Chapter 28: Advanced Incident Response¶

Secure Out-of-Band Communication Plan:
├── Primary: Dedicated Signal/WhatsApp group (personal phones, not corporate)
├── Bridge line: Pre-established conference line (not corporate bridge)
├── War room: Physical meeting space designated in advance
├── External: Separate email domain for IR team communications
└── Vendor: 24/7 retainer contact numbers pre-loaded in personal phones

INTELLIGENCE-DRIVEN ERADICATION PROCESS:

Phase 1: Mapping (2-4 weeks, no containment)
├── Identify ALL persistence mechanisms before touching any
├── Map ALL compromised accounts and systems
├── Understand ALL data that was accessed/exfiltrated
└── Establish complete attack timeline

Phase 2: Preparation (1-2 weeks)
├── Build clean parallel environment if possible
├── Pre-stage all replacement credentials and systems
├── Coordinate with all stakeholders (downtime windows)
└── Legal / law enforcement notification if warranted

Phase 3: Synchronized Eradication (D-Day)
├── Execute simultaneously across all identified entry points
├── Rotate ALL privileged credentials simultaneously
├── Terminate ALL sessions (Azure/O365/on-prem)
├── Apply emergency patches for exploited vulnerabilities
└── Block ALL identified C2 infrastructure

Phase 4: Recovery with Enhanced Monitoring
├── Rebuild from clean images or known-good backups
├── Enhanced detection for 90 days post-eradication
└── Assume attacker may have unknown additional access

REGULATORY NOTIFICATION DEADLINES (2026):

GDPR (EU): 72 hours to supervisory authority (data involving EU residents)
  - Competent authority: Lead supervisory authority in member state of org
  - Notification to individuals: Without undue delay if high risk

HIPAA (US Healthcare): 60 days for covered entities (PHI breach)
  - >500 individuals: Notify HHS and prominent media simultaneously
  - <500 individuals: Annual aggregate report to HHS

SEC (US Public Companies): 4 business days for material incidents
  - Form 8-K Item 1.05 — materiality determination required
  - Annual reporting on cybersecurity risk management (10-K)

NY DFS: 72 hours for financial services companies
  - Covered entities: banks, insurance, mortgage companies under DFS supervision

CCPA/CPRA (California): Expedient notification for CA residents
  - No specific timeframe but "expedient" is enforced
  - Attorney General notification for 500+ CA residents

FTC (US Federal): Notification under Safeguards Rule (financial)
  - 30 days to notify FTC for financial institutions (500+ customers)

PCI DSS: Immediate notification to acquiring bank, card brands
  - Forensic investigation required (PCI Forensic Investigator)
  - Timelines set by card brand (Visa/MC typically require immediate)

CISA (Critical Infrastructure): Report within 72 hours (CIRCIA — pending)
  - Ransomware payments: Report within 24 hours (when CIRCIA effective)

LEGAL HOLD PROCESS:

1. Counsel declares legal hold → notification to custodians
2. Preserve: all communications, documents related to incident
3. Suspend: auto-delete rules for affected custodians
4. Document: all evidence preserved, where, custody chain
5. Maintain: hold until litigation/investigation resolved

ATTORNEY-CLIENT PRIVILEGE:
- IR investigation conducted at direction of counsel → potentially privileged
- Forensic report prepared for litigation → potentially privileged
- Communications to counsel about incident → privileged
- Communications between security team members → NOT privileged

Best Practice: Engage external counsel early; have IR firm contracted through counsel

POST-INCIDENT REVIEW AGENDA:
════════════════════════════════════════════════════════

1. INCIDENT TIMELINE WALKTHROUGH (30 min)
   - Chronological sequence of events
   - When each detection opportunity occurred
   - When each response action was taken

2. WHAT WENT WELL (20 min)
   - Controls that detected/prevented
   - Response actions that were effective
   - Team coordination successes

3. WHAT NEEDS IMPROVEMENT (30 min)
   - Detection gaps (blind spots)
   - Response delays (what caused them)
   - Communication breakdowns
   - Missing playbooks or outdated procedures

4. ROOT CAUSE ANALYSIS (30 min)
   - 5 Whys analysis
   - Contributing factors (technical, process, organizational)

5. ACTION ITEMS (20 min)
   - Specific, assigned, time-bound improvements
   - Owner, due date, success criteria
   - Priority ranking

6. METRICS UPDATE
   - MTTD, MTTC, MTTR for this incident
   - Trend comparison to previous incidents

INCIDENT + INSURANCE COORDINATION CHECKLIST:

Day 1:
□ Notify cyber insurance carrier (within policy-required timeframe, often 72 hours)
□ Preserve carrier's right to approve vendors (some policies require pre-approval)
□ Do NOT retain external vendors without carrier approval (may void coverage)

Day 2-7:
□ Work with carrier-approved forensics firm (or pre-approved retainer)
□ Document ALL incident response costs (hours, tools, vendor invoices)
□ Preserve evidence of business interruption losses

Throughout:
□ Legal counsel involved — communications may be privileged
□ Do NOT make public statements about breach without legal/PR/insurer review
□ Track regulatory notification deadlines and coordinate with insurer

Ransom Payment:
□ NEVER pay without:
   1. Insurer approval
   2. OFAC sanctions check
   3. Legal counsel sign-off
□ Insurers increasingly reluctant to cover ransomware payments
□ Document negotiation process

MINIMUM REQUIREMENTS (2024 Market):
├── MFA: Required for remote access, email, privileged accounts
├── EDR: Required on all endpoints
├── Backup: Offline/immutable backups tested quarterly
├── Phishing training: Annual + simulation
├── Vulnerability management: Critical patching within 30 days
├── Incident response plan: Documented and tested
└── Network segmentation: Particularly for OT/ICS

PREMIUM REDUCTION CONTROLS:
├── 24/7 SOC coverage
├── MDR/XDR service provider
├── PAM solution deployed
├── Zero trust architecture
└── Threat hunting program