Alex Waintraub and special guest, Randy Pargman, Director of Threat Detection at Proofpoint, discuss the fourth common flaw in Incident Response Plans, that of having an Inadequate Communication Strategy and Solution. Read what these experts say can happen if you don’t have a Communication Strategy and things to consider when designing it. Listen to the podcast here: https://safehouseinitiative.org/10-common-flaws-in-incident-response-plans-flaw-4-inadequate-communication-strategies/
Effective communication is the backbone of a successful incident response plan. When a security breach occurs, every second counts, and the ability to coordinate a cohesive and secure response can mean the difference between a manageable situation and a full-blown crisis. Randy Pargman, a seasoned cybersecurity expert with extensive experience in both the FBI and the private sector, shares his insights on the critical role of communication in incident response.
During a cybersecurity incident, communication is what keeps the response team aligned, informed, and ahead of the threat actors. Pargman emphasizes that threat actors are highly interested in the channels the incident response team uses, because reading them is a significant advantage: an attacker who can see what has been detected and what the team is about to do can move to systems not yet under scrutiny, change tooling, and prolong the incident.
Pargman stresses that all communication about the response effort must be kept secure and out of the threat actors' reach. That covers not only the content of the messages but also the fact that an investigation is under way. Tipping off the attackers too early lets them adapt and cover their tracks, jeopardizing the entire response.
Pargman recommends that organizations establish a secure communication strategy in advance, as part of the incident response plan, rather than improvising one during a breach. The strategy should specify secure messaging applications, such as Signal, that provide end-to-end encryption and per-conversation disappearing-message timers that act as a retention policy. One caveat practitioners should keep in mind: end-to-end encryption protects messages from the service provider and the network, not from a compromised endpoint, so the choice of app only helps if the devices running it are trustworthy.
One approach Pargman suggests is to run two separate channels: one for the free-flowing, real-time exchange of information among responders, and another for the official, documented updates shared with stakeholders and legal counsel. The ephemeral first channel allows candid, unfiltered discussion; the second serves as the official record, so decisions, timelines, and evidence discussed in the first channel should be carried over to it before the disappearing-message timer removes them.
Pargman also emphasizes using separate devices for incident response communication, preferably ones that have never been connected to the compromised network. This keeps the channel out of reach of any malware or backdoors installed on the organization's primary devices; if those devices are compromised, so is everything typed on them, however well the messages are encrypted in transit.
Pargman shares several real-world examples of communication failures that hurt a response. In one case, the security team's own laptops were compromised, letting the threat actors watch the responders' screens and anticipate every move. In another, an employee's use of a personal VPN service inadvertently gave the attackers a backdoor into the organization's network.
These cautionary tales underline the need for proactive planning, regular testing, and vigilant monitoring of the communication channels themselves. Even a small misstep in communication can undo the team's hard work and prolong the recovery.
By establishing a robust communication plan before an incident occurs, organizations can protect their sensitive information, coordinate their response, and minimize the impact of a breach. Pargman's insights and first-hand experience are a useful guide for any organization looking to strengthen its incident response capabilities.