What does your incident response look like?

Well, it depends, doesn't it? You respond to what you see; your response is guided by what you understand; and your options are driven by what you know and what is familiar.

So every different type of event should elicit a different response. But turn it on its head and ask what your preparation looks like, and this is a very different formula, despite the fact that the two are intimately interdependent and in many ways one should be the negative image of the other.

To anticipate an event requires a degree of awareness that will support the simulation of outcomes and consequences: at least, at first, in theoretical terms, so as to assess what to do about exploring it further. To then speculate as to what the organisation should do to respond, resist, recover, and ultimately prepare is a far more complex process, one which exposes the natural weaknesses of organisations that struggle with complex problems and take short cuts to 80% solutions, which are invariably drilled down to K.I.S.S. principles.

The concept that a complex problem can be stripped back to easy-to-understand features, and that solutions can thereafter be built on 'simple & stupid' [or simple to understand and apply, equating to 'idiot-proof'], is a fallacy, and a mainstay of problems in security planning. Consider the different non-technical elements that underpin an appropriate response capability to a sophisticated cyber attack...

From first response to situational awareness, and from situational analysis to crisis management. Consider the process of alerts and indicators, and whether this situational information is being translated into actionable intelligence. Then consider how the intelligence is appropriately actioned, and how this demands examination of decision-making, of communication between teams, groups, and individuals, and of the evolution of tasks during a crisis.

Even the demarcation between security operations and leadership, between the risk team, the crisis management team, and the interface with the incident response and forensics teams, can become complex and even counter-productive, with one informed CISO and an increasingly ill-informed list of C-level executives as a complex attack unfolds and the consequences begin to emerge... if they become quickly apparent.

It is becoming increasingly futile to consider the individual elements of a complex and persistent attack in isolation in order to construct a defence against individual threats. This is particularly the case if the construction of an effective defence is not risk-informed and intelligence-led as far as possible, and it is especially short-sighted if the converged nature of enterprise security risk is not apparent to the security planners who need to assemble a converged response. Without a prepared and rehearsed response to a well-anticipated scenario, the response is likely to be poor, and the recriminations broad.

Tackling the issue of building converged security scenarios is daunting enough to many organisations, and the degree to which this is misunderstood is reflected in the attitude of IT and physical security to each other. Physical security assumes that there is an IT 'fix' and a response team on hand to tidy up their end very quickly. IT thinks that the physical security team has little contribution to make in a crisis, and that its contribution is not central to dealing with any crisis that ultimately leads to the exfiltration of data over the network.

But what would happen if you faced a Permanent Denial of Service [PDoS] attack? Consider the need to act in tandem on an event that led to permanent mechanical or system failure due to over-volting, over-clocking, power cycling, or phlashing. Asking yourself 'Is this what it seems?', 'Will this follow the pattern of other events?' and 'Is this a problem for one specialist/team?' will quickly be superseded by 'What don't you know?' and 'What could happen next?' In preparing to fight the next battle, not the last one, security managers need to recalibrate their expectations of how severe and complex future attacks will be, and we can already anticipate the future causes of failure, not least:
1. A propensity to focus on 'the probable'
2. A chronic lack of preparation
3. A bias towards whatever is 'familiar'

If you take steps to counter these three issues, you will be much closer to anticipating the next attack appropriately.

To engage in the issue of 'crisis leadership in cases of a multifaceted cyber attack' join us at CSARN on July 1st.

Posted: 28 June 2013 by Optimal Risk Admin | with 0 comments
Filed under: APT, attack, converged, crisis, cyber, denial, enterprise, incident, leadership, management, of, response, risk, security, service