When a cybersecurity breach occurs, operational security law will require an appropriate incident response, and the priorities can be succinctly described as containment, recovery and mitigation. In practical terms, containment requires the incident responders to identify and understand the intrusion, prevent the movement of the attacker through the network, stop unauthorised operation of resources and processes, block data access and exfiltration, exclude the attacker from the network, block re-entry, and so on. Recovery means restoring impacted services and data and getting wider business processes back up and running. Mitigation means the reduction or prevention of harm that flows directly and indirectly from the attack. There isn’t a bright-line test that separates the priorities from one another, as they overlap and are interwoven; mitigation can also encompass preventing further unauthorised actions by the threat actor, for example, which overlaps with containment.
These narrow, technical aspects of incident response do not constitute the full set of priorities that need to be addressed, however. As I’ve mentioned before, security operations and security law are twinned, in the sense that where a security operational duty arises, a security legal duty is highly likely to arise and, conversely, where there’s a legal duty there’s always an operational one. So we have to look at the priorities of incident response through a legal lens as well.
In fact, there are multiple lenses that we have to apply. These include ethical ones, such as those arising from business purpose commitments and ESG agendas, and often there is a need for reputation management. The point of substance here is that we should not define our incident response priorities – and, therefore, our incident response plans and procedures – simply from the perspective of the technical ideas of containment, recovery and mitigation. In fact, it’s my experience that single-dimension incident response often causes unforeseen problems in serious situations. I am not saying that a single-dimension approach is as bad as not having any response plans whatsoever – of course not – but if you don’t want to make things unnecessarily hard or risky for your organisation, you will apply multiple lenses when you formulate your priorities. This is true across many other dimensions of operational security.
A smart approach to the application of multiple lenses will also identify and understand the tensions between competing priorities that arise through different lenses. A good example is record keeping. International standards for operational responses, such as the ISO/IEC 27035 family, strongly emphasise that records of actions taken and decisions made should be kept. This is to ensure that the response follows a consistent and logical pathway to the achievement of the desired objectives, and to provide contemporaneous and complete information for correlation with other problems and for performing reliable lessons-learned exercises, so that the correct control adjustments can be made where necessary.
If we look at the same issue through the legal lens, we find rules such as the “accountability” principle in the GDPR and the duty of regulatory cooperation, or document preservation and disclosure rules in litigation, or material disclosure duties in contracts of insurance – there are many more examples.
Side by side, these lenses are compatible with one another, which is another example of the twinning effect of operational security and security law. However, look at the picture from a different angle and you start to identify tensions between those requirements and the legal right to secrecy and confidentiality that can arise in various situations, which we sometimes refer to as “privilege”.
Another example is breach communications. They may be helpful for the operational response (e.g., as Maersk used them after NotPetya, to drum up operational support and assistance from technology companies and professional services firms), or compulsory from a legal perspective, or desirable from a reputation management perspective. So we see a range of priorities in breach communications that are not fully equivalent – helpful, compulsory, desirable. Written on paper, the point does not carry the same impact as a lived experience, but in a real, stressful incident response, a huge amount can turn on how we rank these priorities and which we give preference to. Apply this thinking to the idea of paying ransoms after a ransomware attack and the point should land.
So successful incident response is all about priorities, but success cannot come through a single lens, or through a peremptory application of multiple lenses. Instead, it needs the considered application of multiple lenses during incident response planning. Leaving this discussion until a serious incident occurs isn’t the way to go. Many organisations that have been through the wringer will agree – of that, I am sure.