Do no harm – First rule for cyber incident first responders By Kenneth Yu, Consulting Partner, Tesserent.
With so much attention placed on defence and protection, effective incident response can sometimes be overlooked. But it’s a critical element of your cybersecurity strategy and one that requires specialist skills and tools that, without training, your team may not have.

The first task of the first responder at a cybersecurity incident is just like that of an emergency services worker. A well-prepared responder can identify the threat, contain it, make things safe and then help you learn what happened to prevent a repeat. When a first responder is unprepared, their first actions may exacerbate a situation rather than contain the damage and aid recovery.

While there is a temptation to respond quickly, particularly in a highly stressful and unexpected situation, knowing what not to do is just as important as knowing what to do first. Cybersecurity first responder training helps teams learn about the tools, procedures and practices that are critical to ensuring those first moments lead to a solution and not to more problems. Thorough training involves understanding the following elements.
WHO ARE THE THREAT ACTORS?

Understanding how to respond to an incident starts by understanding the nature of threat actors and how they operate. The most common threat actors are APT groups or cyber gangs. These are coalitions of hackers whose primary motivation is financial gain. They will steal what they can sell, such as privileged corporate account credentials and personally identifiable information. They might attempt to defraud you through phishing, compromise the mailboxes of corporate users, use ransomware or attempt to trick you into paying fake invoices, or by some other means.

Insider threats are perhaps the next most common type of threat actor. However, not all insider attacks are malicious. Many data losses caused by insiders are the result of errors rather than a specific desire to cause trouble. Hacktivists typically carry out attacks to further some sort of political agenda, while state-sponsored threat actors are looking to further the national interests of their country of origin.

Incident response starts with preparation and ensuring that the organisation has up-to-date incident response plans and playbooks in place. Regularly performing tabletop exercises is also a very useful activity to ensure that incident response plans and playbooks are constantly updated to cater to the latest threats.

While it can be tempting to try to jump to attribution when an attack has occurred, this shouldn’t be your priority. Frameworks prepared by experts from NIST, SANS and others place incident identification and containment as higher priorities. That means it’s critical to understand the tools and methods used by attackers. Threat actors use technical tools and social engineering to infiltrate systems, gain intelligence and execute their malicious actions. By investing time into understanding these tools and methods, it’s possible to radically improve the way you respond to incidents. For example, while phishing scams are well known, understanding what happens after the email is opened is critical. That means

32 | Australian Cyber Security Magazine