Breach response – preparing for the inevitable

The need to conduct a breach response can strike at any time, and there are many steps that an organisation can take to be prepared.

Michael Trevett, Mandiant Director UKI at FireEye


When an enterprise-level incident transpires, and a breach response is initiated, the success and accuracy of the investigation relies upon having complete and consistent visibility of all systems and network communication paths throughout the enterprise environment. Through years of conducting cyber breach responses, Mandiant has observed common challenges that can impair the ability to perform a comprehensive investigation as part of the cyber breach response. These challenges represent specific areas that all organisations should focus on ahead of time, to minimise the number of roadblocks and delays that could impact the success of an investigation.

  • Asset Management and Inventory
  • Network Architecture
  • Privileged Accounts and Credential Management
  • Visibility and Logging
  • Playbooks to support breach response activities
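The first and fourth areas in that list, asset inventory and logging visibility, can be measured before an incident rather than discovered during one. The script below is an added example, not code from the article or from Mandiant: it reconciles a constructed asset inventory against the log sources a SIEM reports, and lists the inventoried hosts an investigator would have no telemetry for, the hosts whose logs have gone quiet, and the hosts sending logs that nobody has inventoried. The host names, the `tier` field used for prioritisation and the 24-hour staleness threshold are all assumptions.

```python
"""Log-coverage check against an asset inventory.

Added example, not part of the original article and not Mandiant code.
The inventory and log-source records below are constructed sample data;
in practice they would come from a CMDB export and the SIEM's source list.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed asset inventory (hypothetical hosts, owners and criticality tiers).
INVENTORY = [
    {"host": "dc01.corp.example", "role": "domain-controller", "owner": "ad-team", "tier": 0},
    {"host": "web01.corp.example", "role": "web", "owner": "platform", "tier": 2},
    {"host": "db01.corp.example", "role": "database", "owner": "data", "tier": 1},
    {"host": "jump01.corp.example", "role": "bastion", "owner": "secops", "tier": 0},
]

# Constructed log-source list as a SIEM might report it: host, log type and
# the timestamp of the most recent event received from that source.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
LOG_SOURCES = [
    {"host": "dc01.corp.example", "type": "windows-security", "last_seen": NOW - timedelta(minutes=5)},
    {"host": "web01.corp.example", "type": "nginx-access", "last_seen": NOW - timedelta(days=3)},
    {"host": "jump01.corp.example", "type": "auditd", "last_seen": NOW - timedelta(minutes=1)},
    {"host": "lab07.corp.example", "type": "syslog", "last_seen": NOW - timedelta(hours=2)},
]


@dataclass
class CoverageReport:
    covered: list = field(default_factory=list)  # inventoried hosts with fresh logs
    no_logs: list = field(default_factory=list)  # inventoried hosts with no log source at all
    stale: list = field(default_factory=list)    # inventoried hosts whose last event is too old
    unknown: list = field(default_factory=list)  # hosts sending logs but absent from the inventory

    @property
    def coverage_ratio(self) -> float:
        """Fraction of inventoried hosts that currently have usable telemetry."""
        total = len(self.covered) + len(self.no_logs) + len(self.stale)
        return len(self.covered) / total if total else 0.0


def coverage_gaps(inventory, log_sources, now, stale_after=timedelta(hours=24)):
    """Reconcile the inventory against the SIEM's log sources.

    A host counts as covered when at least one of its log sources has sent an
    event within `stale_after` (assumed 24 hours here). Inventoried hosts are
    processed in (tier, name) order so tier-0 gaps appear first in each list.
    """
    # Most recent last_seen per host, across all of that host's sources.
    latest = {}
    for src in log_sources:
        host = src["host"].lower()
        if host not in latest or src["last_seen"] > latest[host]:
            latest[host] = src["last_seen"]

    known = {asset["host"].lower() for asset in inventory}
    report = CoverageReport()

    for asset in sorted(inventory, key=lambda a: (a["tier"], a["host"])):
        host = asset["host"].lower()
        if host not in latest:
            report.no_logs.append(host)
        elif now - latest[host] > stale_after:
            report.stale.append(host)
        else:
            report.covered.append(host)

    # Log sources with no inventory record: shadow IT, lab boxes, or an
    # inventory that has fallen behind reality. Either way, investigate.
    report.unknown = sorted(host for host in latest if host not in known)
    return report


if __name__ == "__main__":
    r = coverage_gaps(INVENTORY, LOG_SOURCES, NOW)
    print(f"coverage: {r.coverage_ratio:.0%}")
    print("no logs      :", r.no_logs)
    print("stale logs   :", r.stale)
    print("not inventoried:", r.unknown)
```

Run on a schedule, the output is a short list of hosts that would be blind spots in an investigation, ordered by how much a compromise of each would matter; the `unknown` list is just as useful, because a host that logs but is not inventoried is one nobody will think to contain.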

When the need for a coordinated cyber incident response arises, it can be a stressful and impactful situation for any organisation. Mandiant has observed that organisations that take the time to formulate and plan for a breach response are better able to remain focused, prioritise and allocate resources to support critical milestones and functions, minimise coverage gaps, and ensure that optimal visibility is achieved and maintained throughout the engagement.



Video transcript:

Hello. And welcome to Business Reporter's breach response campaign. I'm Alastair Greener. And I'm talking to Mike Trevett from Mandiant, a FireEye company.

Good morning.

Good morning.

In an ideal world, what should data breach response look like?

Ideally it should look as if it's happening to an organisation that is entirely resilient, that is able to detect and contain a breach very quickly whilst the rest of the business carries on as usual. It's hard work getting there. It requires commitment from the very top of the organisation to embed a security culture. And it requires an investment fairly frequently in technological solutions. But together, it brings exactly what you need so that your breach response is both swift, decisive, and very well contained.

It's interesting you say swift, because that's often the problem, isn't it? That organisations are not swift enough. And in those situations, what's really behind that? Why are they slow to respond?

There are several drivers behind the scenes. Foremost amongst these are probably the security posture of the organisation and the security culture. And both of these tend to be driven from the top. Because programmes of work generally are shiny and more attractive if they don't have the word security in the title. And so executive sponsorship can be critical. Without that, things don't happen as they should. And it can lead to vastly prolonged time scales.

What's the difference between doing that yourself in-house versus bringing in a team of professionals from outside?

So quite honestly, in-house is expensive. Managing information security breaches and running a breach response is really difficult. It takes very highly skilled individuals. And it takes the sorts of skills that need to be kept up to date and the sorts of skills that decay quite quickly if you're not using them. So to have a team on the bench waiting for the worst to happen is probably not particularly productive.

More likely they will be diverted into other regular IT tasks and then called back to handle breaches as and when they happen. Because that's unpredictable. Almost certainly there'll be something within their training or their experience which won't be up to date, and they will suffer as a consequence. An external organisation has the opportunity to bring in expertise on demand.

So we have consultants working on some of the largest breaches around the globe 24/7, 365 days a year. They're continually honing their skills against the most advanced attackers. They're learning as they go. To coin a phrase, they are perhaps considered battle hardened. And because we can offer expertise on demand, you can turn us on and off like a tap. So when the worst happens and your organisation suffers a breach, we can be with you very quickly with some of the most experienced and highly skilled responders in the world.

Let's say that I'm a CEO of an organisation, and I'm contemplating bringing in Mandiant to help me with my breach response. Talk me through the process. What's actually going to happen when we start working together?

So in the first stages, what we would do is take a look at your organisation and your environment and determine whether or not you had a live attacker working against you at the moment. Because if that's the case, then it's something we would want to sort out. At the same time, we can see whether perhaps there's been a previous attack that's left any footprints.

And again, we can identify what that might have been and ensure that any gaps are closed before we move forward. We can run simulations then where we can simulate the tools and the techniques of advanced attackers and in essence, pretend to be one of the bad guys and try and breach your organisation.

And this can tell you two things. One, how good your defences are in the real world against a real world attack compared to the theoretical barriers that you may have put up. And secondly, it exercises your own breach response plans. Because what's written on paper and what happens in reality frequently can be quite different. And it gives an opportunity to understand how those behaviours change and how they're different.

I would always suggest that an organisation that is aspiring to be resilient in this way runs that sort of exercise, that sort of simulation regularly simply so that those on the crisis management team or the response team become used to the process and it becomes natural and it becomes something with which they're familiar. So when bad stuff does happen, instead of working through the process, they've got bandwidth to spare to deal with the incident itself rather than worry about what it's going to say they have to do on the next page.

How do you assess an organisation's preparedness and agility in the case of a cyber attack?

It's a similar process, to be honest. I said that we can run an exercise that tests your response processes. Equally we can work through the documentation around that and speak with key individuals in the organisation and judge how your own response preparedness matches up against others in a similar industry or of a similar scale and use that information to run similar exercises, perhaps a tabletop exercise, to really put it to the test and see whether all the high pressure thinking you've done in the low pressure environment where you've been preparing for this actually filters through in the real world.

You also alluded earlier on to culture within an organisation and how that can make a massive difference to response time and ability. How do you help an organisation with their culture, to change and improve that culture?

We can bring experience of what we know works in other organisations. It's like all of these things. Sometimes a second pair of eyes is the most helpful thing at all when you're trying to prepare and build something. And we can be that independent pair of eyes that can give honest appraisal and feedback and suggestions on what you might do, positive steps you could take to improve the culture within your own organisation.

For CSOs and CEOs and people watching, what would your key three takeaways be when it comes to making sure that you are as protected as you possibly can be?

The first of these is things change really, really quickly. And keeping up to date is hard. One of the advantages that we have is we're playing in this space all of the time. And so we're naturally up to date. The second is it's critical to have resilience within your organisation. You cannot build technological walls that are sufficiently high to guarantee that you won't get breached. Well, you can. But you then can't operate your business.

There is always a point where a particularly motivated or committed attacker will get through. And having resilience in your organisation means that your technology identifies the breach and contains it very quickly to minimise the impact whilst the rest of your organisation is able to continue with the business that generates cash for you every day. Finally, maintaining an in-house team and keeping them up to the standards of expertise and speed of response that you could gain from an external provider is really, really expensive.

Expertise on demand that you can turn on and off like a tap that's at the very peak of its ability has to be the more cost effective way in the long term than having your own salaried staff on the bench in the hope that you can draw them in and that they're up to date when the worst should happen. And of course, we stand here ready to help.

And it's interesting you said that we're in a rapidly changing environment. And that's certainly true when it comes to cybersecurity and the vulnerability of organisations today when it comes to cyber attacks. It's probably higher than it's ever been. So it's really interesting to see how an organisation could and can actually respond. So it's been great to find out more. Mike Trevett from Mandiant, thank you very much indeed.

Thank you.