When something happens to us regarding our online privacy or security, something involving our personal and/or professional technology, it impacts something larger than ourselves. Whenever we click on a link we shouldn't have, give out confidential information to someone who tricked us, or have one of our accounts compromised and used against us, it puts not just ourselves but also our families, friends, clients, and others at greater risk than before.
While some risks are preventable, some aren't. We accept some risks and when these are exploited or put us in harm's way, Incident Response (or IR) is required to contain, mitigate, and remediate those scenarios in order to quickly protect ourselves and our larger orbit.
IR requires fast, friendly, and actionable guidance. I'm writing this post to help inform more of us about these situations, which are sadly becoming more common. Being aware of them is the first step toward reducing our odds of having to deal with them in the first place.
First things first.
When the team and I are notified of incidents that impact our community of clients, families, friends, and so on, we have some specific priorities in mind that we have to convey to affected parties before we begin helping them through their unplanned event. Those priorities, however, aren't always self-evident to victims. That makes sense: who here hasn't experienced breach syndrome, weary from bad news in the world?
Plus, it seems natural to want to return our default-setting back to 'normal' as quickly as we can.
However, there are steps involved in cleaning up an identity theft, a wire fraud, a ransomware attack, and the like, and those steps require time and attention. Basic protocols, follow-ups, and tweaks after a compromise can take weeks at best, and months or sometimes longer at worst.
First things first: the goal is to answer three questions:
- What happened? (containment)
- How can the person or organization deal with the incident? (mitigation)
- How do they prevent it from happening again? (remediation)
The Mouse Problem
A "mouse problem" is a decent analogy for a situation like this. Like criminals, mice get into places and cause damage. No one likes knowing of such a presence in their home or office. It can be unnerving.
Hiring an IR team to guide you through a scenario isn't totally unlike hiring an exterminator to get rid of your mouse problem. We'll first want to figure out how mice got into your oven, for example, remove them, and then figure out a way to prevent them from getting back into the oven.
First, we're going to focus on the mice in your oven. We may or may not come across other signs of mice during the initial investigation, but we definitely aren't going to look for carpenter ants in the attic, wasps in the garage, or mold in the basement.
When you hire an IR team to contain and mitigate a social engineering attack, for example, they're going to focus on that (the mice in your oven, in this case). As the team begins their work, they may or may not discover other attacks that occurred previously (other signs of mice), but they may not discover malware embedded elsewhere (the carpenter ants in your attic or the mold in your basement).
Why? Why can't an IR team just "find everything"? Because time. IR teams only get so much time to spend on discovery and mitigation, and they are typically paid for very limited hours up front. To make the most of that time, IR teams focus on specific incidents, one at a time.
Threat Hunts vs. Threat Assessments
IR is generally a targeted Threat Hunt, seeking a particular type of compromise, like mice in the oven. A Threat Assessment goes deeper, seeking mice, other critters, and potential threats everywhere, which means it also requires more time, more resources, and more expertise.
You can hire an exterminator to find signs of mice anywhere in your house. That's a Threat Hunt, a specific process and purpose using specific but limited tools to verify that you have mice now and/or had them in the past.
If you want the exterminator to look around for signs of other unwelcome elements (carpenter ants, termites, or wasps, for example), then that's a Threat Assessment. In those cases, teams require more time to focus on all the indicators by all the critters rather than specific indicators of a single critter.
The information gathered by each approach overlaps, yet differs in scope. A targeted Threat Hunt generates a lot of information that can inform a remediation strategy against a single, specific threat. A Threat Assessment, on the other hand, generates more information in greater detail, in order to eliminate or minimize a broad scope of threats.
The timeline to complete a targeted Threat Hunt can be days or weeks.
The timeline to complete and remediate a Threat Assessment can be weeks, months or even years, depending on what's discovered.
Here are three questions to help determine what your needs are:
- Have you experienced a concerning security incident? (mice in your oven) If "Yes," then you need an IR team to conduct a Threat Hunt.
- Are you concerned about a specific event? (mice in your house) If "Yes," then a Threat Hunt is worthwhile, and it requires less time and fewer tools.
- Do you want to look for threats and potential threats in your home or organization? (carpenter ants, termites, wasps, mold, etc. anywhere) If "Yes," then that's a Threat Assessment, which requires more time, resources, and expertise.
How we answer determines what type of engagement we need.
Hey, thanks for reading (if you read this far).
Next Steps To Protect You & Yours
What if you want to confirm there aren't any other potential threats or vulnerabilities on your device(s) or network(s)? What if you want to take it a step further, understand your threat model, and eliminate preventable risks and loss to yourself and/or your organization? I created an advanced Threat Assessment, the Resilience Diagnostic.
The Resilience Diagnostic (RD) takes Threat Assessments a step further to define preventable risks and threat models for individuals and organizations. The RD delivers insights you can use to make important decisions about your operational resilience ahead of a broad spectrum of unplanned events that would otherwise compromise your productivity, reputation, and bottom line. Use the contact info to get in touch.
Protect what you've built from preventable losses caused by human error, global events like pandemics, social-engineering attacks, wire fraud, and the new crime era.