Connect with us

Hi, what are you looking for?


Incident Response

Continuity in Chaos: Applying Time-Tested Incident Response to Modern Cybersecurity

Despite the drastically newer and more complex technology, many of the core incident response principles remain the exact same and we should never forget the fundamentals.

From MyDoom to AI: Tracing the Evolution of Cyber Threats and Incident Response

Incident response is foundational to every security program, yet many companies still struggle with adoption and testing.

At Blackhat 2004, the founder of Red Cliff Consulting presented a talk titled “The Evolution of Incident Response”. He enumerated the top challenges of incident response at the time which were 1) Increasing complexity and sophistication of computer attacks  2) Incident response methodologies and technologies need to evolve and address emergency threats and 3) Pre-incident preparation is as critical as any other proactive security measures. Back then, companies were just starting to deploy internet connected systems, 56k modems were standard. Windows XP was the dominant operating system, Symantec and McAfee were the largest antivirus vendors on the market and DHS had just announced the need for the government to invest in cybersecurity. Threats of the time were focused on  banking and financial systems, and consumers were seeing fast spreading worms such as Mydoom, Sasser and Beagle.

MyDoom email screenshot from 2004

Red Cliff Consulting would rebrand as Mandiant in 2006, and then go on to be acquired twice, once by FireEye for $1 billion in 2014 and again by Google for $5.4 billion in 2022. That presenter, Kevin Mandia, is now a household name and well respected executive in the industry. Twenty years later, many things have changed and many things have stayed the same. We now use Windows 11, CrowdStrike and Microsoft are some of the largest endpoint protection firms, and DHS continues to invest in cybersecurity. Despite the drastically newer and more complex technology, many of the core incident response principles remain the exact same and companies should never forget core fundamentals of security response.

Heads I win, Tails you lose

Incident responders have been busy cleaning up massive breaches this year. While most of them came from ransomware, there were a handful of very sophisticated attacks involving multiple zero day exploits and chained social engineering. Despite the massive advances in technology over the last two decades; email, patching and humans continue to cause  breaches. Why do we continue to face the same problems as before? With close to 30% more breaches year over year and despite record fines handed out to companies and numerous regulations, we continue to deal with the same problems. If I had to recreate Kevin Mandia’s presentation today, I would add three things to it to help companies better prepare for incidents.

  1. Technology – There is more technology today than has ever existed, including complex supply chains, dramatically increasing the attack surface area across both hardware and software. As we continue to develop software or hardware that is built on existing software or hardware, the tower grows higher in terms of the number of downstream dependencies. A good example of this is how Artificial Intelligence (AI) needs to have well formed training sets of data to function properly and securely, which also relies on other forms of open source software and models. Incident responders need to be prepared to work with key stakeholders to fix or mitigate risk from third party suppliers.
  1. Community – There is a thriving social community that allows for information and currency to move faster within both the security and dark web communities.Underground groups are all organizing quicker and finding new platforms to collaborate such as Telegram. Dark web forums have existed for a long time, however threat groups today have aligned their incentives to maximize collaborative resources in the quickest time. Many have membership that requires an invitation, rules for code of conduct, and a clear target for the community. In addition, groups often have focused areas of expertise, such as brokering access to systems. This allows for high breach success rates and often split profits. Incident responders need to be prepared to work with outside security resources to ensure they have the most accurate and up-to-date threat information.
  1. Compliance – Cyber reporting and compliance requirements are higher than they have ever been before in history. US State regulators now require various levels of reporting based on the information that has been accessed. Federal requirements from the SEC now require public companies to take action in certain instances. Europeans are enforcing GDPR adherence and doling out big fines for non-compliance. In addition, there may be various corporate contractual requirements to plan for.  Companies need to be prepared with public statements, legal contacts and form filing to ensure all communication requirements are met.

Back to Basics

It is clear that despite numerous advances in technology, we are clearly not at a state where we can remove email, patching and humans from companies doing business. When Kevin Mandia spoke about the incident response in 2004, we see his words are still very relevant today. The most foundational aspect of incident response is to ensure your organization has a detailed incident response plan, relevant to your business and with the key stakeholders. While this might sound like an obvious statement, IBM research still found that 77% of respondents indicated they do not have a cybersecurity incident response plan applied consistently across the enterprise, and 54% do not test their plans regularly. Every response plan is different, but we need to ensure our organizations are better prepared for incidents when they happen. No amount of new security tools, security personnel or compliance requirements can substitute for proper incident preparation. Let’s hope the next twenty years yield better results.

Written By

Matt is the current Head of Security and Compliance at Forward Networks. He is a security leader and has a background in the areas of threat intelligence, networking, system forensics and discovery, enterprise security auditing, malware analysis and physical security. He is an industry speaker, author, and frequent security podcast guest. Matt also holds a US granted patent, multiple US Government awards and was selected as a one of Silicon Valley Business Journal 40 under 40.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...


Cloud company Rackspace has completed its investigation into the recent ransomware attack and found that the hackers did access some customer resources.