Incident response is foundational to every security program, yet many companies still struggle with adoption and testing.
At Blackhat 2004, the founder of Red Cliff Consulting presented a talk titled “The Evolution of Incident Response”. He enumerated the top challenges of incident response at the time which were 1) Increasing complexity and sophistication of computer attacks 2) Incident response methodologies and technologies need to evolve and address emergency threats and 3) Pre-incident preparation is as critical as any other proactive security measures. Back then, companies were just starting to deploy internet connected systems, 56k modems were standard. Windows XP was the dominant operating system, Symantec and McAfee were the largest antivirus vendors on the market and DHS had just announced the need for the government to invest in cybersecurity. Threats of the time were focused on banking and financial systems, and consumers were seeing fast spreading worms such as Mydoom, Sasser and Beagle.
Red Cliff Consulting would rebrand as Mandiant in 2006, and then go on to be acquired twice, once by FireEye for $1 billion in 2014 and again by Google for $5.4 billion in 2022. That presenter, Kevin Mandia, is now a household name and well respected executive in the industry. Twenty years later, many things have changed and many things have stayed the same. We now use Windows 11, CrowdStrike and Microsoft are some of the largest endpoint protection firms, and DHS continues to invest in cybersecurity. Despite the drastically newer and more complex technology, many of the core incident response principles remain the exact same and companies should never forget core fundamentals of security response.
Heads I win, Tails you lose
Incident responders have been busy cleaning up massive breaches this year. While most of them came from ransomware, there were a handful of very sophisticated attacks involving multiple zero day exploits and chained social engineering. Despite the massive advances in technology over the last two decades; email, patching and humans continue to cause breaches. Why do we continue to face the same problems as before? With close to 30% more breaches year over year and despite record fines handed out to companies and numerous regulations, we continue to deal with the same problems. If I had to recreate Kevin Mandia’s presentation today, I would add three things to it to help companies better prepare for incidents.
- Technology – There is more technology today than has ever existed, including complex supply chains, dramatically increasing the attack surface area across both hardware and software. As we continue to develop software or hardware that is built on existing software or hardware, the tower grows higher in terms of the number of downstream dependencies. A good example of this is how Artificial Intelligence (AI) needs to have well formed training sets of data to function properly and securely, which also relies on other forms of open source software and models. Incident responders need to be prepared to work with key stakeholders to fix or mitigate risk from third party suppliers.
- Community – There is a thriving social community that allows for information and currency to move faster within both the security and dark web communities.Underground groups are all organizing quicker and finding new platforms to collaborate such as Telegram. Dark web forums have existed for a long time, however threat groups today have aligned their incentives to maximize collaborative resources in the quickest time. Many have membership that requires an invitation, rules for code of conduct, and a clear target for the community. In addition, groups often have focused areas of expertise, such as brokering access to systems. This allows for high breach success rates and often split profits. Incident responders need to be prepared to work with outside security resources to ensure they have the most accurate and up-to-date threat information.
- Compliance – Cyber reporting and compliance requirements are higher than they have ever been before in history. US State regulators now require various levels of reporting based on the information that has been accessed. Federal requirements from the SEC now require public companies to take action in certain instances. Europeans are enforcing GDPR adherence and doling out big fines for non-compliance. In addition, there may be various corporate contractual requirements to plan for. Companies need to be prepared with public statements, legal contacts and form filing to ensure all communication requirements are met.
Back to Basics
It is clear that despite numerous advances in technology, we are clearly not at a state where we can remove email, patching and humans from companies doing business. When Kevin Mandia spoke about the incident response in 2004, we see his words are still very relevant today. The most foundational aspect of incident response is to ensure your organization has a detailed incident response plan, relevant to your business and with the key stakeholders. While this might sound like an obvious statement, IBM research still found that 77% of respondents indicated they do not have a cybersecurity incident response plan applied consistently across the enterprise, and 54% do not test their plans regularly. Every response plan is different, but we need to ensure our organizations are better prepared for incidents when they happen. No amount of new security tools, security personnel or compliance requirements can substitute for proper incident preparation. Let’s hope the next twenty years yield better results.