Recovering from a major network breach can be a daunting task — as several agencies have learned — but it is possible with the right people, according to private security researcher Chris Kubecka.
Kubecka led Saudi Aramco's overseas response after a devastating cyberattack in 2012 that brought down the company's networks and brought operations to a standstill.
"Imagine if you walked into work on Monday and had no email, no files, nothing," she said to an audience of hackers and cybersecurity professionals at Black Hat 2015, noting that, in Aramco's case, more than 50 percent of its systems were compromised by the attack.
Many federal employees could empathize with that situation.
In late 2014, intruders broke into the State Department's email system, forcing the agency to take external email communications offline for months.
After the two massive breaches at the Office of Personnel Management, the agency reviewed the security of its apps and had to take its online background investigation submission system down for a month. OPM also instituted new rules for web browsing at work, restricting employee access to personal email and social media.
In the wake of the attack on Aramco, Kubecka's first priority was building a team that could secure the network, expel any hackers still poking around inside and get the infrastructure back online.
Finding that talent was the first step.
Kubecka used some of the traditional methods like job boards, meeting people at conferences and poaching from other companies. But she also used nontraditional methods, such as Reddit's NetSec feed, which includes a job board.
She also suggested looking deeper into prospective candidates. Many of the seemingly obvious choices were good with prevention and remediation tools but didn't actually understand the technology behind them.
"Don't look for the corporate image," Kubecka said. "If they have tattoos or a couple piercings, it can work."
After appearances, she suggested looking past degrees and certifications to find true passion for the work.
"If you get people who talk about their home lab and they get a smile on their face – they glow – those people will do great things," she said.
Those people might already be employed at an organization, but they need to be a special kind of talent to be effective after a significant incident.
"You can have success with regular IT staff but they have to be a little bit evil," Kubecka said, describing the right people as "gray hats," somewhere between ethical hackers and malicious actors. To be effective, staff have to be able to think like the bad guys to identify how they would break into the network and patch those vulnerabilities.
Along with cybersecurity staff, Kubecka said organizations should be sure to loop in their public relations and legal offices, preferably before an incident occurs.
"There's going to be mass chaos," she said. "If you're trying to scramble to find people after an incident, it's going to cost a lot of money to recover, if you can."
"Recovery is expensive and time consuming," she added, "but it is possible."