When cybercriminals get busy, businesses must be increasingly resilient

Cisco Talos' Brad Garnett shares his thoughts on creating a resilient incident response program in a hybrid work world.


Another holiday season is behind us, and with it a period of peak shopping, peak travel, and yes, peak cybercrime.

The end-of-year holidays are open season for cybercriminals. Last month, Log4Shell, a critical remote code execution vulnerability in the widely used Apache Log4j logging library, became the latest in a series of high-profile exploits.

How should organizations battle these challenges, particularly in the event of such an emergency when the bad guys may already have a foot in the door?

If you’ve teamed up with Cisco to help you prepare for and respond to cyber incidents, you call Cisco Talos Incident Response (CTIR).

In this interview, Brad Garnett, general manager of the global CTIR Team, shares practical insights into resilient incident response, the role of relationships, and why you shouldn’t wait for a cybersecurity emergency to prepare for the worst. CTIR was recently recognized by IDC MarketScape and Forrester for its prowess in incident response, defined as the steps used to prepare for, detect, contain, and recover from a data breach.

Q. How was 2021 different in terms of CTIR engagements?

A. In 2020 we saw organizations in a purely reactive mode, responding to incidents after the fact. In 2021, in this new world of hybrid work and remote users, we saw customers taking a more proactive approach. They were updating their incident response plans, doing table-top exercises, and assessing their personnel capabilities and their investments in security technology instrumentation to protect their environment. 

This is a good thing. We would much rather show up to support a customer doing a table-top exercise to test their incident response plan than show up on the worst day of their career because they’ve experienced a ransomware attack.

Q. Is it fair to say the message is getting through of necessity due to the pandemic?

A. I think that’s true of a lot of the customers we have an ongoing relationship with. Relationships and resiliency are the key. For example, there’s one manufacturing customer that’s had us on retainer for several years. We’ve done proactive table-top exercises together and really built that relationship. So, they feel very comfortable escalating things to us on a routine basis. 

Building those relationships — building that muscle memory — and working with a trusted IR retainer provider is critical because the threat landscape is always evolving, and the ability to tap trusted IR expertise is critical for business resiliency. The Log4j exploit is a great example of that.

It comes down to vigilance. One of the things I advocate is resilient incident response. This means finding ways, in a hybrid world, to remove single points of failure from our processes and from how we prepare for and respond to incidents. That’s what resiliency is about.

Q. What are your primary goals when you get called in to investigate an incident?

A. There are three. First, our incident command team asks, “What is the current impact on the business? For example, are business-critical systems down?”

Second, we want to find out what the customer’s IR capabilities are. Are we augmenting their IR team, or do they not have that trained IR expertise so that we’re the tip of the spear taking the lead as their IR team?

And third, what type of data do they have and what’s the risk of exposure? Are we talking about ePHI (electronic protected health information) in healthcare? Are we talking about GDPR (the EU’s data protection law) in Europe? Is that hourglass moving, and if so, how fast? Is it a small, contained incident where the customer wants to determine the root cause, or is there a large unknown, as in the case of Log4j, that makes the threat surface huge?

Q. What are the most exploited attack vectors and what are the best practices for keeping these channels safe?

A. Just about every incident starts with an email phish. In our last quarterly analysis of incidents that impact our customers, we saw a slight downtick in ransomware, but an increase in business email compromise. So, email continues to be a risk. We publish our quarterly IR Trends on our blog, which has become increasingly popular with readers and the industry.

We also see adversaries taking advantage of a lack of multi-factor authentication in a public-facing service. Maybe the service was unintentionally exposed to the Internet as it was undergoing change management, and someone failed to implement a mitigating control. 

Q. In May you wrote an article about how incident response is a relationship-driven business. Is it necessary to have the relationship first before an emergency arises?

A. Building a relationship and rapport with an IR provider before a breach occurs will save on incident response costs and potential heartbreak. Incident response brings out the good, the bad, and the ugly in people, but at the end of the day everyone must come together for a common purpose. In my experience, organizations that forge strong relationships across business units are the most successful during a business impacting incident.

I like to do after-action reviews with clients where we talk about what went well and what we could tweak in our response. One of the things I find is that clients appreciate the transparency in how our organization works, the rapport that we build, and the way we forge relationships with them and with other third parties.

There’s been a slew of major attacks in the past year, from ransomware threats in healthcare, to the SolarWinds and Hafnium attacks, and now Log4j. IR teams around the globe are tired, so it’s critical to have IR expertise retained before an incident occurs that you can tap to meet service-level objectives.

Q. If an organization must call in an incident response team, what steps should they then take to ensure rapid mitigation? How does an organization work best with an IR team?

A. It’s the business impact that defines the mitigation strategy. In defining the business impact, I think about the three Ws: Workforce, Workloads, and Workplace. 

What is the workforce? What does it look like and how is it distributed? After an incident, a customer may need to move people around to give them access to workplaces in different buildings. That can be a challenge, especially if you haven’t planned for it.

For workloads, I think about applications and how users access them. Your IR plan needs to define what you have to protect and what your capabilities are. Is it an internal-facing application or service that’s been breached, or is it customer facing? If it’s customer facing, are there service-level objectives? If it’s public facing, are there contractual implications? There’s a lot to consider. 

Q. What makes a strong incident response team? What characteristics are most valuable to achieve success?

A. Being able to move rapidly in the hybrid world is key. IDC spoke to one customer about how we were able to respond to a multinational organization with different sites within 24 hours over a weekend. And of course, Webex by Cisco helps us respond rapidly from anywhere.

You also want to look at what an IR provider is offering in its retainer. The days of just reacting are gone. Most organizations are not just using their provider for reactive emergency or breach response, but also for table-top exercises, building out IR plans, playbooks, red teaming, and cyber range (a virtual environment where less experienced cyber pros can get up to speed). IDC called us out specifically for our virtual cyber range — and again Webex allows us to do that from anywhere.

So having a flexible offering with a wide range of services in your IR retainer is critical, because every customer is in a different place on their resilient incident response journey. 

Q. What must be included in an incident response plan?

A. I think about the why, the who, and the how. If you fail to plan, you're planning to fail. That’s the why. Having a rehearsed plan that’s been tested, that accurately reflects the organization’s capabilities to respond to a cyber incident is critical. 

Who is involved? Incident response is the ultimate team sport. Who do we need to pull in? An IR plan should cover your IT teams, your external IR provider, and your business continuity/disaster recovery folks.

True story: I had a customer who did a great job of updating their response plan, but they listed just a single responder’s name in it. So, I joked, OK, but what happens if that person is on an airplane or on vacation, and you can’t reach them? Again, it’s about removing single points of failure.

Every organization has a gap. Identifying that gap and having a plan for that gap is key to resiliency. All these things need to be in your IR plan. And, of course, your IR provider needs to be listed. In the event of confirmed adversary activity, you need to activate your business continuity/disaster recovery plan, your IR plan, and your IR hotline to activate your CTIR retainer.

Some of the best IR plans I’ve seen are 10 to 13 pages, and some of the worst are 80-plus pages. You want to keep it prescriptive and simple, because things can get very muddy during a crisis. You can’t afford to be unclear in a time of crisis.

That plan is part of the necessary actions if you want to move toward increased business resiliency in 2022 and beyond.