12 After the hack

This chapter covers

  • Working through real-life breaches to understand how events unfold
  • Who we can turn to for help during a security incident and how to derive the information we need to capture and share
  • Using critical thinking skills and root-cause analysis
  • Applying agile techniques to a security breach
  • Distilling key actionable data that can be used to improve and enhance our security strategy

As mentioned in previous chapters, we will all get hacked. What’s important is how we prepare for that, how we mitigate the risks we face, and—most important of all—how we recover after a successful attack. In this final chapter, we look at how to prepare to fail. Because we know that we will eventually face a security breach, we can use this “failure” to improve our organization’s security.

Failing (i.e., having a security breach) should be a good thing. If approached in the right way, this failure can have big benefits. Let’s see how.

12.1 Responding to a breach

So, the hackers have finally gotten in. Our security operations team has responded to the security incident and has recovered our systems and applications. Does that mean it’s all over? What do we do next?

Let’s start by revisiting a model we first looked at back in chapter 1: the OODA loop (figure 12.1). The OODA loop has four stages:

  1. Observe—What is happening?
  2. Orient—Based on what I know, analyze the situation.
  3. Decide—What happens if I do this thing?
  4. Act—Let’s do that thing.

12.1.1 Asset ownership

12.1.2 Business continuity process

12.1.3 Data/system restore

12.1.4 PR/media communications

12.1.5 Internal notification/communication groups

12.1.6 Customer communications policy

12.1.7 Cyber insurance policies