Before the breach: The best offense is a good defense

In this section:

Incident response requires the formation of cross-company plans and teams with every stakeholder department represented.

Only 9% of companies update their incident response plan at least twice a year.[10]

Bottom line: The ability to quickly mitigate the effects of a breach requires a strategic, dynamic, fully tested incident response plan.

Successful incident response programs begin well before a breach occurs. We're not suggesting, however, that response planning trumps defensive measures such as intrusion prevention and detection. As we underscored in our first Cybersecurity Insights report, organizations must be proactive in setting up a strong line of defense to mitigate cyberrisk.

Tools such as automated threat response systems are increasingly critical for speeding threat identification, isolation, and resolution activities. Such tools form an important bridge between threat prevention and incident response.

"The last thing executives want is to be informed by law enforcement or another third party that their data has been leaked," says Bindu Sundaresan, practice lead for Security Consulting Services at AT&T. "That's where a sophisticated incident response program comes into play."

Beyond putting the tools and systems in place to identify and respond to attacks, an incident response program requires two other core components: a cross-functional team and frequent testing.

Putting the team together

Building an incident response team is no simple task, as it should include representatives from a broad array of stakeholders, including the C-suite, IT, information security, legal, compliance, and public relations, among others. The members of these cross-functional teams play various but equally vital roles in developing the incident response plan and the written incident response playbook.

A company’s legal team and its compliance officers, for example, can provide critical counsel on privacy laws, federal and industry regulations, and other requirements that could come into consideration after systems or data are compromised. Legal can also help create templates for post-breach legal notifications or programs to redress any parties injured by the breach.

Often, the CSO will serve as the primary team leader and coordinator. However, the CEO must be a visible and vocal proponent to help facilitate the creation of incident response plans and teams and to back them with the authority they require.

Incident response team structure

External stakeholders also play a critical role in incident response planning because they can bolster your response skills and capabilities. Among others, those outside partners can include law firms, cyberinsurance companies, computer forensic consultants, service providers, communications professionals, crisis management specialists, and law enforcement agencies.

Forensic tools are a must-have for progressive companies


CEOs need to assess the strengths and weaknesses of their in-house incident response team and supplement it as necessary with outside experts — before a breach occurs. Companies that wait until they're in post-breach fire-drill mode to seek outside help have likely already fallen behind in their response. It's much more effective to develop relationships with strategic partners before their services are required.

Many companies, in fact, place critical strategic partners on retainer to confirm their availability and rapid response should a cyberbreach occur. These partners can provide tools and expertise to assist with complex yet critical tasks such as forensics. Investing in forensic tools is particularly important, not just for identifying the cause of a breach, but also for helping to thwart future attacks (see "A key factor in rapid analysis"). Every progressive organization in the AT&T Global Cybersecurity Readiness survey has invested in forensic tools, compared with just 28% of passive companies.

A key factor in rapid analysis


When a breach occurs, it must be quickly identified and contained, which may mean taking some infected or suspect systems offline or isolating specific network segments. Putting the right security management and tracking tools in place ahead of successful attacks is critical to the rapid analysis and mitigation of those breaches, and the investigation of how they occurred.

Companies in heavily regulated industries, such as health care, already have stringent requirements for collecting and retaining log data. But log data is critically important for any organization that suffers a security breach, because it helps forensic experts perform post-breach investigations.

Despite the value this log data holds, forensic consultants at AT&T often find that it doesn't exist when customers call them in to help diagnose and mitigate successful cyberattacks.

"We consistently go in and find that the evidence data we need just isn’t there or readily accessible,” says Todd Waskelis, executive director of Security Consulting Services at AT&T. “This makes it difficult for us as we try to figure out what happened."

Education and testing

Having a written incident response plan and a cross-departmental team in place is of little value unless all involved parties are crystal clear about their respective roles and responsibilities — and how they're expected to work with other team members. These roles should be reinforced through regular testing and simulations. The goal is to eliminate the guesswork and uncertainty that can arise in a potentially chaotic situation.

The most common form of incident response test is the tabletop exercise. Tabletop tests bring team members together to practice their roles in a variety of scenarios. Through these scenarios, the team gains greater familiarity with incident response workflows and communications. The tests can also reveal flaws or gaps in the incident response plan and processes.

Know the term:

A liability policy that insures against damage from cybercrime.

Members of the leadership team — up to and even including the CEO in some cases — should participate in the portions of the tabletop practice sessions that involve reporting structures, executive decision-making, and external communications. Even if every exercise doesn't demand executive leadership's direct participation, they still must stay informed about the results and authorize improvements when the tests identify areas of incident response weakness.

Tabletop exercises should also incorporate real-world events. For example, the team can use small-scale incidents that were easily contained as practice for larger events. Ask questions such as: What if the incident was bigger or went further? What if we didn’t find it? What if a team member wasn’t available when the incident occurred?

"It's important to work with real-world scenarios," says Todd Waskelis, executive director of Security Consulting Services at AT&T. "If someone from the media calls, how is that handled? Are they routed to the authorized PR contacts? You're trying to gauge how well people understand the plan, how well they're working together under pressure, and where the gaps are that need to be reinforced."

Tabletop exercises are critical, but they also have their limits, at least from a technical response perspective. IT and security teams can take their incident response planning a step further with more realistic tests such as simulation exercises and full-scale testing, during which one or more systems are shut down and brought back up at an alternate site. Often, these exercises are done as part of a broader business continuity program.

Part of a healthy routine

In this new world of cyberbreaches, organizations are often surprised when their incident response plans fail to deliver. Consider the all too possible scenario of an employee at a health plan provider falling for a phishing email scam. The results could be devastating for the organization as well as the clients, with the potential loss of highly sensitive health records and social security numbers. Without a practiced, effective incident response plan, an organization could quickly find itself vulnerable and unprepared.

Minimizing the damage from a phishing scam or similar breach requires regular tabletop exercises to rehearse potential scenarios and an up-to-date response playbook that accommodates advances in the field, such as electronic medical records for health care companies.


While every response plan is unique, a robust tabletop exercise should answer these questions:

  • Has the breach been contained?
  • Have the affected systems been isolated?
  • Who will lead forensic evaluations?
  • Was company or customer data exposed?
  • How many records were accessed?
  • Have regulators been notified?
  • Will the public be notified?
  • What is our post-breach messaging?

Regularly reviewing and practicing your incident response plan is vital to the success of your overall cybersecurity plan. Otherwise, you won’t know what you don’t know until a crisis hits.

What's in your incident response playbook?

Get a quick, effective, and orderly response to security breaches with a thorough and regularly tested incident response playbook. AT&T recommends including the following incident management scenarios and procedures.

"CEOs must make sure that cybersecurity and incident response are part of their business continuity and disaster recovery planning," says Mike Paradise, vice president of Global Operations and Infrastructure Services at AT&T. "Companies may have to shut down critical systems, move operations to backup sites, and do all they can to minimize downtime and its associated costs."

Tabletop and other exercises should be conducted regularly — at least twice a year, if not quarterly. An incident response plan will get stale if it sits on the shelf. Just as business models and cyberthreats continuously evolve, so must incident response plans and preparations.

In this area, there’s plenty of room for improvement, because companies clearly are not doing enough. Fewer than 10% of organizations in one recent study review their incident response plans two or more times a year.[11] More than one-third said they had not reviewed or updated their incident response plans since they were initially developed. Another 36% said they have no time period set for reviewing and updating their plans.

Barring direct experience with a serious cyberbreach, too many companies are prone to let incident response remain a back-burner issue. In doing so, however, CEOs are playing a high-stakes game of security poker in which the odds ultimately favor the cyberattacker.


"Preparation is the key to all of this," says Brian Rexroad, executive director for Technology Security at AT&T. "When you learn of a potential breach, it should not be the first time you're thinking about a response. You need to hit the ground running."

You also need to be flexible. No matter how well prepared you may be, no matter how many different scenarios you lay out, assume that something unexpected will come up at some point and you'll need to improvise to some extent.

What happens if your data is held hostage?

Ransomware is just what it sounds like: an attack in which criminals hold data assets hostage until the victimized organization pays a fee. Companies must pay the ransom to receive a file decryption key or free up their locked computers. And ransomware's threat to business is rising. Researchers tracked more than 4 million samples of ransomware in the second quarter of 2015, up from 1.5 million just two years earlier.[12]

So what should you do if hackers slip past your defenses? As with any ransom situation, there's risk that even if you pay, the criminals will continue to extort the business.

If you are unable to remove the virus, your immediate responses should be:

  • Disconnect the infected system from the network
  • Restore compromised data from backups
  • Evaluate how long the affected systems can be offline before your business is affected
  • Decide if forensic experts have time to counter the attack
  • Notify law enforcement

Considering the cost of downtime in dollars, ransomware response is a necessary — but complex — addition to any incident response playbook.