AusCERT's 'Flying Squad' Helps Victims Respond to Breaches

Key Takeaway: Half of Victims Have No Response Plan
When there's a major data breach at an organization, look out. The stress quickly mounts, and jobs could be on the line. The atmosphere can be so frenetic that some systems administrators just simply disappear, unable to cope with the pressure.

"We've had people go missing - key staff in the incident response plan - because it's so high pressure," says Thomas King, general manager of AusCERT, one of the world's longest running computer emergency response teams.

King knows this because he's had first-hand experience helping organizations deal with data breaches. Over the past two years under his leadership, AusCERT has sought to diversify the services it offers to its members, which include real-time threat intelligence, vulnerability scanning and the Flying Squad.

Launched last December, the Flying Squad is a team of specialists available around the clock to travel on site and help organizations deal with a breach. The engagements have been an eye-opening look into how unprepared most organizations are for a breach.

King says fewer than half of the organizations that the Flying Squad has helped had incident response plans in place. And for those that did have plans, the plans quickly went out the window.

"Not one person has followed their incident response plan," King says. "Zero. None of [the plans] survive contact with the enemy."

'Our Niche is Coordinating'

The scenarios that AusCERT encounters range from extortion attempts, in which hackers threaten to release data publicly unless the company pays up, to ransomware attacks.

The tension rises as staff members try to figure out what went wrong and how to respond. Network administration employees may suddenly find themselves face-to-face with a CEO whose name they've only seen on a company organization chart, King says.

Figuring out the technical problems that led to a breach is only a very small part of what needs to happen. The challenge is coordinating a response that engages a wide variety of groups: law enforcement, other CERTs, hosting providers, application specialists, penetration testers, forensic specialists, insurers, PR firms and legal firms.

"Our niche is not doing everything," King says. "Our niche is coordinating the incident response."

Many companies underestimate what the government or law enforcement can do for them. They also need help translating what an incident means for the organization's reputation and interpreting what it means for customers, for company morale and even for their supply chain.

"When we come in, we do everything from sitting there in the crisis management meeting to providing them a trusted adviser type capability about when should they publicly disclose, who should they disclose to and how," King says.

Paid Service for AusCERT Members

The Flying Squad is a paid service that is only available to AusCERT's members. AusCERT is well-positioned to offer the service for its members, King says, because it already monitors their digital assets, such as their IP addresses and domains, for threats and software vulnerabilities.

AusCERT's Flying Squad isn't intended to compete with private information security companies. AusCERT is a not-for-profit group based at the University of Queensland. For a long time, it has performed incident response services, but never with boots on the ground, King says.

But there was a need for the Flying Squad service, and demand for it has grown mostly through word of mouth. All of its work is under non-disclosure agreements, which is why AusCERT's name has never popped up in the press in connection with a breach, King says.

"The commercial marketplace works pretty well, and we don't want to compete in that space," he says. "We want to focus on where we have real value to offer, and where we can actually be as good as anyone."

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Executive Editor for Security and Technology for Information Security Media Group. He's the creator of "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware, the greatest crime wave the internet has ever seen.