Back to Resources

Learning From Experience: Why You Need an Out-of-Band Network for Incident Response
By Jacqueline McCullough
Learning From Experience: Why You Need an Out-of-Band Network for Incident Response

If you’re a project manager handling cyber incident response, it’s normal to receive more than 1,000 emails from various stakeholders related to any one cyber incident.

In order to align on next steps of how to manage the incident response, you need to engage stakeholders from the incident response vendor, your legal counsel, your insurance carrier, and internal experts at your organization. In my experience, anywhere from 10 to 30 people are typically involved in communication around an incident response plan in the aftermath of a cyberattack.

With all these people involved and emails flowing rapidly, organizing and keeping on top of the conversations, tasks, due dates, and next steps among the various threads is challenging enough on its own.

But during one particular incident, the threat actor reached out to me and other stakeholders directly on our personal emails—a horrible surprise.

The threat actor was in the network of the policyholder and was actively reading the emails being exchanged. They saw who we were and what we were doing to help the policyholder and used that against all of us. What was originally an investigation for the policyholder turned into an investigation for everyone involved in the entire incident response process.

Resolving the incident took much longer than anticipated, in order to secure a separate email platform and complete additional security tasks that were now required outside the client network. Setting up new IT infrastructure while simultaneously dealing with the worst day of their professional life made for a very unhappy policyholder.

Everyone else involved also had to experience the implications of the added security needed for all our personal emails, passwords, and systems to avoid ongoing risk to each of us. All of this caused a lot of additional delays and frustration on top of an already stressful incident.

Launching the entire investigation, including first notice of compromise, from a completely separate and secure out-of-band system like CYGNVS would have allowed each party to communicate privately, without the peering eyes of the threat actor. Following this process would have avoided the added time, cost and stress of all the downstream measures for each of the people involved.

Why response time is important in cyber incident response

Incident-response-as-a-service is reactive and extremely fast-paced. As a vendor, that means being on-call 24/7 to assist an organization during a chaotic and difficult time, when they may lack clarity on how severe the damage is and what to do next.

Once the company realizes its system has been compromised, it’s go-time. If the company’s stakeholders have an incident response plan already laid out, they’re one step ahead. Using CYGNVS, a preparation room can already be set up to house their policy and readiness plan, assign internal teams, and even provide a seamless first notice of loss to their broker/carrier for a proactive stance for when (not if) an incident occurs.

Once that notice is provided, the broker/carrier provides resources of breach counsel and forensic vendor to put a stop to the attack, as well as determine what happened, how, and what to do next.

The earlier your organization has that initial conversation with the breach counsel and vendor, the better—ideally within a matter of hours after the breach has been discovered. From there, the experts hear what has been done to secure the networks, deploy endpoint monitoring and other security measures, establish viability of backups, and gather other crucial details needed for the investigation.

Secure and collaborative communication is critical when time is of the essence, especially when tackling all the tasks of incident response, such as:

  • Identify all working teams, both internal and external
  • Determine logistics, deadlines and next steps
  • Upload and document required information

Collaborating outside a potentially compromised network is imperative, not only due to the continued security of company systems, but also to the time-sensitive nature that is incident response.

By using a best-in-class incident response platform like CYGNVS to codify your incident response plan and securely collaborate and strategize with all of your stakeholders when an incident takes place, you’ll be able to stay a step ahead of your attackers, limit the severity of the attack and minimize the disruption to your business operations.

Jacqueline McCullough
Global Client Executive at CYGNVS