Common Mistakes in Incident Response


  • Jason Kunz (Husband | Speaker | Founder | Committed to Enhancing the Health of the Global Workforce)

    How NOT to Investigate. The 8 Most Common (Human) Error Traps. S/O Ben Hutchinson for the paper. Link below.

    Error #1: The WORST error is to think of a possible cause, then look for evidence to support it.

    There are two ways to solve problems, including finding the causes of incidents:
    1) Collect and consider all the relevant data, and if necessary, carry out some experiments.
    2) Think of a possible cause and then look for data that supports this cause and devise experiments to support it.

    Option #2 is not science. It can "prove" that any cause is the right one. Or, per Mark Twain: "It ain't what you don't know that gets you into trouble. It's what you know that ain't so." Ain't that the truth. In science and in safety.

    Error #2: Quoting "Human Error" as a cause.

    The "human error" adjective is unnecessary. ALL errors are human errors. Someone, a manager or supervisor, has to decide what to do. Someone, a designer, has to decide how to do it. Someone, an operator or maintainer, has to do it. All of them make errors. Additionally, system errors are euphemisms for management errors, as only managers can change systems. Investigators do not like to blame their bosses, so they blame systems or institutions rather than those who designed or tolerated the systems.

    Error #3: Blaming Individuals.

    As you've heard by now: You can blame and punish, or learn and improve. You can NOT do both.

    Error #4: Reporting that such an incident has never occurred before.

    Error #5: Keeping the report secret.

    My favorite (and most infuriating). There are 4 reasons we should publish incident reports: The 1st is moral. The 2nd is pragmatic. The 3rd is economic. The 4th is, when one suffers, we ALL suffer. "We are here to learn from each other what more we can do to prevent people being killed or seriously injured. That alone is reason enough to publish..."

    Error #6: Not realizing that the actions are the most important part of a report.

    The purpose of an investigation is to recommend what should be done to prevent it happening again. Partially, yes, partially NO. The purpose of an investigation is to LEARN. The purpose of corrective actions is to FIX. BUT... if the recommendations are not clear, the knowledge for which the company has paid a high price, in human suffering and $$$, is WASTED.

    Error #7: Saying that the recent incident will never happen again.

    Major incidents are often repeated in the same company every ~10 years. Why? Most of the staff have moved on. No one remembers the incident or why certain equipment or procedures were introduced. Someone keen to improve efficiency removes said equipment or procedure. Major incident happens. AGAIN. NEVER remove equipment or change a procedure unless you know why they are there.

    Error #8: Interviewing witnesses in the main office.

    Common sense? Well, common sense sure ain't common practice. Where is YOUR company conducting your investigations?

  • Dr. Mike Saylor (CEO - Blackswan Cybersecurity | Professor - Cybersecurity & DFIR)

    Post-Incident Reflections

    I am an Incident Response (IR) Lead at Blackswan Cybersecurity & we help companies deal with their worst cyber day pretty often. An IR Lead has the responsibility of not only bringing the technical expertise but also the humanity to help with an emotional, stressful, and sometimes heated political situation. You must be capable of observing the environment for influences and conflicts, personalities, leadership.... and the crazy.

    Some people are overwhelmed by emotions & resistant to advice, focusing more on sharing their misery or projecting blame rather than seeking resolution. If they truly want to recover, they need to get out of the way & be a C or I on the RACI chart. If they insist on being in the middle of it, excuse yourself; it's not worth the mental or legal liability. In all other situations, the IR Lead must collaborate in setting expectations & the Rules of Engagement.

    The Fire Department may ask a few questions when they show for your house fire, like: is anyone inside, how did it start, any explosives? They direct the homeowner to get out of the way & begin employing their expertise to contain & eradicate the fire. If the homeowner interferes, the experts' effectiveness is diminished proportionately (time, impact, loss). Cyber IR is very similar. The experts are here to help, but most importantly to provide their objective experiences from various other incidents where things did & didn't work, prioritization of activities, known tactics, & known mitigations.

    Cutting to the chase - if an organization engages an IR Team (IRT), they must listen to the advice and direction provided by those who are battle-worn and covered in trench dirt. If they don't, the IRT's effectiveness in putting out the fire is diminished, and in the worst case - the IRT may leave them alone, in the fire, in the dark.

    What prompted me to consume a few minutes of your day?
    - Reflections from recent IRs where advice and direction regarding Backups, Assets, Remote Access, & Privileged Accounts weren't followed.

    So many of the Incidents we've worked could have been quickly addressed with good, secure, trusted, and available backups. And if your ransomware IR Lead suggests that you power off your critical servers and your online backups - Do it - Do it now. Time & again we hear "we got this", "they are secure", followed by "yeah, they are hosed".

    The other topic I'd like to stress is "Know Thy Self". If you don't know the value, criticality, purpose, or owner of systems in your environment during an IR, there will be a pause in dealing with it. Create and maintain an inventory of all your assets, ideally to include a baseline of applications and services so you can quickly determine anomalies.

    Third - Restrict & inventory remote access, turn it off until needed, and require MFA.

    Lastly, ensure you know who has privileged access to your applications, hosts, and networks.

    Reach out if you'd like to discuss further.

  • Alex W. (DFIR Executive | Ransom Negotiator | Threat Hunter | Strategic Advisor | Speaker)

    "Addressing the 10 Most Common Flaws in Cyber Incident Response Plans"

    After almost 10 months of hard work, incredible interviews with industry pros, hours of recording with the amazing Jeff Edwards (it was a lot of fun!!), having the #FBI #DHS and #LocalLawEnforcement join a recording with Matt Lee (episode 8 if you haven't been following), endless writing & rewriting to make sure it all made sense, and most importantly diving deep into what really goes wrong during cyber incidents, I'm thrilled to announce the release of my latest whitepaper.

    Let's face it: cyber incidents aren't an if anymore, they're a when. And while many organizations have #IncidentResponsePlans, flaws in those plans are what can turn a manageable situation into a full-blown crisis.

    In this #whitepaper, I break down:
    - #TheTop10MostCommonIRPlanFlaws (yep, I've observed them all).
    - Insights from security experts, legal pros, and cybersecurity leaders.
    - Actionable steps you can take to fix those gaps before you need them most.

    From "Failing to Plan" to "Ineffective Plan Execution," I've tried to cover every detail to help businesses of all sizes fortify their incident response strategies.

    Why should you care? Because cyber resilience is your lifeline, and your IR plan should be bulletproof.

    Special shoutout to the SafeHouse Initiative, Jeff Edwards, Alan Gin, & David Lewis for the incredible opportunity to share this through your program; what an amazing experience! If you haven't tuned in yet, you need to.

    Massive thanks to: Ken Fishkin, Frank Angiolelli, Israel Bryski, Aaron Goldstein, Randy Pargman, Stu Panensky, John S., Matt Lee, Paul Caron, & Mike Wilkes for sharing your insights with me and the Safehouse Community.

    Don't wait for the next incident; download the whitepaper now and make sure you're ahead of the game! Download here (link below).

    #cybersecurity #incidentresponse #cyberresilience #infosec #cyberthreats #IRplanning #cyberattack #security #responseplans #Cybercrisis #ransomware #malware #bec #phishing
