Security Lessons from Top Cyber Incident Responders at IR17

For the past few years, my team has been building tools to enable completely private end-to-end encrypted and ephemeral communication for organizations sharing highly sensitive business information.

Last week, I got to test my own assumptions and share insights with over 400 top cyber incident responders (IR) who came together to talk about getting ready for compromise.

Here are a few takeaways:

  • You can’t fight a fire with a burning fire truck: there is no point running an incident investigation on the same network that has already been compromised.
  • Responders understand the need to be self-reliant: you can only count on the tools you bring to the incident.
  • The most effective responders are those who put plans in place to communicate securely long before there is an incident, so that when the time comes you aren’t scrambling to move everyone to an out-of-band channel.


Many of us in the information security space have known for decades that there’s no such thing as 100% security and it is better to prepare for the emergency today than wait until it actually happens. The ongoing avalanche of massive data breaches is beginning to drive that point home for everyone else. It infinitely improves your chances to mitigate the incident when your team knows the drill far in advance and has all necessary tools in place before it happens. Ironically, the knowledge sharing at IR17 took place against the backdrop of one of the largest breaches of personal information in the US to date. Talk about the importance of IR foresight…

So what separates an effective response from horror scenarios we all have seen unfold in the news?

Sharing sensitive information during incident response: how & where

The aspect of incident response I have long seen as critical is protecting sensitive conversations and information to avoid detection by an adversary on a compromised network.

The information security community has long recognized the importance of sharing intel (network attack signatures, malware signatures, attack vectors, timing, source correlation, etc.) across corporate boundaries and is actively exchanging insights to improve defenses against common threats. But how do you ensure that your team’s investigative progress and operational chatter are not accessible to an adversary, particularly before you know exactly what systems are compromised?

With 80% of corporate IP still shared via mainstream insecure communications tools, which are precisely the target attackers go after, the IR experts agreed that it’s essential to direct all sensitive communications around incident response to an out-of-band secure channel, away from desktops running on internal corporate networks.

“If at any point the team considers their phone, laptop, email, SMS, or other means of communications to be compromised — they should practice good judgement about what is transmitted, and make a best effort to communicate “out of band” of any adversarial eavesdropping.”

— Ryan McGeehan, IR Expert

Source: Starting Up Security

Any IR information you would rather share in a face-to-face conversation or a secure phone call should only be shared via encrypted ephemeral channels to ensure effective cyber incident response.

State vs. non-state attacks against communications systems

Another interesting aspect that came up frequently among IR experts last week is how pilfered communications are being weaponized in ways for which few traditional IR strategies were prepared.

While state and non-state attackers may have access to the same technology for offense and defense, the depth of resources available to nation states now translates into an ability to be far more patient and persistent than the adversary we were all trained to face in the private sector. In addition, the motivation behind attacks against sensitive corporate communications used to be stealing trade secrets or gaining business advantage, which of course is devastating. However, the attacker pool was limited and the incident would generally run its course entirely under the radar. Today, the motivation behind these attacks is increasingly political, aimed more at making a company, organization, or country look bad than at gaining competitive advantage.

With so many causes and emotions to play on, cyber incidents are now amplified by countless media outlets taking stolen communications public, so a single unfortunate statement taken out of context can do incredible damage to a brand or organization.

So aside from having a robust PR strategy, what are the ways to protect your company from becoming a victim of attacks against stored communications? For many in the IR community, the answer is simple – what isn’t there cannot be compromised.

Countless breaches of corporate, political, and personal communications are all part of the same problem – we collectively store too much information that is either too sensitive to retain or completely useless to spend resources on securing. Businesses willingly expand the attack surface by building a massive database of high-target customer and corporate information that is impossible to secure with 100% certainty.

The most reliable path to regaining control is to rethink how you treat sensitive data, including IR communications, so that no one, including your service providers, can access, monetize, or compromise your conversations and sabotage your team’s IR efforts. Ephemerality must become the norm for enforcing strong security hygiene over valuable business information, ensuring that no message between members of your team lives beyond its useful life or remains accessible to an adversary.