“Know your enemy and know yourself, and you will win a hundred battles.” – Sun Tzu from Art of War
The man and his work are legend, and for good reason. Inspired by the sage, I’ve explored this concept and applied his theories at some of today’s largest companies. And if you’ve heard me or read anything I’ve written in the last few years, you’ll recognize the following interrogatory statement which is the above stratagem in modern cyber-security parlance: Do you know how, with what resources, and where you will direct your incident response team when an active attack has been detected against your organization?
Short shrift is being paid to the basic task of understanding one’s own attack mitigation and response capabilities. We all finally agree that it’s a matter of when and not if we are going to experience a breach. So, even if we know our threat horizon well, no security technology, architecture, practice or policy, at least today and within my lifetime, will ever be fully resistant to cyber-attacks. Knowing this, isn’t it paramount to fully understand exactly what your organization should be doing when under active attack?
What I believe is commonly missing from IR planning is a way to provide tactical guidance once an attack is underway on who should be responding, what activities should be prioritized, what tools should be used, and most importantly, what specific defensive capabilities are going to be most effective against the specific type of attack being experienced. Fighting a cyber-attack without knowing your own response capabilities is comparable to sending a field general out to command an army without telling the commander what weapons his troops have and how well they can use those weapons, nor any knowledge of the enemies’ weapons the troops will face in battle. The corollary to this is the fact that many activities carried out in a standard, well-constructed IR plan may have little or no effect on stopping the attack and all the associated damage because we cannot provide specific, appropriate responses a priori for a future attack.