Ready for the Next Nightmare: The Art of Incident Response

| Daniel Hoffman
Daniel Hoffman
Former CIA Chief of Station

During multiple war zone tours of duty in the Middle East and South Asia, I learned firsthand how timely and effective incident response entails real time insight, color, and context for the analyst. Incident response should enable the analyst more efficiently to mitigate the damage from an attack, as well as track, take preemptive measures, and correlate learning from attempted attacks. This intelligence collection and analysis – the synergy of people, process, and technology – is the essence of both counterterrorism and cybersecurity.

In December 2015, while I was serving overseas in South Asia, terrorists targeted the Inland Regional Center in San Bernardino, California. They killed 14 people, wounded 22 more, and fled in a rented vehicle before being killed in a shootout with police. The U.S. military as well as state and local law enforcement are exceptionally effective at taking preemptive action based on intelligence reporting against foreign and domestic terrorists; however, as the San Bernardino incident and other recent terrorist attacks in the United Kingdom demonstrate, a perfect success rate against attackers is simply not possible. The most timely and effective incident response capability is more critical now than ever before.

When I served at CIA, being in the incident response phase – or “to the right of boom” – of a counterterrorism operation meant we had not collected enough of the disparate intelligence, or perhaps did not analyze it properly, to mitigate more quickly, if not prevent, an attack. In most cases, terrorists, much like hackers, conduct reconnaissance of a target before mounting an attack. Failing to detect this reconnaissance and analyze it to learn about the nature of the threat, allows the attacker to generate the element of surprise and benefit from dormant infiltration for their nefarious mission.

U.S. national security often depends on conducting immediate, all-source forensics and incident response following a successful terrorist attack. Likewise, security of an enterprise’s infrastructure in which intellectual property and sensitive data is entrusted, can be greatly enhanced with a robust, integrated incident response capability.

Cyber savvy enterprises across the globe rightly focus on prevention and detection in the “left of boom” pre-attack phase. They harden defenses with a multitude of tools including, for example, by reducing vulnerable attack space with secure routers and servers, using firewalls, rigorously applying both patches and back-up protocols, and encrypting data both at rest and in motion. Beyond meeting the IT challenge, a security-conscious CIO or CISO will also mitigate damage from what FBI Assistant Director Donald Freese calls the “skin behind the keyboard” – insider threats from both unwitting employees and malicious personnel with ill intent.

Cyber adversaries are adaptive, intelligent, and will continue to evolve their tactics. Similar to terrorists, they have motivations that include destruction, theft, and monetary gain – all of which are beyond machine language.

Organizations should assume they will be successfully hacked and therefore make preparations for such a scenario. In the words of the former Director of the CIA and NSA, General Michael Hayden, cyber defense is about “defense in depth, situational awareness, response, recovery, and resiliency.”

The most effective incident response platform – a tool programmed to enable a systemic and automated response to breaches when they occur – includes Hayden’s five elements of cyber defense and a dynamic accounting of all past and current breaches. With a customized dashboard, organizations can effectively integrate the evolving event with previously identified data. This could address key questions, including how long it would take to detect infiltration and mitigate the threat by responding to the breach.

Incident response is a four-step process. First, the response platform “ingests” the threat with a security incident management tool. Second, using a security module, the platform “escalates” the notification by automatically characterizing the incident, assessing the threat, and directing the response. Third, the platform manages the response by creating additional notifications, while complying with legal requirements related to any data loss that might have occurred. Fourth, the platform adheres to privacy notification laws and manages both internal triage as well as notifying those who were breached.

Cybersecurity breaches involve not only analysts and their leadership, but can also impact the enterprise writ large. The platform should allow for multiple actions, which encompass privacy teams, lines of operation, and all users whom the breach might have targeted.

An effective platform reduces response time and enrichment notification to seconds and serves as an analytic tool that enables the most effective and efficient executive decisions. The platform should be a single command and control center, which provides immediate updates on cybersecurity posture, including historical statistics on previous indicators of compromise. The platform should also integrate all existing security protocols with intelligence reporting when possible, which enables an adaptive response to threats.

Ideally, the platform should ensure basic triage steps are immediately taken even before an analyst becomes directly involved. It should showcase significant ability to adapt, in real time, based on nuances gleaned from existing invested technologies, which cater specific response playbooks unique to that event.

Beyond an automated machine-to-machine linear response, the best incident response platform creates the clearest situational awareness so that an analyst can make the best executive decisions. The process is dynamic and inductive. As they collect, collate, and analyze more information, enterprises will enhance their incident response capability. Of great importance is highlighting areas of vulnerability associated with individuals and the network on which the enterprise can focus its defense and mitigation strategies.

Cybersecurity is based on detecting, monitoring, and responding to events on an individual computer and the network on which it operates. An incident response platform with the capability of instantaneously and automatically sifting through the large volumes of data where malware and other threats reside is a critical piece of security infrastructure necessary to protect the cyberspace on which commercial success so deeply relies.

The Author is Daniel Hoffman

Daniel Hoffman is a former Chief of Station with the Central Intelligence Agency. His combined 30 years of distinguished government service included high-level positions not only within the CIA, but also with the U.S. military, U.S. Department of State, and U.S. Department of Commerce. Assignments included tours of duty in the former Soviet Union, Europe, and war zones in both the Middle East and South Asia. During this time, Hoffman developed substantive expertise on geopolitical and... Read More

Learn more about The Cipher Brief's Network here.

CLICK TO ADD YOUR POINT OF VIEW