to determine the severity of an incident (Critical, Serious, Minor, etc.) based upon its impact to the business, human life, clients, etc.

  • Each category and severity should have a standard response procedure

    • Who should we notify (executives, customers, government agencies, 911)?

    • What does each person do?

  • Why do we do this?  When an incident occurs (and incidents will occur!), we don’t have to panic.  We categorize the incident based on its severity and impact, and then we follow the appropriate procedure.

Roles and Responsibilities

  • Each department is specifically tasked with a responsibility for each incident category

  • When an incident occurs, a team composed of each department’s representatives is summoned.  Each person on the team will have reviewed the plan and knows exactly what to do.

Reporting Requirements/Escalation

  • Does the organization have to respond to the incident at all?  Does it have to report the incident to a higher level in the organization (vice president, CEO, board of directors, shareholders, etc.)?  This depends on

    • The severity of the incident

    • How long it takes to resolve the incident

    • The impact to the business and its customers

  • The organization may have to report the incident to the government if it involves a

    • Data leak

    • Chemical spill

    • Public health matter

    • Contamination of a food product or pharmaceutical
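As an added example (not part of the original notes), the categorization and escalation rules above written out in Python so they can be exercised before an incident. The severity thresholds, the two sample playbooks and the dedicated notification order are assumptions for illustration; the incident types, severity levels, notification targets and government-reportable categories are the ones named in the plan.

```python
from dataclasses import dataclass

# Severity levels named in the plan, ordered from least to most severe.
SEVERITY_ORDER = ["Minor", "Serious", "Critical"]

# Incident types that the plan says may have to be reported to the government.
GOVERNMENT_REPORTABLE = {"data leak", "chemical spill", "public health", "contamination"}

# Standard response procedure per category (constructed sample; a real plan has one per category).
PLAYBOOKS = {
    "data leak": ["isolate affected systems", "preserve logs", "engage legal"],
    "fire": ["pull alarm", "evacuate floor", "roll call"],
}


@dataclass
class Incident:
    category: str           # e.g. "data leak", "server outage", "fire"
    business_lines: int     # number of business lines affected
    customers_affected: int
    threat_to_life: bool
    hours_to_resolve: float  # expected or actual time to resolve


def severity(inc: Incident) -> str:
    """Rate the incident by its impact on human life, clients and the business.
    The numeric thresholds are assumptions for this example; a real plan sets its own."""
    if inc.threat_to_life or inc.customers_affected >= 1000 or inc.business_lines >= 3:
        return "Critical"
    if inc.customers_affected > 0 or inc.business_lines >= 1 or inc.hours_to_resolve > 4:
        return "Serious"
    return "Minor"


def escalation(inc: Incident, sev: str) -> list:
    """Who must be notified, following the plan's severity / duration / impact rules."""
    notify = ["incident response team"]           # summoned for every incident
    if inc.threat_to_life:
        notify.append("911")
    if SEVERITY_ORDER.index(sev) >= SEVERITY_ORDER.index("Serious"):
        notify.append("vice president")           # Serious and above go up one level
    if sev == "Critical":
        notify += ["CEO", "board of directors"]
    if sev == "Critical" and inc.hours_to_resolve > 24:
        notify.append("shareholders")             # long, critical disruptions reach owners
    if inc.customers_affected > 0:
        notify.append("customers")
    if inc.category in GOVERNMENT_REPORTABLE:
        notify.append("government agencies")
    return notify


def respond(inc: Incident) -> dict:
    """Severity, notification list and standard procedure for one incident."""
    sev = severity(inc)
    return {
        "severity": sev,
        "notify": escalation(inc, sev),
        "procedure": PLAYBOOKS.get(inc.category, ["follow generic procedure"]),
    }


if __name__ == "__main__":
    # Constructed sample: a breach of 5000 customer records expected to take two days to resolve.
    print(respond(Incident("data leak", 1, 5000, False, 48.0)))
```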

Cyber-Incident Response Teams

  • An organization may maintain a Cyber Incident Response Team that is dedicated to responding to a cyber incident.  This team may travel to the physical location of the incident or work remotely.

  • Other third parties also have cyber response teams.  The FBI has a cyber response team that can deploy to any cyber incident location within 48 hours.

Incident Response Process

The incident response process starts with preparation.  Preparation should take place well before any incident takes place.  The organization may not be able to respond to an incident that takes place if they are not prepared.  Preparation includes creating an incident response plan, training responsible individuals, and stockpiling tools and supplies necessary to respond.

Identification is the process of identifying when a situation is not a normal operating condition (an incident).  Is this incident worth responding to?  To avoid false alarms and the unnecessary expenditure of resources, the organization may have a threshold for responding to an incident.  For example, if a server is unreachable for 30 seconds, the organization may wait to see if it comes back up.  If a server is unreachable for an hour, the organization will need to respond.
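The identification threshold described above, as an added example that is not part of the original notes: a small detector that walks reachability probes in time order and only declares an incident once a host has been down past the response threshold. The probe format, host names and the 30-second / one-hour defaults follow the text; the sample probe data is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    ts: int       # seconds since epoch (constructed timestamps)
    host: str
    up: bool      # result of the reachability probe


@dataclass(frozen=True)
class Outage:
    host: str
    start: int
    duration: int
    decision: str  # "ignore", "watch" or "incident"


def decide(duration_s: int, grace_s: int = 30, respond_s: int = 3600) -> str:
    """Apply the thresholds: under the grace period nothing is done, between the
    grace period and the response threshold we wait and see, beyond it we respond."""
    if duration_s < grace_s:
        return "ignore"
    if duration_s < respond_s:
        return "watch"
    return "incident"


def find_outages(checks, grace_s=30, respond_s=3600):
    """Turn runs of 'down' probes into Outage records, one per host and run.
    A host still down at the end of the data is reported with its duration so far."""
    down_since = {}   # host -> timestamp of first failed probe in the current run
    last_seen = {}    # host -> timestamp of the most recent probe
    outages = []
    for c in sorted(checks, key=lambda c: (c.ts, c.host)):
        last_seen[c.host] = c.ts
        if not c.up:
            down_since.setdefault(c.host, c.ts)   # keep the first 'down' timestamp
        elif c.host in down_since:
            start = down_since.pop(c.host)
            dur = c.ts - start
            outages.append(Outage(c.host, start, dur, decide(dur, grace_s, respond_s)))
    for host, start in down_since.items():         # still down when the data ends
        dur = last_seen[host] - start
        outages.append(Outage(host, start, dur, decide(dur, grace_s, respond_s)))
    return sorted(outages, key=lambda o: (o.start, o.host))


def hosts_needing_response(checks, **thresholds):
    """Hosts whose outage crossed the response threshold."""
    return sorted({o.host for o in find_outages(checks, **thresholds) if o.decision == "incident"})


# Constructed sample: probes every 10 s for three hosts.
SAMPLE = (
    [Check(t, "web-1", not 100 <= t < 120) for t in range(0, 200, 10)]     # 20 s blip
    + [Check(t, "app-1", not 300 <= t < 900) for t in range(0, 1000, 10)]  # 10 min outage
    + [Check(t, "db-1", t < 200) for t in range(0, 4000, 10)]               # down for over an hour
)

if __name__ == "__main__":
    for outage in find_outages(SAMPLE):
        print(outage)
    print("respond to:", hosts_needing_response(SAMPLE))
```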

Containment is the process of preventing an incident from spreading.  In many cases, that means disconnecting an infected system from the rest of the network.  For example, if a computer is infected with a virus, it can be contained by disconnecting it from the network so that the virus does not spread to other machines. 

Eradication is the process of removing the threat.  Eradication may be a part of the containment process.  For example, if the incident is a fire, putting out the fire is both the containment and eradication process.  If the incident resolved itself, then eradication may not be necessary.

Recovery is the process of returning the organization to the state it was before the incident occurred.  A full recovery is not always possible because the incident may have caused financial or reputational loss that cannot be restored.  If the cause of the incident is covered by insurance, recovery can be obtained from the insurance company. 

The Lessons Learned process allows the organization to document the incident so that it never happens again.  It is literally as it sounds: what did we learn from this incident.  It also allows us to update our response plan.

Exercises

Remember that no plan ever failed on paper.  The organization must test out the plan.  A tabletop exercise is a gathering of the organization’s senior leadership, where the leaders act out potential disasters and the organization’s response.

Employees who are trained to respond to disasters must have clearly defined roles (i.e. incident commander, communications, technical support, medical, etc.)

The exercise will not produce accurate results, because the participants know that they are not facing a real situation.  The stress level is much lower in an exercise than in a real disaster.  Nevertheless, it produces more accurate results than not having an exercise.

A better method is a “drill” where the organization creates real (but controlled) disasters and forces employees to respond.  When employees have no prior knowledge, their responses will be more accurate.  A drill may be illegal because it may cause physical or emotional harm to employees.  For example, if the organization creates a real fire, but people are harmed while trying to escape, the drill would be counterproductive.

The exercise must be repeated on a regular basis, and when the disaster recovery plan changes.

Some types of exercises

  • Tabletop.  A tabletop exercise is where each participant takes a seat at a table and assumes their role.  We produce a written summary of a disaster, which each person has. 

    Each participant verbally states the procedure that they will follow to respond to the disaster.  We might have a facilitator give regular updates to the disaster and see how participants respond.

    A tabletop exercise is the least expensive type of exercise.

    For example, if we are simulating a fire, the tabletop exercise would go as follows
    • Facilitator: announces that there is a fire on the second floor
    • Secretary: says that she will pull the fire alarm and tells people that there is a fire
    • Floor Fire Marshall: says that he is going to check the floor for any people
    • Secretary: says that she will call 911
    • Floor Fire Marshall: says that the floor is clear
    • Facilitator: announces that the fire department has arrived
    • Secretary: begins roll call to ensure that everybody is accounted for
    • Communications: puts out a press release

  • Walkthroughs.  A walkthrough is where each participant physically responds to a disaster.  Again, we produce a written summary of a disaster, but now each participant gathers the tools that they would use and demonstrates their response.

    For example, if we are simulating a fire, the walkthrough exercise would go as follows
    • Facilitator: announces that there is a fire on the second floor
    • Secretary: goes into the hallway and pulls the fire alarm and tells people that there is a fire (we let the alarm monitoring company know that this is a drill)
    • Floor Fire Marshall: checks the floor for any people
    • Secretary: calls 911 and tells them that they are checking to make sure that the emergency response center can see their address
    • Floor Fire Marshall: determines that the floor is clear
    • Facilitator: announces that the fire department has arrived
    • Secretary: begins roll call to ensure that everybody is accounted for
    • Communications: puts out a press release

  • Simulations.  In a simulation, we create a real disaster and see how people respond.

    For example, if we are simulating a fire, the simulation would go as follows
    • Facilitator: sets the floor on fire
    • Secretary: goes into the hallway and pulls the fire alarm and tells people that there is a fire
    • Floor Fire Marshall: checks the floor for any people
    • Secretary: calls 911 and tells them that there is a fire
    • Floor Fire Marshall: determines that the floor is clear
    • Secretary: begins roll call to ensure that everybody is accounted for
    • Communications: puts out a press release

We can’t really start a fire.  In the IT world, we can simulate many types of threats and see how users respond.  For example, we can create a fake phishing e-mail and send it to various users to see if they click on it.

Attack Frameworks

An attack framework is a knowledge base of known threats that we can use to protect ourselves.  No framework is complete because attackers are always finding new ways to hurt us, but they are a good starting point.

  • MITRE ATT&CK.  A knowledge base of attacks for developing threat models.  Created by MITRE.  It is divided into several sections.  I have summarized it below but beware because it is quite long.

    • Reconnaissance.  This is when the attacker gathers information about the target. 

      • This could include checking for vulnerabilities, IP scanning to see open ports and hosts, scanning for installed software applications, scanning for firmware versions

      • Gathering information about the victim such as passwords, employee names, hardware, software, firmware, configurations

      • Gathering network information including domain names, DNS, network topology

      • Gathering organizational information including physical locations, locations where resources are located, legal jurisdictions, business relationships, staff roles and hierarchies, departments and divisions, key employees and their privileges, operating hours, dates and times of purchases and shipments

      • Sending out phishing e-mails and messages to gather data.  Phishing may include spear phishing directed against key employees and social engineering

      • Searching closed sources for data about the victim including private intelligence and the dark web. 

      • Searching open databases including domain name databases, whois, digital certificates, content delivery networks, and other public databases.

      • Searching open websites including search engines, social media belonging to the organization, social media belonging to key employees and vendors, and corporate websites.

    • Initial Access.  This is when the attacker tries to get into the network.

      • Try to exploit a public website through a normal visit.  If an attacker can do this, it is bad.  Very bad.

      • Exploit a weakness in a public-facing database or other application.

      • Exploit a weakness in a public-facing remote service such as a VPN, Citrix, or a cloud access broker.

      • Introduce computer accessories that can be used to gain access.  Examples include USB keyboards with keyloggers and hidden cameras.

      • Send phishing e-mails with malware that allows them to gain remote access.

      • Introduce malware through removable media such as DVDs and external drives

      • Introduce malware and backdoors into software and hardware purchased by the organization.  The attacker may do so by intercepting the hardware during delivery, modifying it, and releasing it back into the supply chain.

      • Manipulate software destined for the organization while it is still under development.  Introduce backdoors into the software before it is digitally signed.

      • Steal valid user credentials for VPNs, e-mail, Remote Desktop, default accounts, cloud accounts, domain accounts, and local accounts.

    • Execution.  Now the hacker is in and can run some code to start the real attack.

      • Run PowerShell, AppleScript, Unix Shell, VB, Python, and JavaScript scripts

      • Execute commands within a container

      • Deploy a new container with malicious code

      • Exploit vulnerabilities in an existing application to remotely execute malicious code

      • Abuse the Windows Component Object Model (COM) to run code through the Windows API

      • Abuse Windows Dynamic Data Exchange to execute commands

      • Create scheduled tasks to run malicious code (Windows, Linux, Cron, Launchd, etc.)

      • Gain access to software development tools and insert malicious code

      • Execute malicious code inside launchctl, or Windows Services

      • Trick users into executing malicious code either by sending them phishing links or files

      • Attach a command to a user account that forces the account to run a script upon login

      • Trick a user into installing and executing a malicious image of a legitimate application in a cloud environment

      • Exploit Windows Management Instrumentation

    • Persistence.  If our defences are good, we might detect the attacker and kick him out.  Persistence is a technique that the attacker uses to stay in.

      • Manipulate multiple accounts including their credentials and permissions.  Preserve the life of compromised accounts by modifying their expiry dates and password policies.

      • Create additional accounts with the highest permissions including the Global Administrator role in Microsoft Office 365

      • Modify the SSH authorized_keys file in Linux to give the hacker remote access.  The authorized_keys file lists the public keys that are permitted to access a Linux host via SSH.

      • Attack Windows Background Intelligent Transfer Service

      • Configure the system to execute programs or scripts upon boot or login.  These scripts can give or reinstate privileges to compromised accounts.

      • Create registry keys that run each time a user logs in

      • Modify login scripts to execute DLLs upon system boot or user login

      • Create new local, domain, and cloud accounts

      • Create and modify system processes to execute malicious scripts through a launch agent, system service, Windows service, or Launch Daemon

      • Execute scripts triggered by different events including a screensaver, or Windows Management Instrumentation events

      • Change the default file association to run a malicious program when certain file types are opened.

      • Modify the UNIX shell configuration to execute scripts

      • Install tainted binaries through LC_LOAD_DYLIB

      • Execute malicious content within Netsh Helper DLLs, accessibility features, AppCert DLLs, AppInit DLLs, Windows Application Shims, Image File Execution Options, PowerShell profiles, Emond, or Component Object Models

      • Use DLL Side-Loading to execute malicious files

      • Hijacking execution flows in DLLs

      • Side-loading DLLs

      • Hijack or manipulate binaries used by installers or services

      • Install a manipulated image in a cloud service

      • Modify or bypass the authentication process

      • Use Microsoft Office templates with malicious scripts

      • Use the Microsoft Office “Office Test” Registry Key to execute DLLs each time an Office application runs

      • Modify the UEFI or BIOS firmware

      • Modify component-level firmware

      • Install a bootkit that runs on a level below the operating system

      • Boot a system via a TFTP server

      • Schedule the execution of malicious code

      • Write a stored SQL procedure and keep it in a database and then execute when required

      • Abuse credentials of legitimate accounts

    • Privilege Escalation.  Once we are in, we try to gain more privileges.  How?

      • Try to perform a shell escape or exploit a vulnerability in an application that is running at a higher privilege

      • Bypass User Account Control

      • Use the AuthorizationExecuteWithPrivileges API to gain privileges

      • Modify operating system access tokens to make a malicious process appear like it is the child of a legitimate process, and gain the same privileges as the legitimate process

      • Impersonate a legitimate token

      • Create a new process with elevated privileges using a token

      • Spoof the parent process identifier

      • Execute a program during boot or logon to gain higher privileges

      • Add a malicious program to a startup folder or registry entry

      • Abuse time providers, Winlogon, security support providers, the kernel, plist files, LSASS drivers, or shortcuts to run programs.

      • Run scripts at login

      • Modify the domain policy through Group Policy Objects

      • Escape from a virtual machine or container to the host

      • Event triggered execution

      • Steal legitimate accounts

    • Defense Evasion.  After we compromise a system and gain privileges, we want to avoid defences.

      • Use sudo and sudo caching

      • Exploit setuid and setgid

      • Manipulate access tokens or duplicate access tokens

      • Create processes with tokens

      • Deploy containers

      • Modify Group Policy Objects

      • Add new domain trusts

      • Use guardrails to ensure that the exploit only attacks specific targets

      • Key payloads to specific environments

      • Modify file permissions to avoid detection

      • Hide artifacts that indicate malicious content

      • Set malicious files and directories to be hidden

      • Create a hidden file system within an existing file

      • Use NTFS to modify file attributes through Extended Attributes

      • Create hidden users

      • Create hidden windows

      • Run malicious content on a virtual instance

      • Hide VBA scripts inside an office document

      • Use email rules to hide malicious e-mail content automatically

      • Hijack DLLs as mentioned earlier

      • Disable user defences including firewalls, and antivirus

      • Disable malware detection tools

      • Kill security software processes

      • Delete registry keys related to security applications

      • Disable event logging

      • Disable command logging

      • Disable cloud logs and firewalls

      • Boot into safe mode

      • Downgrade the operating system or one of its features to an older version that is more vulnerable

      • Delete files

      • Abuse command execution utilities

      • Masquerade the features of a malicious file to make it appear legitimate through a valid code signature, or a right-to-left override

      • Match a legitimate file name or file location

      • Change the extension of a file or add a space after the filename

      • Masquerade as a legitimate task or service

      • Add a double file extension (where the second extension is legitimate)

      • Modify the authentication process

      • Hardcode a password into the operating system through a patch

      • Create a snapshot of a cloud server and then revert to the original snapshot after the attack

      • Create a new virtual cloud instance and launch an attack from it

      • Delete an existing cloud instance after an attack

      • Modify the registry to hide malicious content

      • Compromise a network boundary by modifying a NAT configuration

      • Encrypt a file containing malicious content

      • Add junk data to a malicious file to make it appear different or to make it difficult to scan

      • Pack software inside a virtual machine or inside another file to make it appear different

      • Send the malicious file to the victim in the form of source code and have the victim compile and execute it

      • Hide malicious files inside HTML files

      • Modify the system firmware

      • Inject a DLL or portable executable into a process

      • Install a rogue domain controller

      • Use a rootkit

      • Execute a signed binary through a compiled HTML file, the control panel, CMSTP, InstallUtil, Mshta, Msiexec, Odbcconf, Regsvcs, Regsvr32, Rundll32, MMC, Mavinject, or Verclsid

      • Subvert Trust Controls to make a malicious program appear legitimate.  This can include removing the “downloaded” file attribute, digitally signing a malicious application with a legitimate developer’s stolen private key, or installing a root certificate that trusts the hacker’s signature

      • Inject malicious XML into Office templates

      • Use traffic signaling to hide open ports

      • Set up instances in unused cloud regions and use them to run malicious applications

      • Use stolen hashes (Pass the Hash)

      • Use stolen tickets (Pass the Ticket) to bypass Kerberos

      • Steal session cookies

      • Use valid stolen accounts

    • Credential Access.  How do attackers steal credentials?

      • Man in the Middle attack

      • NBT-NS Poisoning

      • DNS poisoning

      • ARP Cache Poisoning

      • Brute Force, Password Guessing, Password Cracking, Credential Stuffing

      • Credentials from password stores such as the keychain, securityd memory, web browsers, Windows Credential Manager, and password managers

      • Forced Authentication

      • Forged Web Credentials

      • SAML Tokens

      • Web Cookie forgery

      • Credential API hooking

      • Web portal capture

      • Modify the authentication process

      • OS credential dumping from LSASS memory, the Security Account Manager, NTDS, LSA Secrets, cached domain credentials, DCSync, the proc filesystem, /etc/passwd, or /etc/shadow

      • Stealing Kerberos tickets and using them to log in

      • Stealing or forging the Kerberos ticket-granting tickets

      • Stealing web session cookies and mimicking a legitimate user

      • Intercept 2FA tokens or smart cards

      • Intercept 2FA phone calls and SMS messages

      • Search and use unsecured credentials stored in plain text, in the registry, in the bash history, private keys, cloud metadata, group policy preferences, or container APIs

    • Discovery.  Now that the hacker is in, they need to figure out how the system works.  Then they can plan their next move.  What do they do?

      • Produce a list of local, domain, and cloud accounts and their attributes

      • Discover different applications

      • Discover browser bookmarks

      • Discover cloud infrastructure, objects, and containers

      • View the cloud dashboard

      • Determine domain trust relationships

      • Determine files and directories including network folders and shares

      • Determine the group policy and permissions

      • Determine services running on the network and the ports that they listen on

      • Sniff network traffic to determine the types of traffic

      • Determine the password policies.  This can assist with password cracking.

      • Determine peripheral devices in use

      • Determine software running on each machine, including security software

      • Determine system locations and languages

      • Determine network connections

      • Determine system owners and users

      • Determine virtualization and attempt to evade system checks, user activity checks, and time-based checks

    • Lateral Movement.  Now the hacker wants to move through the network.  How?

      • Internal spearphishing

      • Exploitation of remote services

      • Transfer malicious tools from one host to another

      • Remote session, SSH, and RDP hijacking

      • Remote access to RDP, SMB, DCOM, SSH, VNC, and WinRM

      • Replication through removable media

      • Replication through access to internal software tools

    • Collection.  The hacker needs to gather data and take it out of the organization.  How?

      • Man in the middle attack

      • Archival of collected data via a third-party utility, or a library

      • Audio capture

      • Automated collection

      • Browser session hijacking

      • Theft of clipboard data

      • Configuration dumps

      • Theft of data from Cloud storage, Sharepoint, Confluence, code repositories, local machines, shared drives, and removable media

      • Staging the collected data locally or on a remote server

      • Collect data from local email systems or remote email servers

      • Forwarding emails to an attacker’s server

      • Capture user inputs via keyloggers, GUI, web portals, or API hooking

      • Screen captures

      • Video captures

    • Command and Control.  Then the hacker needs to communicate with and control the compromised system.  There are different protocols:

      • Application Layer – transmit commands over web, FTP, mail, and DNS protocols

      • Transmit commands over Removable Media

      • Data Encoding – encode data via standard encoding, or non-standard encoding

      • Data Obfuscation – adding junk data to make detection difficult, or using steganography to hide the data

      • Dynamic resolution to allow the malware to communicate with rapidly changing IP addresses, domain names, and port numbers

      • Using Fast Flux DNS to hide the real location of the attacker

      • Use a Domain Generation Algorithm to dynamically identify new destination domain names and IP addresses for command and control

      • Encryption algorithms to hide the contents of the control traffic

      • Alternate communication channels when the primary ones fail

      • Use of a non-application layer protocol or non-standard port

      • Use a protocol tunnel such as a VPN or a proxy to hide the communication contents.  This can include an internal proxy, external proxy, multi hop proxy, or domain fronting in a CDN.

      • Hijack a legitimate remote access application such as TeamViewer or LogMeIn

      • Use a legitimate web service to relay compromised data.  This can be a dead drop, a bidirectional communication, or a unidirectional communication.

    • Exfiltration.  Exfiltration is when the hacker needs to take the data out without being detected.

      • Use of traffic mirroring to capture traffic

      • Use of an alternate protocol

      • Exfiltration over an alternative network or Bluetooth

      • Exfiltration over a physical medium such as USB

      • Exfiltration to a cloud storage or code repository

      • Scheduled Transfer

    • Impact.  If a hacker wants to steal data over a long term, he will take actions to avoid detection.  But if a hacker wants to disrupt the business, then detection is an obvious by-product.

      • Removal or lock out of legitimate accounts

      • Data destruction including files, file shares, operating system files, network equipment configuration

      • Encryption of data

      • Manipulation or modification of data to disrupt the business process or decisions

      • Defacement of internal systems with offensive messages

      • Disk wipe

      • Denial of Service through OS Exhaustion, Service Exhaustion, Application Exhaustion, System Exploitation

      • Firmware corruption

      • Deletion of system recovery partitions, backups, volume shadow copies, and automatic repair

      • Network denial of service through network floods or reflection amplification

      • Disruption of services

      • System shut downs

      • Resource hijacking
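The ATT&CK summary above is long; what a defender does with it is map observed events back to the techniques and tactics it names. As an added example that is not part of the original notes, a small rule engine tags constructed host events with the Persistence, Defense Evasion and Credential Access techniques listed above (SSH authorized_keys changes, registry Run keys, scheduled tasks, new accounts, event log clearing, LSASS access) and then flags hosts where more than one tactic shows up. The event format, host names, user names and sample events are assumptions; the technique IDs are the public ATT&CK identifiers.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    action: str   # normalised verb: file_write, reg_set, process, process_access, account_add
    target: str   # file path, registry key, command line, accessed process or account name


@dataclass(frozen=True)
class Finding:
    host: str
    tactic: str
    technique: str
    attack_id: str
    evidence: str


# (tactic, technique, ATT&CK id, action the rule applies to, regex on the target).
# Windows paths and commands are case-insensitive, so all rules compile with IGNORECASE.
RULES = [
    ("Persistence", "SSH Authorized Keys", "T1098.004", "file_write",
     r"/\.ssh/authorized_keys$"),
    ("Persistence", "Registry Run Keys / Startup Folder", "T1547.001", "reg_set",
     r"\\CurrentVersion\\Run(Once)?\\"),
    ("Persistence", "Scheduled Task/Job", "T1053", "process",
     r"^(schtasks(\.exe)?\b.*\s/create\b|crontab\s)"),
    ("Persistence", "Create Account", "T1136", "account_add", r"."),
    ("Defense Evasion", "Clear Windows Event Logs", "T1070.001", "process",
     r"^wevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("Credential Access", "LSASS Memory", "T1003.001", "process_access",
     r"\\lsass\.exe$"),
]
COMPILED = [(t, n, i, a, re.compile(rx, re.IGNORECASE)) for t, n, i, a, rx in RULES]


def match_events(events):
    """Tag each event with every technique whose rule it satisfies."""
    findings = []
    for ev in events:
        for tactic, technique, attack_id, action, rx in COMPILED:
            if ev.action == action and rx.search(ev.target):
                findings.append(Finding(ev.host, tactic, technique, attack_id, ev.target))
    return findings


def tactics_by_host(findings):
    """Distinct tactics observed per host."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.tactic)
    return seen


def hosts_spanning_tactics(findings, min_tactics=2):
    """Hosts where techniques from several tactics appear.  One Run key can be benign
    software; a Run key plus log clearing on the same host reads as an intrusion."""
    return sorted(h for h, t in tactics_by_host(findings).items() if len(t) >= min_tactics)


# Constructed sample events (not real telemetry).
SAMPLE = [
    Event("lnx-web-1", "svc-deploy", "file_write", "/home/svc-deploy/.ssh/authorized_keys"),
    Event("lnx-web-1", "svc-deploy", "file_write", "/var/www/html/index.html"),
    Event("lnx-web-1", "root", "account_add", "backup2"),
    Event("win-ws-7", "jdoe", "reg_set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("win-ws-7", "jdoe", "process",
          r"schtasks.exe /create /tn Updater /tr C:\Users\Public\updater.exe /sc onlogon"),
    Event("win-ws-7", "jdoe", "process", "wevtutil.exe cl Security"),
    Event("win-dc-1", "jdoe", "process_access", r"C:\Windows\System32\lsass.exe"),
]

if __name__ == "__main__":
    found = match_events(SAMPLE)
    for f in found:
        print(f"{f.host}: {f.tactic} / {f.technique} ({f.attack_id}) <- {f.evidence}")
    print("hosts spanning several tactics:", hosts_spanning_tactics(found))
```

In production the rules would sit on top of normalised telemetry (auditd, Sysmon, EDR) and carry allow-lists for known administrative activity; the structure of tagging events with a tactic and then correlating per host is the part that carries over.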

  • The Diamond Model of Intrusion Analysis.  We can draw a diamond for every incident.  The four corners of the diamond are

    • Adversary – the guy trying to hurt us.  Who is he?

    • Capability – what is the adversary capable of?  What kinds of tools and techniques does he have access to?

    • Infrastructure – what can the attacker damage?

    • Victim – who is being hurt?

We use the diamond model to identify areas where our knowledge is lacking.  We can also use the diamond model to take a victim-centered approach, an adversary-centered approach, a capability-centered approach, or an infrastructure-centered approach when analysing a threat.

Each point on the diamond is connected to the other points.  We can move from one point to another when analysing an event.  This is called analytic pivoting.

For example, if we know who the Adversary is, then we can pivot through our threat database to identify the capabilities of that adversary.  What does he know how to do?  What types of victims does he like to attack?  What type of infrastructure does he like to attack?

If we start at the infrastructure side, we can pivot to the capabilities.  We can ask who has the capability to attack our infrastructure.  From there, we can think about the adversaries who like to attack this type of infrastructure and have the capabilities.
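The analytic pivoting described above, as an added example that is not part of the original notes: a handful of diamond events stored as records, a generic pivot from one corner to another, a chained pivot (infrastructure to capability to adversary, the path the previous paragraph walks), a centered view of one corner, and a listing of the corners still marked unknown. The adversary names, capabilities, infrastructure and victims are constructed sample data.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class DiamondEvent:
    adversary: str
    capability: str
    infrastructure: str
    victim: str


UNKNOWN = "unknown"                              # marker for a corner we have not filled in
CORNERS = [f.name for f in fields(DiamondEvent)]  # the four corners of the diamond


def pivot(events, from_corner, value, to_corner):
    """One analytic pivot: every known value of to_corner on events whose
    from_corner equals value."""
    return {getattr(e, to_corner) for e in events
            if getattr(e, from_corner) == value and getattr(e, to_corner) != UNKNOWN}


def pivot_path(events, start_corner, value, *path):
    """Chain pivots across the diamond, e.g. infrastructure -> capability -> adversary."""
    current, corner = {value}, start_corner
    for nxt in path:
        current = set().union(*(pivot(events, corner, v, nxt) for v in current))
        corner = nxt
    return current


def profile(events, corner, value):
    """Adversary-, victim-, capability- or infrastructure-centered view: everything
    known about the other three corners for one value of the chosen corner."""
    return {c: pivot(events, corner, value, c) for c in CORNERS if c != corner}


def knowledge_gaps(events):
    """(event index, corner) pairs still unknown: where to collect more information."""
    return [(i, c) for i, e in enumerate(events) for c in CORNERS if getattr(e, c) == UNKNOWN]


# Constructed sample events (203.0.113.0/24 is a documentation range, not a real address).
SAMPLE = [
    DiamondEvent("crew-a", "credential phishing kit", "mail relay 203.0.113.10", "finance dept"),
    DiamondEvent("crew-a", "vpn credential stuffing", "vpn.example.com", "remote workers"),
    DiamondEvent(UNKNOWN, "vpn credential stuffing", "vpn.example.com", "contractors"),
    DiamondEvent("crew-b", "ransomware", "file server fs-01", "operations"),
]

if __name__ == "__main__":
    print("crew-a capabilities:", pivot(SAMPLE, "adversary", "crew-a", "capability"))
    print("who can reach the VPN:",
          pivot_path(SAMPLE, "infrastructure", "vpn.example.com", "capability", "adversary"))
    print("gaps:", knowledge_gaps(SAMPLE))
```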

  • Cyber Kill Chain.  The Cyber Kill Chain was developed by Lockheed Martin’s Intelligence Driven Defense®.  It has seven sections that categorize an Advanced Persistent Threat.  It was based on a military kill chain.

    • Reconnaissance – the hacker is spying on you

    • Weaponization – based on the reconnaissance, the hacker develops some exploits

    • Delivery – the hacker delivers the exploit to the victim

    • Exploitation – the exploitation begins

    • Installation – the malware is installed

    • Command and Control – the hacker takes over

    • Actions on Objectives – the hacker takes action to achieve his goals

The problem with the cyber kill chain is that it does not take insiders into account.  Also, the first two stages (Reconnaissance and Weaponization) take place outside of the organization.

Mr. drs. Paul Pols developed an 18-stage threat model called the Unified Kill Chain, which combines the Cyber Kill Chain, MITRE, and other models.  The steps are

    • Reconnaissance – The hacker spies on the target

    • Weaponization – The hacker creates an exploit

    • Delivery – The hacker delivers the exploit to the target

    • Social Engineering – The hacker uses social engineering to trick the target into executing the exploit

    • Exploitation – The malware is executed through vulnerabilities

    • Persistence – The malware finds a way to stay without being deleted

    • Defence Evasion – The malware avoids detection

    • Command & Control – The attacker takes over remotely

    • Pivoting – Now that the attacker has a stable footing, he switches to the next stage of the attack

    • Discovery – The attacker begins discovering the workings of the victim’s network

    • Privilege Escalation – The attacker gains elevated privileges

    • Execution – The attacker executes commands on the victim’s network

    • Credential Access – The attacker gains additional credentials

    • Lateral Movement – The attacker moves to other systems within the network

    • Collection – The attacker collects data

    • Exfiltration – The attacker removes data from the network

    • Target Manipulation – The attacker causes damage to the network

    • Objectives – The attacker has achieved his goals

Stakeholder Management and Communication

What is a stakeholder?  A stakeholder is somebody that has an interest in our company.  They include

  • Customers

  • Employees

  • Vendors

  • Investors

  • The different levels of government (local, state, federal), senate committees, and state & federal regulatory agencies

  • The local community

We want to keep our stakeholders happy and informed during a crisis.  We need to create a stakeholder management plan. 

The first step is to identify all the stakeholders, and their degree of influence.  For example, a regulatory body might have a high degree of influence on our operations.

The second step is to figure out how to communicate with each one.  That is, what medium do they communicate with (in person, e-mail, press release, etc.)?  How much do they need to know?  We should have a different plan for each scenario

For example, if we have a data breach, we might do the following

  • Cooperate with the government investigation and assist in determining exactly how the breach took place.  Provide the government with full details.

  • Notify employees via internal e-mail about the breach.  Provide only relevant information and instruct them not to speak with the media.

  • Notify each customer about the data breach via a letter.  The letter will inform them about the breach and the type of data that was compromised.

  • Issue a press release to the media about the breach and the actions that the company is taking to investigate it.

  • Issue a letter to investors about the financial impact of the breach.

The organization should have a dedicated communications person to talk to the media via official channels.  The first goal of crisis management is to make sure that people don’t panic.  It is more important than solving the crisis.  It should be clear that employees and contractors should not speak with the media.

The communications plan should address how the organization can communicate with its employees and vendors in the event that regular forms of communication are disrupted.

Disaster Recovery Plan

Disaster Recovery is a process through which an organization can resume normal operations in the event of a disaster (natural disaster, strike, data loss, fire, war, ransomware attack, or protest).  An organization must:

  • Plan out a cost-effective disaster recovery plan considering all the different causes of disruption.  For example, an organization located in Florida should consider hurricanes, but an organization in Wyoming should not.

  • Identify the amount of downtime the organization can accept before having to resume normal operations.  An organization such as an insurance company may not accept any disruption to its operations.  A retail store may accept a disruption of one or two weeks.  The shorter the disruption we can tolerate, the more expensive the recovery plan.

  • The organization should practice the disaster recovery plan, holding regular drills with the key responders.

  • The organization should review and revise the disaster recovery plan to take advantage of new technologies and consider new threats.

  • The more effective the disaster recovery plan, the more it will cost.  The disaster recovery plan may cost the organization money, even when no disaster has taken place.  For example, maintaining a second office for emergency use may cost the organization tens of thousands of dollars per month.  Is the potential harm caused by the disaster (multiplied by its likelihood) more expensive than the cost of maintaining the office?

If there is a disaster, how can the business restore operations?  How fast can it restore operations?  It is not enough just to restore data.  Questions to ask:

  • What does the organization do?  What products or services does it provide?

  • What equipment is required to manufacture the products or provide the services?  Where can this equipment be sourced or does the organization have spares?  What does it require to operate?

  • Where can the organization operate from?  Does it have a secondary location?  Can employees work from home?

  • Who are the key leaders?  What kinds of skills are required to restore the organization’s operations and which employees, or contractors possess those skills?

  • How can the organization communicate with its customers and employees?  Does the organization maintain backup forms of communication in case the normal communications systems are disrupted?

Alternative Business Practices

An alternative business practice is one that can be used when the primary business practice is unavailable because something it depends on is unavailable.

The organization must plan a response.  It is not always possible to have a cost-effective alternative business practice.  Organizations that source raw materials cannot always resume operations.  Examples include oil wells, mines, and farms.

We can develop a Business Continuity Plan instead.  This is a plan for keeping our business operating in the event of a disaster.  It can include the following.

Continuity of Operations Planning (COOP)

COOP or Continuity of Operations Planning is a US federal government program that encourages organizations to plan how they will continue operating essential functions in the event of an emergency disruption.

It should include:

  • Providing essential functions

  • Allowing for good decision making when key management is unavailable

  • Planning for general scenarios instead of specific ones

Retention Policies

How long should an organization store data for?  The short answer is for as long as necessary, and no longer.  Storing more data than necessary can increase the risk that data is inadvertently disclosed.

  • When an organization collects personal information from a customer it should tell the customer how long it will store the data for.  It should also tell that customer why it is collecting the data, how it will be used, and who it will be provided to.

  • An organization may be required by law to retain data for a minimum period.  For example, Sarbanes-Oxley requires an organization that is publicly traded to keep data for at least seven years.

  • Some jurisdictions have laws that prohibit an organization from storing data for a long time.

  • Some professional organizations (engineers, lawyers, pharmacists) may require their members to store client records for many years or decades.  For example, if an engineer designed a bridge, the records may need to be stored for the lifetime of the bridge (100 years).  A doctor or lawyer may need to store data for at least ten years.

  • When a professional (doctor, lawyer, engineer, accountant, pharmacist) stops practicing, there is a procedure for the disposition of those records.  The guidelines are issued by the professional’s organization.  The clients have a right to those records.
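The retention rules above pull in two directions: a legal or professional minimum says a record must be kept, while a privacy law or the "as long as necessary, and no longer" principle says it must eventually be disposed of.  The following Python evaluator is an added example, not part of this guide; it encodes a small retention schedule and, for a given date, sorts records into those that must be kept, those eligible for disposal, and those overdue for disposal.  The schedule entries are constructed from the figures mentioned in the text (seven years under Sarbanes-Oxley, ten years for a doctor or lawyer, one hundred years for a bridge design); the two-year marketing cap and the legal-hold flag are hypothetical additions for illustration.

```python
"""Retention schedule evaluator (added example, not from the guide).

Each record has a category; each category has a minimum retention period
(law or professional body) and an optional maximum (privacy law or the
organization's own "no longer than necessary" rule).  Periods are constructed
from the figures in the text and are not legal advice.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    min_years: int                    # must keep at least this long
    max_years: Optional[int] = None   # must dispose of by this point (None = no cap)


# Constructed schedule based on the examples in the text.
SCHEDULE: Dict[str, RetentionRule] = {
    "financial": RetentionRule(min_years=7),            # Sarbanes-Oxley minimum
    "medical": RetentionRule(min_years=10),             # doctor/lawyer example
    "engineering": RetentionRule(min_years=100),        # lifetime of a bridge
    "marketing": RetentionRule(min_years=0, max_years=2),  # hypothetical privacy cap
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    collected: date
    legal_hold: bool = False   # hypothetical: an investigation overrides disposal


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 February to 28 February when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(record: Record, today: date) -> str:
    """Return HOLD, RETAIN, ELIGIBLE or DISPOSE for one record on a given date."""
    if record.category not in SCHEDULE:
        # Fail closed: an unknown category is never silently eligible for disposal.
        raise ValueError(f"no retention rule for category {record.category!r}")
    rule = SCHEDULE[record.category]
    if rule.max_years is not None and rule.max_years < rule.min_years:
        raise ValueError(f"inconsistent rule for {record.category}: max < min")
    if record.legal_hold:
        return "HOLD"
    if today < add_years(record.collected, rule.min_years):
        return "RETAIN"          # still inside the mandatory minimum
    if rule.max_years is not None and today >= add_years(record.collected, rule.max_years):
        return "DISPOSE"         # past the maximum: overdue for deletion
    return "ELIGIBLE"            # minimum satisfied, disposal allowed but not yet required


def disposition_report(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by status so a data steward can act on each bucket."""
    report: Dict[str, List[str]] = {"HOLD": [], "RETAIN": [], "ELIGIBLE": [], "DISPOSE": []}
    for r in records:
        report[evaluate(r, today)].append(r.record_id)
    return report


# Constructed sample records for the demonstration.
SAMPLE_RECORDS = [
    Record("fin-2015", "financial", date(2015, 3, 1)),
    Record("fin-2021", "financial", date(2021, 3, 1)),
    Record("med-2010", "medical", date(2010, 6, 15), legal_hold=True),
    Record("eng-1990", "engineering", date(1990, 1, 1)),
    Record("mkt-2019", "marketing", date(2019, 5, 1)),
    Record("mkt-2023", "marketing", date(2023, 5, 1)),
]

if __name__ == "__main__":
    for status, ids in disposition_report(SAMPLE_RECORDS, date(2024, 1, 1)).items():
        print(f"{status:8} {ids}")
```

The evaluator refuses to classify a record whose category has no rule and rejects a schedule where the maximum is shorter than the minimum; both cases are where a real retention program goes wrong, because a record that falls through the cracks is either kept forever or deleted while still required.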