The importance of Incident Response (IR) Preparedness – Bad things happen to good people (a lot)
The classic heist movie. No matter your age, there’s one for every generation. Perhaps it’s Heat, an iconic film that still influences the genre today. Maybe something more modern like Baby Driver suits your style. Maybe your nostalgia flows even further back, and you still remember watching the Italian Job – the original, of course - for the first time. These films, separated by decades, still have something in common however – a group of armed men and women show up at the door.
We might like to think that’s how it would happen if we ourselves were the victim. We lock our doors, we install alarms, and we sleep safe knowing the Police are a phone call away. The reality has changed. Long gone are the days of an open and transparent criminality. The vastness of the internet offers a convenient, anonymous and quite frankly easy route to the dark side.
I’m sure you’ve heard about – or were a victim of – some of the more recent scams, vulnerabilities or attacks. LinkedIn, Yahoo, Facebook, Ashley Madison; it seems to be an almost daily occurrence. Maybe it was a strange link in an email, a threat of exposure, ransomware. These avenues provide a bountiful return on investment for the modern threat actor, and the investment isn’t even very big to begin with.
In much the same way we as cyber security professionals collaborate, so too do the threat actors. Off-the-shelf phishing email solutions, ready-made attack tools and databases, intelligence on soft targets; it takes a minimal amount of effort to set up shop. Weak cyber security and poor incident response planning are the digital equivalent of leaving that door unlocked. As that old saying goes, “fail to prepare, prepare to fail”.
Incident response preparedness can cover a range of areas, from the mundane – appointing response team members, devising communications plans, building your playbook – to the truly heart pounding – there’s just been a breach and they’re asking you what to do. Having an incident response plan helps to alleviate that blunt trauma, and puts you in the best possible position to act, and act decisively. Preparedness doesn’t just mean knowing what to do when the worst happens, it also includes ensuring you already have your protective controls in place to limit the damage an attacker could do. For example, when an incident occurs, you will be thankful you had been properly managing which people and devices can access your network and what actions/transactions each of them can do (your access controls) because the attacker may well hijack those permissions to do their worst. Thinking ahead is the key.
In this new landscape, it’s more important than ever. Data is the new dollar, a digital currency that encompasses every aspect of our lives – just ask Facebook. In much the same way you would feel violated if they lost your data, your clients, customers and staff feel the same about you. Bad things can and do happen, but you don’t have to go it alone.
I really do mean what I say – you aren’t alone. The threat actors collaborate, so should we. Having been to these incidents and seen the devastation first-hand, knowing your team has both the expertise and the will to back you up goes a long way. Implementing a plan needn’t be a daunting task either, have fun with it; role-play some attack scenarios, test your security and involve your staff, feel confident you’ve got things covered.
It’s the importance of that preparedness that can’t be overstated. There’s no time like the present, and when you’re facing down an unknown enemy, from who knows where, with who knows what, you’ll be thankful you were.
Written for the Channel Islands Information Security Forum by Black Arrow's Incident Response & Forensics Lead Riley Paisley
https://www.linkedin.com/pulse/importance-incident-response-ir-preparedness-/