Features 24.08.2022

The First Twenty-four Hours in Cyber Incident Response: Lessons from the Front Line

The first 24 hours post cyber incident are critical: This is the inside scoop.

“I’m on an incident that has just come in. I might be a bit late.” These were the words of Reece Corbett-Wilkins, five minutes before our first scheduled chat. I loved how delicious the real-life demonstration of incident response was. Reece was on a triage call for a company that had just been breached and held to ransom.

On our second call, four days later, I ask Reece how his weekend was. “Tough going,” he jokes, explaining the team had been working on the incident that earned him (very much forgivable) tardy points from our first call. “The company is deciding whether to pay the ransom, and the deadline is today,” he reveals. “So we’re not out of the woods yet.”

I want to explore the reality of the first critical hours post-cyber incident, or more accurately, post the detection of a cyber incident. Reece is one of the specialist partners at Clyde & Co’s incident response management service and helps organisations to navigate the many considerations (reputational, operational and financial) involved in getting back on their feet post-incident.

“I got into this nine years ago,” recalls Reece. “I was initially a lawyer doing defence work for professionals that got sued for stuffing up their jobs,” he says. The realisation that he had a particular passion for technical disputes set him on the path to Clyde & Co, and a role that he describes as “helping clients on the worst day of their lives.”

Coordinating and planning incident response is the broad description of what they do, including legal and regulatory compliance, crisis communications, stakeholder management, threat actor engagement, sanctions compliance, insurance claims management, privacy risk assessment, and so much more. In a grittier, less formal description, Reece says, “we do more than just legal stuff. We, working with the team of vendors around us, do hand holding, forensics, communications, negotiations, ransoms.”

So what does a ‘typical’ (acknowledging that typical barely exists in this world) day look like for Reece and his team?

Ring ring!

When the SOS comes in and the phone first rings, bringing news of an incident, Reece has no idea who (in what role) will be on the end of the phone. “It varies on who makes the call, depending on the type of entity and incident. Most of our work is insurer introduced or funded, so if you’ve got a cyber security insurance policy and call the hotline, we answer. Though you don’t need to have insurance to call us.”

Often it will be the CFO on the end of the phone, explains Reece, “because often the CFO buys the cyber insurance policy and wants to see it work,” or it could be the IT team. “Or the CIO, or the risk manager, or the business owner or the general counsel,” he adds. To summarise, it could be anyone.


Reece will quickly move to identify the decision-makers in the organisation to get things moving swiftly. The overriding message is that the person he needs to talk to depends on the incident and what has happened. That said, “we always try to get someone from IT and someone with direct connections to the board because if we want to start deferring decisions up to the board, we want to ensure the board or senior management is engaged at the earliest opportunity.

“Typically, the IT team will have a leading role,” he explains. “Depending on the incident, IT will need to get in, start firefighting and focus on containment and remediation. In the event of ransomware, we’ll need to talk to crisis communications and the legal teams too, very early on.” There’s no exact formula, Reece explains. “Every incident is different, but we follow the playbook which we know works time and time again. We get people mobilised and focussed on critical workstreams that cut across just the technical response.”

I’m intrigued to learn how quickly organisations make that call on the discovery of the cyber incident. “There’s always a time-lapse,” says Reece, admitting that the duration of the lapse is “a fairly good indication of how well they’ll go with the incident. Ideally, we want to be called in the first few hours. What I’ve seen go wrong is that they don’t call that number soon enough, they either don’t have the experience or the advisors in place, or they don’t understand the seriousness.” More often than not, Clyde & Co receives the call on day one. “Sometimes it’s hour one, sometimes it’s minute one, but often they’ll try and DIY it until they work out they need help and/or that they have cyber insurance.” Reece is keen to stress that they act on behalf of the policyholder, not the insurer. “But we also bring the insurer along the journey from minute one – that is critical to successful incident response and the key to no surprises and getting maximum support.”

Paging triage

Reece’s initial call with a distressed client is called the triage call, which is a fact-finding conversation. On the back of that call, his team prepares a report for the insurer to reveal what has happened, what the insured is doing, and critically, if there are going to be costs incurred, whether that’s a ransom payment, Clyde & Co’s assistance, IT security/forensics costs or business losses. “This is important,” he states, “because as soon as you get your insurer briefed and get the insured comfortable with the cost of the proposed path forward, then it frees the response team up to focus on incident response and to get the business up and running. So that’s one of the first roles we play.”


What emotions does Reece expect from those unfortunate enough to have that triage call? “Well, if they are a frequent flier, they’ll be wishing they weren’t calling again,” he says of those who have been there and got the t-shirt already. “But equally, they know the drill and just get on with it.”

“If it’s their first time calling, we get everything from excitement to confusion, to complete panic. Many business owners naturally want tight control over the response because their business is their livelihood. Still, they will inevitably have this self-reflective moment where they want to be in control but may have absolutely no idea what to do next.” Part of his job, he explains, is taking away that stress and uncertainty.


Mobilise the troops

Triage call complete; it’s time to mobilise the troops, says Reece. “We try to get them to focus on the bits they should focus on. The IT team will already be running, so firstly, brief the legal team. Then, brief the CEO or broader central management team, not just to make them look good if they front-face this, but to be in a position to control the situation,” he explains.

“Our training is less about PR training and more about crisis management and business continuity training. At the end of the day, the head of the business has to account for the incident occurring and the impact on employees, customers, shareholders and stakeholders.”

CEOs are often uncomfortable with IT language, explains Reece. “We try to get them to focus on the business risk perspective, to prepare them for managing the immediate impact to their customers and to frame it so that they make their customer’s lives as easy as possible knowing that the systems are going to be down for a while.”

Make the message meaningful

Reece admits that they tend not to let CEOs go in front of the media right away, “depending on the nature of the breach.” In the event of a big incident that will inevitably hit the headlines, the advice is different, he counters. “Transparency and openness are key, but it’s important to buy time to learn as much about the incident as possible and find the meaningful things to say.”

Where companies go wrong, he considers, is when they don’t take the time, immediately get in front of cameras, and are confronted with questions they can’t answer. “We don’t want clients hiding breaches; we don’t want them sweeping them under the rug; we just want them to take as much time and get as much information about the incident as possible. Often you don’t have the luxury of time and need to move quickly, but if we can buy even one day to get bearings, that makes the world of difference.”

Reece’s advice is to focus on what you are doing in response to the incident and prioritise customer care. “Never say something you can’t back up the next day, or in a month”, he says. “Getting that balance right and knowing when to go out is really tough, especially in the early days when you don’t know the total impact or where this will end up. People will hang off every word you say, and always have more questions than you have answers”.

Ransom decisions

In the event of ransomware, like the ordeal that Reece has been handling in real-time as we’ve been talking, it’s Reece’s team’s role to work with the client to help them decide whether paying the ransom is the right move. “It’s the legal advisor’s role to give them a safe space to make the right decision, fully informed of the risks and the pros and the cons,” he explains. “There are many legal and commercial risks associated with paying and not paying.”

The commercial considerations include questions like ‘why are we doing this?’, ‘what are we hoping to achieve?’ and ‘is the business even able to function?’ Customer care and business continuity tend to be high on the agenda, as well as whether criminals can be trusted to do what they say they will. Most boards are conflicted because ‘doing the right thing’ can take many shapes. “I’ve never met a board that takes the decision lightly”.

And there are reputational considerations. “You’ve got to consider the impact if that data is leaked and the potential effect on clients and third parties. More and more, clients are looking to pay ransoms to protect their client’s data.” Paying, however, doesn’t mean you don’t have to deal with the privacy impact, Reece points out, so it’s not a silver bullet. “You’ve still lost control of the data even if it doesn’t surface on the dark web. But sometimes buying time and control over the outcome is the difference.”


Finally, there’s the legal perspective. “We walk them through sanctions risk; we’re trying to work out who the threat actor is, and bear in mind you often don’t know who they are because you’re negotiating with a faceless negotiator.”

In those situations, he says, you need to make sure you’re not making a payment to a sanctioned entity. Reece’s team helps clients with conducting due diligence. While the legal advice is a big part of the play, he also refers to “squeezing the clients” through the decision-making process, which means making sure that if they make the payment, it’s the right decision and helping with the fallout if they don’t.

Reece reveals that only around 12% of clients end up paying ransoms. That seems low. “It’s because we give them options not to if they can avoid it and prepare them for taking alternative action and preparing for what comes next.” I ask him whether a decision has been made on paying the ransom for the live incident he is working on, but he declines to say. “Through gritted teeth, some wanted to, but the Board was split.”

Board deliberations

I asked Reece to elaborate more on the gritted teeth element. “We had an emergency board meeting at the last minute, and there was a split board on whether or not to pay the ransom.” He confesses it was one of the most challenging conversations he has had with a client about a ransom. Why? “One of the directors is connected somehow to Ukraine. He just couldn’t condone this activity, despite fully knowing the risk of what would happen if he didn’t pay.” He withdrew from the decision and vote.

While this example is unique, Reece emphasises that the Board’s decision should be respected, and re-emphasises those decisions aren’t easily made. “In fact, they tend to have buyer’s remorse,” he says, “one way or another, they question their decision, even after it’s made.” He says the same regret is true for organisations that choose not to pay. Ultimately, he explains, whether or not to pay the ransom is always a decision that the client makes, “we just help them as much as we can, and ensure they are fully informed of the risks and options available. Generally, no one in the community wants these ransoms to be paid, including us.”

So, how do they get to this point? By leaning in on forensics. “We rely heavily upon threat intelligence and forensic artefacts. We’re looking to find out who the threat actor is – that will be based on whoever got into the system first (the access broker), who they sold access to (the person that comes in, snoops for information, steals data, and drops malware) and the negotiator (that they then pass the data onto). It’s that chain of custody that you want to understand early.”

“If you’re a client with your back up against the wall needing to make a payment, you can see why the risks are balanced against the need to protect lives, livelihoods, and reputations.


“If a hospital calls and says we need our systems back up and running; we have patients on their deathbeds, it’s an easier call for them to say ‘just pay it.’ The cases in the middle are harder to call,” he says candidly. “You need to move quickly because time is never on your side. The threat actors know that. It’s why they place maximum pressure on a victim to pay. The more time that goes by, the less chance they get paid.”

Support staff

Reece’s support to the stakeholders in each incident is a less advertised element of his job. “Recently, a director of an organisation I assisted personally thanked me for the support we’d given and told me about the impact that the residual stress of the cyber incident had on his personal life and relationships.” Reece recalls that the director had lost a lot of weight due to the impact of stress.

“When considering the human element, there are so many different stakeholders. Employees worry about what the incident means for their jobs and livelihoods.” For directors and boards, the residual stress of being at the complete mercy of powers much more robust and better resourced than them, “feeling like there is no end in sight,” can significantly impact mental health. “At some point in the cyber response lifecycle, we always call out mental health preservation,” he adds, “making sure teams are rotated, rested, and are focussing on the big picture.”

Give Boards a vote of confidence

Reece explains that whilst Boards are naturally intelligent and talented, when it comes to cybersecurity, “unless they are technically proficient, it’s foreign to them, and they sometimes shy away from grasping the subject matter.” Reece believes it is essential to give boards a vote of confidence. “Remind them that they understand risk and their organisation more than anybody else, so lean in on this.

“It’s our job to make their life easy and make them look good,” he says, explaining that he uses analogies to make the cyber incident and its consequences relatable to the Board. “Lean in on what they know to make it understandable; there’s nothing better to influence behaviour,” he tells me.

Insurance claims management

At the time of the incident, it’s the policyholder’s decision how to handle the situation, although they need to bring the insurer along for the journey and, critically, obtain prior consent before making big calls and incurring costs. Still, they do have the benefit of the cyber insurance hotline and all the extra support that comes with the policy, says Reece.

“There’s a misnomer in the industry that the insurers are the evil ones for paying ransoms, that the insurers have somehow created the problem,” Reece tells me as he explains Clyde & Co’s role in insurance claim management. “I see these headlines and my eyes roll. The truth is, the insurance companies do not make the call on whether or not to pay the ransom; that has to be the policyholder’s decision. The last thing the insurers want is for the policyholder to jump in and start negotiating just because they have insurance – [insurers] want to see them making an informed decision. They see hundreds of these incidents per year and can provide that insight to help their clients.”

Reece points out that only 10-15% of companies in Australia have cyber insurance, highlighting just how far-fetched that misnomer is. “It’s a complete farce, it’s not just insured companies that get hit for starters. What do you think is happening to the other 85% of companies?”

“At the time of placing a policy, many companies can’t even get insurance as they don’t meet the minimum requirements for cybersecurity for their revenue or risk profile. So, what the cyber insurance industry has done, particularly over the last couple of years, is identified minimum security controls that all clients must have before they even think about getting insurance.” This forces clients to improve their security baseline, meaning that the cyber insurance marketplace has “progressed forward the cyber hygiene of the industry in leaps and bounds.”

Be Prepared

It has been a candid, occasionally brutal, glimpse into incident response in the immediate aftermath of a cyber incident. Interestingly, what has come to light is that the primary key to a successful response is successful preparation.

“If you’re not prepared, you are on the backfoot from day one,” says Reece. “Unless you have response resilience built into your organisation and your people, there will be time delays, lag, and a lot of focussing on the wrong thing at the wrong time. Decisions made early lock you into a pathway that you can’t get out of.”

So, there you have it; preparing well is key to responding well. With organisations like Clyde & Co and people like Reece waiting at the end of the line, preparing to make that call as quickly as possible post-breach is a no-brainer.

The most common incident response mistakes made by organisations

  1. Grading the cyber incident incorrectly by attributing either a higher or lower portion of risk to the incident – either exaggerating or playing it down.
  2. Not having a prepared incident response capability to at least triage, escalate and deal with incidents at the right level internally.
  3. Not having a cyber insurance policy to help you through an incident, and not maximising the support of your cyber insurance.
  4. Failing to have the right people making the decisions. You need a culture of openness and people empowered to move quickly.
  5. Not understanding that it’s a multi-disciplinary response.
  6. The temptation to fire someone to appear “strong and in control.” This will not fix the problem.
