Lessons learned from high-profile data breaches
Equifax. Colonial Pipeline. Sony. Target. All are high-profile breaches, and all offer lessons that can help keep your organization from falling victim to a similar attack.
At RSA Conference 2024, representatives from some of the most infamous breaches in recent history joined forces to share their stories of being on the frontlines of a cyberattack.
The panel members included Russel Ayres, current deputy CISO at Equifax and interim CISO during its 2017 data breach; John Carlin, chair of the cybersecurity practice at law firm Paul, Weiss, who held senior Justice Department roles during several breaches, including the Sony Pictures hack, the SolarWinds attacks and the Colonial Pipeline attack; and CISO Tim Crothers, who was hired at Target after its 2013 breach and later at Mandiant after the SolarWinds attacks.
The two most important steps to prepare for and respond to a data breach, they agreed, are having good communications plans and conducting war gaming.
Communications is key
Because public perception depends heavily on how quickly an organization responds to a breach, CISOs must play out the potential scenarios in advance, often before they know what actually happened.
Referencing ransomware gang LockBit's false claim that it breached Mandiant in 2022, Crothers recommended creating communications plans for multiple outcomes. For Mandiant, this meant preparing one statement for the case that it had been breached and another for the case that it had not, which Crothers knew to be the truth. Having both ready let the company respond to the public quickly, whatever the outcome.
"Everyone is trying to assess whether you have things in control; that's the bottom line," Crothers said. "Whether it's regulators, customers, partners -- all of them are trying to make a judgement call. Are we on top of it? Do we know what's going on? Or are we behind the eight ball and at the mercy of the adversaries?"
Internal communications, especially about business risk and risk acceptance, are also vital.
"The number one mistake that ends up with a CISO losing their job and having personal consequences is failure to have communications across business and legal pre-incident," Carlin said.
CISOs usually have good intentions when they don't share how systems work and what their risks are, Carlin said: they want to avoid needless worry and to not create friction among colleagues and departments. But after a breach occurs, most constituents wish they had known the risks beforehand, he said. Many on the business side don't truly understand the risks they are accepting, he added.
War gaming drives home the risks
The number one way to translate business risk and risk acceptance to business leaders is war games, Carlin said. "Use a scenario that starts small and builds into a full-company catastrophe that is not a security issue anymore but a business-risk issue."
War games involve gathering C-level executives, general counsel and other staff members to role-play attacks and disaster scenarios. The goal is to ensure everyone knows their part during breach response.
Reluctant participation is a major barrier to war games, however, often because people don't understand the point of them, Crothers said. He stressed that the muscle memory war games build helps executives, who are used to being in charge all the time, understand when they should step back during an attack, when they should make decisions, and what types of decisions they should make.
Carlin added that many executives incorrectly believe the CISO will be in charge in the event of a cyberattack and know exactly what to do. He recommended conducting tabletop exercises that are realistic, that the CISO doesn't have the answers to and that require participants to make key decisions without the CISO's help.
Crothers took it a step further, suggesting organizations conduct exercises without the CISO involved. "You're on an airplane from Paris to Minneapolis and out of comms for 10 hours," he said. "For the first 10 hours of the incident, they have to go without you."
Ayres stressed the importance of testing multiple scenarios, no matter how unlikely they might seem. Equifax was unable to quickly respond to customers during its 2017 breach because a hurricane hit its primary call center, and two days later, a separate hurricane hit its failover call center.
"In their defense, had somebody done a tabletop like that, I probably would have fired them," Ayres said. In retrospect, he added, they should have war gamed such scenarios.
War gaming surprises, mishaps and successes
Mandiant's Crothers said he conducted surprise war games with Target's team. He recalled one exercise where, unbeknown to him, a new CMO started that day. The new CMO went through the entire day, Crothers said, believing he was experiencing a real Target data breach.
Carlin suggested telling teams during an exercise that it is, indeed, an exercise. He referenced the nuclear attack tabletop exercise in which a participant who didn't realize it was an exercise messaged someone outside the organization, setting off false reports of a nuclear attack on Hawaii.
Carlin also recalled a scenario he had war gamed with the President of the United States and the Cabinet for years: a nuclear-armed nation targeting the U.S. in a cyberattack. The games all assumed the attack would be against critical infrastructure, such as the electric grid or water systems. It ended up happening against Sony Pictures.
"Although we had the scenario wrong, we did have the muscle memory right of who we'd be needing in the situation room to respond to a national security event," Carlin said.
Other breach preparation and response tips
The panelists also offered the following advice:
- Get back to basics. Patching, vulnerability scanning and asset management aren't exciting, but getting the cybersecurity basics right prevents breaches.
- Become friends with your general counsel. Your general counsel should be your best friend, Crothers said. After any event, incident or not, call the general counsel to bring it under privilege. First, this ensures general counsel is already aware if the event does turn into a breach. Second, it ensures communications about the event are protected.
- Consider your backup and your backup's backup. What happens when key leaders aren't around? In Ayres' experience during the Equifax breach, the CEO, CIO and CSO left, and three other business leaders were locked in an SEC inquiry, unable to assist. When it comes to communications and war gaming, "involve as many people as possible," he suggested.
- Keep everyone informed. An organization has many brand ambassadors inside the company, Ayres said -- people he left in the dark during his breach experience while he focused on keeping customers and consumers informed. "It's going to be fixed by people. It's done for people. It's going to be implemented through people," he said. "The key denominator is people. Think about those people, who are your most important asset, and keep them in the loop as much as you do everyone else."
- Talk to someone who has been through it. If you're going through a breach, chances are someone has gone through the same thing before you. "It's a small community," Ayres said. "If you reach out and talk to somebody who has been through it before, everybody is likely going to give you all the information and help you need."
Sharon Shea is executive editor of TechTarget Security.