Corporate Counsel’s Cybersecurity Guide Part 2: Managing Incident Response Effectively

Author: Sam Rubin November 18, 2019

Crypsis consultant monitoring the situation at hand

When you are hit with a data breach, knowing who does what will help you respond expeditiously, effectively, and in a manner that minimizes risk to the enterprise. For that, your company needs to have an incident response strategy in place. The general counsel is critical to this process.

In Part 1 of this blog series, we explored:

  • the steps required to find the right incident response consultant
  • how to access the scope of an incident
  • And how to structure an engagement with an IR consultant

Continue reading below to learn the final steps required to manage incident response effectively, and don’t forget to download a free checklist that walks you through this critical process step by step. Email yourself the free checklist now!

Contain the Incident

You face a serious data security incident. It has escalated to a point beyond which you can manage it internally, and you have a trusted IR provider on board that has quickly assessed the situation.

Typically, when we are called upon to respond to an incident, our client’s most immediate need is containment—to “make it stop.” Containment refers to the immediate steps that must be taken to stanch the bleeding, limit the damage caused by the incident, and prevent further damage.

Whether you need to shut down remote access, remove a server from your network, or block a particular network port on the firewall, your IR consultant should be ready with practical advice.

Typically, the IR consultant will make containment recommendations, but your IT team will be responsible for implementing the suggested changes to your network.

Stay mindful that containment steps can destroy digital evidence that may be relevant to the investigation. Weigh the benefits of containment against any detrimental effects containment actions might have on the integrity or availability of digital evidence. For example, completely wiping a server because the IT team suspects it is compromised may contain the incident, but it also destroys all evidence that might support an investigation into the incident. That’s throwing the baby out with the bathwater.

Evidence Preservation and Collection

Your consultants will move quickly from containment to forensic investigation. Investigative objectives will vary depending on the incident. They include determining the initial vector of the compromise, what the attackers did in the environment, and what, if anything, they took.

Accordingly, the investigation will commence with the identification, preservation, and collection of relevant evidence. The environment and specifics of the incident will define the scope of the collection. Your IR consultants may collect “triage” forensic artifacts from live servers, images of RAM memory, historical firewall logs, or even create full-disk forensic images.

The need for speed must be balanced by the need to preserve and collect information in a forensically defensible manner.

Collection strategies must, by design, scale across thousands of endpoints. Speed is paramount. Regardless of the targets of collection, the overarching strategy in incident response investigations is to move fast. This need for speed must be balanced, however, by the need to preserve and collect information in a forensically defensible manner should the need later arise to defend or authenticate the findings.

A nimble and resourceful incident response practitioner will leverage the software tools and data sources already available in the enterprise. These might include firewall logging or a previously deployed endpoint detection, or security information and event management applications.

Counsel’s most effective role at this juncture is to act as project manager. Help ensure that the necessary resources from your company—both human and technical—remain available to the consulting team. As long as information flows easily between your IT people and consultants, trust that the technical experts on both teams understand the variables and can choose the best path forward.

Download your free checklist now so you can follow along with this blog, using our step-by-step process.

Let the Investigation Play Out

After the initial scramble to contain the compromise and collect relevant data, your IR consultants need time to perform their investigation. The consultants will parse log files, extract relevant digital artifacts, and create a timeline of relevant activity. They will search for indicators of compromise—traces left by the accounts, malware, and other software tools the attacker deployed. This iterative process often leads the team to new data sources and new systems as they follow the attackers’ digital trail.

These steps take time.

If the incident affects only one or two systems, the investigation may take a few days. In larger compromises — such as Equifax, U.S. Office of Personnel Management, or The HomeDepot — investigations can take months. As the investigation unfolds, in-house counsel’s main task will be ensuring the availability of human and technical resources to the consulting team.


Information about the incident and insist something be done. Beware the danger in revealing early information or acting too quickly in response to it. Initial conclusions about the scope of a compromise seldom align with what becomes known when the dust settles. Equifax, for example, is still updating how many user accounts were compromised 10 months after its breach. Months after its initial disclosure, Facebook disclosed that an additional 37 million user accounts were improperly accessed by Cambridge Analytica.

Find a cadence for investigation updates that satisfies company stakeholders and works for the consultant team. Give the team all the time and space you can.

Pressure for frequent updates always accompanies a serious incident response. But daily update meetings can hamper the IR team and increase costs. This proves especially true given the effort required to organize and prepare for update calls. Add to that effort the time and resources diverted from the investigation itself. In my experience, even in rapidly evolving situations, two or three update calls per week strikes the right balance.

Short on time? Send yourself a free checklist now with this helpful information.

The Forensic Report

Most data security incident investigations require a forensic report. Ideally, the report should address: how and when the intrusion occurred; whether the attacker accessed or acquired sensitive or regulated data; the controls put in place to address the compromise; and how your company remediated any exploited vulnerabilities.

When the regulators and plaintiffs’ attorneys come calling, a comprehensive forensic report is your best record regarding the incident, the state of the information security environment at the time of the compromise, and your response.

Be prepared to come forth with the facts you intend to litigate. A thorough forensic report often serves as critical evidence. It demonstrates that your company had “reasonable” security safeguards in place and that you acted appropriately in a timely manner to notify regulators and affected customers.

As counsel, you will play a significant role in drafting the forensic report. Under privilege, work with the consultants on drafts to make sure you can understand what it says and that it properly addresses the issues. The forensic team’s understanding of the legal risks of particular language will not match your understanding. Watch out for words loaded with legal meaning, such as “personal information” or “breach.”

Until the time is right, hold the report close. Its disclosure should be undertaken as a highly strategic decision. The same information that might otherwise serve as your shield can be twisted and wielded as a sword by plaintiff’s attorneys to expand claims against the company.

That said, the consequences of not having a report can be far worse. The efficacy of your incident response will prove crucial in demonstrating reasonable security safeguards. As you oversee preparation of the report, your overriding goal is to demonstrate that the company undertook a comprehensive and appropriate response to the incident.

Your free checklist is just a click away! Don’t miss out on this step-by-step guide to effective incident response.

Moving Forward

Your IR consultant’s forensic report will often contain recommended actions to further remediate the IT environment. This could mean re-imaging systems, adding additional security controls, or making configuration changes to your company network. These necessary steps are only a beginning. In the wake of a serious incident, your company should consider an enterprise-wide assessment or review of your information security program.

You should pursue two strategic objectives:

  • In the short term, take affirmative steps to improve your information security program to help defend against any pending litigation or regulatory inquiry. Demonstrate to regulators that you take the incident seriously. This helps tip the balance toward a decision not to pursue an investigation.
  • In the longer term, a severe compromise offers an opportunity to drive real change. In-house counsel is uniquely positioned to mature your company’s overall security program. A data security incident can inspire the company to improve its information security program and lower its risk profile.

Barely a week goes by without headlines of another major company or organization losing sensitive information to hackers. Sooner or later, this challenge will land on your desk. Be prepared and always have a plan in place.

Topics: Security Insights