The Breach: Part 2
In “The Breach – Part I,” Black Bottle IT shares a true story of cybercrime that took place with a manufacturing client and how it unfolded.
“The Breach” continues…
What Do We Do Now?
Immediately following, we start taking action to contain the incident. We immediately block the traffic in and out from the bad actor IP addresses. We look at some simple log data and verify that the Company has been transmitting data to these IP addresses — for as long as we have logged data, over 30 days.
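The two containment steps described above (block the known-bad addresses in both directions, then check retained logs to learn how long and how much the company has been talking to them) are illustrated here as an added example; this is not Black Bottle IT's code and the log lines, the field layout and the indicator addresses are constructed for the example.

```python
from __future__ import annotations

import ipaddress
from datetime import datetime

# Constructed sample of outbound firewall/flow log lines (not from the post).
# Assumed field layout: timestamp  source_ip  destination_ip  bytes_out
SAMPLE_LOG = """\
2019-03-01T02:14:07Z 10.0.0.15 198.51.100.23 48213
2019-03-01T02:15:11Z 10.0.0.15 93.184.216.34 1200
2019-03-09T22:40:51Z 10.0.0.22 203.0.113.7 910442
2019-03-17T03:01:33Z 10.0.0.15 198.51.100.23 77120
2019-03-30T23:59:02Z 10.0.0.15 198.51.100.23 500
malformed line that a real export might contain
"""

# Constructed stand-in for the addresses an outside party (here, the FBI) handed over.
BAD_ACTOR_IPS = {"198.51.100.23", "203.0.113.7"}


def parse_line(line: str):
    """Parse one log line; return (timestamp, src, dst, bytes) or None if unusable."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        src = str(ipaddress.ip_address(parts[1]))
        dst = str(ipaddress.ip_address(parts[2]))
        nbytes = int(parts[3])
    except ValueError:
        return None  # skip garbage rather than abort the whole review
    return ts, src, dst, nbytes


def summarize_contact(log_text: str, bad_ips: set[str]) -> dict:
    """For each bad-actor IP, collect first/last contact, connection count,
    bytes sent and which internal hosts were talking to it."""
    summary: dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, nbytes = rec
        if dst not in bad_ips:
            continue
        s = summary.setdefault(dst, {
            "first_seen": ts, "last_seen": ts,
            "connections": 0, "bytes_out": 0, "internal_hosts": set(),
        })
        s["first_seen"] = min(s["first_seen"], ts)
        s["last_seen"] = max(s["last_seen"], ts)
        s["connections"] += 1
        s["bytes_out"] += nbytes
        s["internal_hosts"].add(src)
    return summary


def exposure_days(summary: dict) -> int:
    """Calendar span, in days, between the earliest and latest bad-actor contact
    across all indicators; 0 when nothing matched."""
    if not summary:
        return 0
    first = min(s["first_seen"] for s in summary.values())
    last = max(s["last_seen"] for s in summary.values())
    return (last - first).days + 1


def block_rules(bad_ips: set[str]) -> list[str]:
    """Emit iptables rules that drop traffic to and from each bad-actor IP
    (syntax shown for iptables; translate for your own perimeter device)."""
    rules = []
    for ip in sorted(bad_ips):
        rules.append(f"iptables -A INPUT -s {ip} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in block_rules(BAD_ACTOR_IPS):
        print(rule)
    result = summarize_contact(SAMPLE_LOG, BAD_ACTOR_IPS)
    for ip, s in result.items():
        print(ip, s["first_seen"].date(), "->", s["last_seen"].date(),
              s["connections"], "connections,", s["bytes_out"], "bytes out,",
              "hosts:", sorted(s["internal_hosts"]))
    print("exposure window (days):", exposure_days(result))
```

The summary answers the CEO's "how bad is this?" question with what the logs can actually support: which internal hosts were involved, how much left the network, and how far back the retained logs reach (the window is bounded by log retention, so the true start may be earlier than the earliest line).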
In the meantime, I’m getting SOS calls from the CEO, wanting an update from the FBI meeting and wanting to know, “How bad is this?” Since I don’t know the extent of the incident, I don’t have much, other than we think we’ve contained it. He asked good questions: “Don’t we have a firewall, AV, and a 3rd party that is supposed to help us with these things?” The answer to all of which is yes. This is then followed by the inevitable, “How could this happen?” Someone once told me that when you have bad news, the sooner it’s delivered, the better. So my message to the CEO was: we think we’ve contained it; now we need to figure out what the damage is, which is something that I need to figure out now.
The Response
So, let’s recap:
- The FBI informs us that we have been “cyber-attacked” but offers no more information.
- We think we’ve stopped it.
- Our CEO is asking us questions about whether the company can survive this. And we have no good answers.
It was a pretty bad 24 hours. So, the real challenge for us was, what do we do next? First, we mobilized our third-party MSP to help. They scheduled time over that weekend to visit our location, install some advanced security tools, and “clean” every machine in the building. We didn’t know what had caused the breach, but this seemed like a good place to start.
Next, I got on the phone and started calling companies for advice/help. Most of these calls went something like this: “Yes, we’d love to help you; you need to determine what data was lost. So, you can buy blocks of time for 50K each. When do you want us to start?” Our Company was small, so spending money in chunks of 50K would also very quickly lead to the company’s financial demise. So, after calling and listening to multiple solutions, I had some options. In the background, Company stakeholders are asking me, “How bad is it?” “Are we out of business?”
Ah-Ha. We Have Insurance for That
At some point during the first 48 hours, the CFO had inquired with our insurance agent about having cyber coverage. It turns out we had coverage. She launched a call to our service representative, who then told us we would receive a call within 72 hours with instructions. I was in the mindset that the company might not survive 72 hours. I didn’t wait around and continued searching to find some resource to help that made sense. Then, I received a call from the insurance customer service rep. She told me that if I checked the policy, I would find instructions for utilizing the “Data Breach” services that our company was entitled to as part of our coverage. I thanked her, started reading, and found that we indeed had access to a “Data Breach Coach,” or a list of them. I picked the first name and called them.
Continue to Part 3
About the Author:
This blog was written by John Hensberger, Managing Partner of Black Bottle IT. Earlier in his career, John was also part of a company that experienced a cybersecurity breach. That experience fueled his passion for assisting other companies with their cybersecurity needs to mitigate their risk. As Technology Executive and Cybersecurity Advisor, John was recognized as the Pittsburgh CIO of the Year, 2014. Connect with John here.