Staying Connected During a Cybersecurity Incident
We is all communicationknow important. Anyone who's ever been married, had a friend, or held a job knows that's true. While good communication is pretty much universally beneficial, there are times when it's more so than others. One such time? During a cybersecurity incident.
Incident responders know that communication is paramount. Even a few minutes might mean the difference between closing an issue (thereby minimizing damage) vs. allowing a risky situation to persist longer than it needs to. In fact, communication -- both within the team and externally with different groups -- is one of the most important tools at the disposal of the response team.
This is obvious within the response team itself. After all, there is a diversity of knowledge, perspective and background on the team, so the more eyes on the data and information you have, the more likely someone will find and highlight pivotal information. It's also true with external groups.
For example, outside teams can help gather important data to assist in resolution: either technical information about the issue or information about business impacts. Likewise, a clear communication path with decision makers can help "clear the road" when additional budget, access to environments/personnel, or other intervention is required.
What happens when something goes wrong? That is, when communication is impacted during an incident? Things can get hairy very quickly. If you don't think this is worrisome, consider the past few weeks: two large-scale disruptions impacting Cloudflare (rendering numerous sites inaccessible) and a disruption in Slack just occurred. If your team makes use of either cloud-based correspondence tools dependent on Cloudflare (of which there are a few) or Slack itself, the communication challenges are probably still fresh in your mind.
Now imagine that every communication channel you use for normative operations is unavailable. How effective do you think your communication would be under those circumstances?
Alternate Communication Streams
Keep in mind that the middle of an incident is exactly when communications are needed most -- but it also is (not coincidentally) the point when they are most likely to be disrupted. A targeted event might render critical resources like email servers or ticketing applications unavailable. A wide-scale malware event might leave the network itself overburdened with traffic (impacting potentially both VoIP and other networked communications), etc.
The point? If you want to be effective, plan ahead for this. Plan for communication failure during an incident just like you would put time into preparedness for the business itself in response to something like a natural disaster. Think through how your incident response team will communicate with other geographic regions, distributed team members, and key resources if an incident should render normal channels nonviable.
In fact, it's often a good idea to have a few different options for "alternate communication channels" that will allow team members to communicate with each other depending on what is impacted and to what degree.
The specifics of how and what you'll do will obviously vary depending on the type of organization, your requirements, cultural factors, etc. However, a good way to approach the planning is to think through each of the mechanisms your team uses and come up with at least one backup plan for each.
If your team uses email to communicate, you might investigate external services that are not reliant on internal resources but maintain a reasonable security baseline. For example, you might consider external cloud-based providers like ProtonMail or Hushmail.
If you use VoIP normally, think through whether it makes sense to issue prepaid cellular or satellite phones to team members (or to at least have a few on hand) in the event that voice communications become impacted. In fact, an approach like supplementing voice services with external cellular or satellite in some cases can help provide an alternate network connectivity path at the same time, which could be useful in the event network connectivity is slow or unavailable.
Planning Routes to Resources and Key External Players
The next thing to think through is how responders will gain access to procedures, tools and data in the event of a disruption. For example, if you maintain documented response procedures and put them all on the network where everyone can find them in a pinch, that's a great start… but what happens if the network is unavailable or the server its stored on is down? If it's in the cloud, what happens if the cloud provider is impacted by the same problem or otherwise can't be reached?
Just as you thought through and planned alternatives for how responders need to communicate during an event, so too think through what they'll need to communicate and how they'll get to important resources they'll need.
In the case of documents, this might mean maintaining a printed book somewhere that they can physically access -- in the case of software tools, it might mean keeping copies stored on physical media (a USB drive, CD, etc.) that they can get to should they need it. The specifics will vary, but think it through systematically and prepare a backup plan.
Extend this to key external resources and personnel your team members may need access to as well. This is particularly important when it comes to three things: access to key decision-makers, external PR, and legal.
In the first case, there are situations where you might need to bring in an external resources to help support you (for example, law enforcement or forensic specialists). In doing that, waiting for approval from someone who is unavailable because of the outage or otherwise difficult to reach puts the organization at risk.
The approver either needs to be immediately reachable (potentially via an alternate communication pathway as described above) or, barring that, have provided approval in advance (for example, preapproval to spend money up to a given spending threshold) so that you're not stuck waiting around during an event.
The same is true for external communications. You don't want to find your key contact points and liaisons (for example to the press) to be MIA when you need them most. Lastly, it is very important to have access to legal counsel, so make sure that your alternative communication strategy includes a mechanism to access internal or external resources should you require their input.
The upshot of it is that the natural human tendency is to overlook the fragility of dependencies unless we examine them systematically. Incident responders need to be able to continue to operate effectively and share information even under challenging conditions.
Putting the time into thinking these things through and coming up with workarounds is important to support these folks in doing their job in the midst of a cybersecurity event.