Video: Cyber Incident Response Q1

Panic and Forensics: what are the common mistakes made in the heat of the moment, during the heat of the incident?

VIDEO TRANSCRIPT

Our first question, it's got the starting title of "Panic and Forensics", and the question is: what are the common mistakes made in the heat of the moment, during the heat of the incidents?

So we're going to start with George with this one.

Yeah, I guess the question sort of says it all: panic. The pressure of an incident often creates panic and often creates a lot of knee-jerk reactions, and I think organizations need to be careful to follow their incident response plans, hopefully they have one. I've been involved in many IR engagements with clients. Sometimes, even though I'm an internal resource, I get put into those, and I have in previous roles, where I was in sort of a consulting capacity, where the IT team have simply just unplugged the machine they thought was affected and reimaged it. What that does, as you know, sort of sounds pretty obvious now, but when no one's really quite thinking straight, that destroys any crucial evidence that may have been required to do a proper investigation. It also comes up, funnily enough, during simulations and tabletops, where the sort of reactions are like, "I'll just pull the plug out." And so a sophisticated adversary may have more than one entry point, you know, secondary accounts, remote access trojans, things like that, and by doing a proper IR and containment sort of process they may be alerted, and that can result in things like destructive behavior, which we have seen in some very well publicized incidents a few years back, I guess. So yeah, I guess that's probably the first couple of things that I can think of.

Fair enough. Mark?

Yeah, look, I think straight off the bat, when everyone wants to sort of get involved, everyone's keen, you get together the smartest and brightest people to sort of help you with what's going on. But as George said as well, one of the things that you've got to do is you don't forget your basics, like pull out your playbooks and just get them out, actually bring them out, print them out, they should be at hand, and just make sure that there's a guide and that you don't get caught up in the heat of the moment. One of the things that I'd seen, even through some of the simulations, is that people make a whole bunch of assumptions, and you need to lay the framework. So assign the roles again: who's going to be responsible for comms, who's going to be responsible for escalation, who is going to do the liaison, because there are timelines to consider as well, there's obligations to management, and so you can't have one person doing all that. You lay that out clearly: who's going to be taking notes, who's going to do all that. So getting those roles established again and clarified early on is an important step, also just to sort of make sure that everyone is coordinated and that we do execute, and that there are things in place, and that people know that people can be pulled again to make sure that they're executing their functions well.

Excellent, all right. Michael?

Yeah, the common mistakes in the heat of the moment, there's so many, but the two sort of main things that I often see when we're dealing with this with clients are assumptions and time frames. And certainly what Mark was saying there about assumptions, kind of expanding on that, I've seen some incidents where they've been like these Chicken Little moments, where the sky is falling and something really terrible is happening to our company, but then when the incident sort of unfolds you realize it was a nothing burger to begin with, and they kind of skip over the identification phase. So you get some people in the business who will sort of assume the worst, but conversely you'll have other incidents that don't seem so bad at the outset, and then all of a sudden you realize what the impact is to the business is much, much larger than people realize. And that notion of bringing people together in an incident often means you have technical people and non-technical people working in the same room together, and sometimes non-technical people will hear something and kind of go, "Oh, that sounds really bad," and then suddenly that gets communicated out to the rest of the business, and it can also happen the other way around. In terms of time frames, one of the biggest mistakes I see made is a gross underestimation of the restoration and recovery time that's involved to actually get out of an incident, actually responding to an incident. We see so many times where people go, "Oh, this will be over in a couple of weeks' time." No, we're talking weeks, months, maybe even more than a year and beyond that. So some of these really serious, critical cyber incidents that can happen to businesses are really serious and do take a lot of time to recover from.

Excellent. Jordan?

The key things from my experience are sort of around that: I know panic will set in, but take time to think. I know in the first instance it's going to be having your plan, so knowing that you have to follow identification, containment and eradication, and understanding those steps, is important in preparation, but not feeling like you're on your own and trying to make all these decisions yourself is probably something that you see a lot. Organizations spend the first couple of hours trying to discuss what they're going to do and how they should do it, when really that was a couple of hours lost, especially if you're dealing with ransomware attacks and advanced threats, in that it's time critical. So take time to think and plan things out, but also remember that you can ask for advice and respond. The other thing, as a mistake, is sort of looking at, so the technical consequences often get looked at first and not necessarily the business impact, which is probably going to have a far greater impact than just the IT incident. Knowing that beforehand is great, but in the heat of the moment, understanding the consequences of your containment strategy: pull the plug, yes, that may work, but pull the plug on an industrial control system that you don't have the manpower to manually control is a broader consideration. So having the right people in the room and making sure you've got the information available to you is something that I think would be key.