“If I could give someone just one life tip, I’d tell them to be prepared. I can’t think of better words to live by that can impact virtually every facet of life outside of love and ethics. From my early days and the stinging cold of scout camp to my pursuits as a student, athlete, musician and security professional, a focus on preparedness has always given me my best possible chance of success.”
Most people think of cyber security incident response as something that’s reactionary. What they don’t realize is that incident responders spend more time preparing for events than they do responding to them.
In order to be effective, teams must have the right people, procedures and tools in place ahead of time, tested and ready to go at a moment’s notice.
The increasing incidence of “cyber blackout” scenarios, such as the one experienced in the Sony breach of 2014 and, more recently, those tied to threats like WannaCry, has also taught us that, like traditional emergency responders, cyber incident responders must understand that the worst thing they can do when responding to an incident is to become casualties themselves.
We talk to CISOs all the time. They understand that, prior to and during a crisis, adversaries will exploit the insecure communications channels security teams use in order to learn, adapt, thwart detection and refine their attack strategies going forward. Many security teams have relied on the security of their primary channel (rightly or wrongly) but, with many conflicting priorities, have not invested in an alternate channel for the day their networks become compromised, or are willing to fall back on insecure out-of-band communications in times of crisis. One thing is for sure: the middle of an incident is a bad time to realize you can’t trust your comms.
Today, preparation goes far beyond a simple incident response checklist. Teams are automating everything they can to manage incidents. Tools like PagerDuty are used to distribute logs automatically, spin up videoconferencing, integrate webhooks, and post full or redacted threat code samples that can then be shared within the organization and with external researchers. Slack channels are created for communication, or in some cases teams use obfuscated Gmail accounts in an attempt to throw attackers off the scent. However, modern orchestration techniques that automate response procedures in the clear are an irresponsible invocation of SecDevOps and a sure sign of not being prepared.
The right preparation lies in encrypting communications and using APIs to automate and orchestrate on top of a data transport layer, like Wickr’s, that ensures anything sent is seen and received only by verified recipients. Further, it is critical to retain ownership of these communications and processes for the purposes of legal prosecution and after-action reporting.
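As an added illustration of the two points above, integrations that are not "in the clear" and samples that are redacted before they leave the team, here is a small example (not code from the original post, and not Wickr's or PagerDuty's API). It wraps an incident alert in a timestamped, HMAC-signed envelope so the receiving automation can verify who sent it and reject stale or tampered messages, and it redacts host identifiers and IP addresses from a sample before it is shared externally. The shared secret, the replay window, the field names and the sample payload are all constructed for the demonstration.

```python
"""Signed incident-alert envelope plus external redaction.

Added example; the secret, window, field names and sample data are assumptions
made for the demo, not values from any real deployment or vendor API.
"""
import hashlib
import hmac
import json
import re
import time

# Constructed demo secret; in practice this is provisioned out of band, never
# placed in the repository or posted in the channel it protects.
WEBHOOK_SECRET = b"constructed-demo-secret-not-for-real-use"
MAX_SKEW_SECONDS = 300  # assumed replay window: reject envelopes older/newer than this


def canonical(payload: dict) -> bytes:
    """Deterministic JSON so sender and receiver sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_alert(payload: dict, secret: bytes = WEBHOOK_SECRET, now=None) -> dict:
    """Produce {ts, body, sig}; the MAC covers timestamp and body together."""
    ts = int(now if now is not None else time.time())
    body = canonical(payload)
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return {"ts": ts, "body": body.decode(), "sig": mac}


def verify_alert(envelope: dict, secret: bytes = WEBHOOK_SECRET, now=None):
    """Return the payload if the envelope is fresh and authentic, else None."""
    ts = int(envelope.get("ts", 0))
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None  # stale or replayed
    expected = hmac.new(
        secret, f"{ts}.".encode() + envelope.get("body", "").encode(), hashlib.sha256
    ).hexdigest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, envelope.get("sig", "")):
        return None
    return json.loads(envelope["body"])


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_FIELDS = ("host", "hostname", "victim")  # assumed field names


def redact_for_external(payload: dict) -> dict:
    """Strip internal host names and IPs before a sample leaves the team."""
    out = dict(payload)
    for key in HOST_FIELDS:
        if key in out:
            out[key] = "[REDACTED]"
    if "sample" in out:
        out["sample"] = IPV4.sub("[IP]", out["sample"])
    return out


if __name__ == "__main__":
    alert = {"host": "ws-042", "sample": "beacon to 203.0.113.7"}  # constructed
    env = sign_alert(alert)
    print("internal copy:", verify_alert(env))
    print("external copy:", redact_for_external(alert))
```

The signature binds the timestamp to the body, so an attacker who captures an envelope cannot replay it later or swap in a different body; the redaction step is applied before the external copy is signed, so researchers receive an authenticated message that still carries no internal identifiers.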
Companies can no longer argue that they are prepared if they do not have a clean and secure communication channel. Modern technology lets us not only protect our day-to-day work from adversaries, but also guarantee that when an attack does happen, you can communicate over a safe and reliable channel, and that the attackers cannot read response plans, watch response teams, or follow the real-time chatter.
Thorough preparation is the key to a lot of success. For cyber incident response teams, preparation is quite literally the job. Making sure the data and communications of response teams are protected can be the difference between a successful response and chaos.