How Will You Respond when You’re Under a Cyber Attack?

“Know your enemy and know yourself, and you will win a hundred battles.”  – Sun Tzu from Art of War

The man and his work are legend, and for good reason. Inspired by the sage, I’ve explored this concept and applied his theories at some of today’s largest companies. And if you’ve heard me or read anything I’ve written in the last few years, you’ll recognize the following interrogatory statement, which is the above stratagem in modern cyber-security parlance: Do you know how, with what resources, and where you will direct your incident response team when an active attack has been detected against your organization?

Short shrift is being paid to the basic task of understanding one’s own attack mitigation and response capabilities. We all finally agree that it’s a matter of when and not if we are going to experience a breach. So, even if we know our threat horizon well, no security technology, architecture, practice or policy, at least today and within my lifetime, will ever be fully resistant to cyber-attacks. Knowing this, isn’t it paramount to fully understand exactly what your organization should be doing when under active attack?

What I believe is commonly missing from IR planning is a way to provide tactical guidance once an attack is underway on who should be responding, what activities should be prioritized, what tools should be used, and most importantly, what specific defensive capabilities are going to be most effective against the specific type of attack being experienced. Fighting a cyber-attack without knowing your own response capabilities is comparable to sending a field general out to command an army without telling the commander what weapons his troops have and how well they can use those weapons, nor giving him any knowledge of the enemy’s weapons the troops will face in battle. The corollary to this is the fact that many activities carried out in a standard, well-constructed IR plan may have little or no effect on stopping the attack and all the associated damage, because we cannot provide specific, appropriate responses a priori for a future attack.