What does a “breach coach” actually do?

Jörg Wassink

May 4, 2022


From Cyberattacks and ransomware extortion

Five Questions to Thomas Lang, breach coach and cybersecurity expert

Thomas Lang is a managing partner at INTARGIA – a valantic company. As a so-called “breach coach”, he advises companies on what to do following a hacker or ransomware attack and which mistakes to avoid.

Thomas, as a breach coach or crisis advisor, you and your team are called to companies that no longer know what to do in the wake of a hacker or cyberattack, or a ransomware extortion, and are often practically unable to act. Which situations do you most frequently face here?

At companies that have been attacked, we usually find a certain degree of helplessness. If, for example, a ransomware attack has encrypted data and made them unusable, then parts of the IT system are at a complete standstill and can no longer be used.

One of the most immediate and pressing questions that needs answering, for example, is whether or not to pay the demanded ransom and give in to the extortionists’ demands. This is because every hour of downtime is lost production time, costing huge amounts of money. Consequently, all those responsible are usually under enormous pressure and at the same time overwhelmed by the unfamiliar situation. After all, it’s not every day that your own company is attacked by cybercriminals. Accordingly, great hope is placed in us to proceed in a clear, structured and planned manner in order to limit the damage or, if possible, avoid it altogether. This means, above all, organizing a restart of the IT that is synchronized with the business processes.

What are the first measures to be initiated by a breach coach?

First of all, we talk to those in charge, try to calm the generally hectic atmosphere, and obtain a precise picture of the status quo. Which IT systems or subsystems are affected and therefore fail? Are up-to-date backups available? Which are the most mission-critical business processes for the company due to the high losses caused by their failure? Do any other potential risks exist besides the pure production downtime – such as the threat of contractual penalties or others? The greatest threats are assigned top priority and all necessary measures should then be taken quickly to counter them and get the key business processes up and running again.

What do affected companies lack most urgently in the first hours and days following a hacker attack?

As a rule, companies are taken fully by surprise by a hacker attack and unprepared for the situation. They lack a proven and rehearsed crisis plan. We recommend preparing for the cyberattack scenario in advance, drawing up a step-by-step plan on how best to proceed, and also conducting training measures at regular intervals; in this way, every move in response to the attack will be spot-on, and valuable time can be saved. In an emergency, the damage will then be all the less severe.

The situation at the company should be comparable to that of a firefighting team. A firefighting team that’s worthy of the name doesn’t wait until reaching the scene of the fire before trying to figure out how best to fight it and what it needs for this. In both cases, good, proven preparation saves time and minimizes potential losses.

Are companies susceptible to specific vulnerabilities that are repeatedly exploited by attacks, and how can companies best protect themselves against such vulnerabilities?

From our broad expertise in combating cyberattacks, we have identified two main causes of major damage: (1) a lack of proper network segmentation and (2) an inadequately managed Active Directory. Both vulnerabilities are relatively easy to fix, however. Network segmentation limits the malicious impact of malware to a specific network segment, preventing the malware from spreading unhindered throughout the IT system and affecting virtually every business process and service. Network segmentation limits the damage that can be caused by a cyberattack. Moreover, the topic is not new and should be addressed urgently.

Attacks on the Active Directory of a Microsoft system are becoming increasingly popular with cybercriminals because important access and account information is stored there. An inadequately managed Active Directory can be compared to a company’s key cabinet that is inadequately protected by security managers. Sadly, we see that almost all companies fail to follow best practices, posing the risk of hackers gaining access to the master key – to remain with the analogy of the key cabinet.

How does one actually become a breach coach? Is special training needed, and what qualifications do you need?

No formal training is needed yet to become a breach coach, even though that would be highly desirable. An outstanding breach coach must be capable of understanding both the customer’s IT and its business. Also essential are many years’ experience and, above all, a broad network of trustworthy, competent partners who can intervene to provide support in an emergency. A breach coach should be able to think analytically, to quickly separate the important from the unimportant, and to prioritize. It is also important, however, to be able to keep a cool head and remain calm in hectic situations in order to give all those involved a sense of security and the feeling that they are in good hands.

Thank you very much, Thomas, for the interview!

The interview was conducted by Jörg Wassink
