In 1871 Field Marshal Moltke, Chief of Staff for the Prussian Army, wrote an essay entitled Ueber Strategie (“On Strategy”) as part of a broader work on military strategy and command. In his essay Moltke wrote “One cannot be sure that any operational plan will survive the first encounter with the main body of the enemy.” Since then, Moltke’s work has been referenced in many ways, but ultimately it comes down to “no plan survives first contact.”
A modern and more succinct version of Moltke’s warning was put forth by the well-known pugilist and philosopher Mike Tyson. Tyson stated, “everyone has a plan until they get punched in the face!” When it comes to responding to a cybersecurity attack, you can choose to embrace Moltke or Tyson, but the axiom often holds true.
Today’s cyberattacks can range from covert data breaches to fast moving attacks that are extremely violent and dynamic. Unfortunately, most incident response plans (“IRP”) are deep on academics but fall short of practical application when it comes to the current threat landscape. Often, most IRP have four common elements that lead to Moltke and Tyson being right.
IT Centric – Most IRP are IT centric in that they focus on the IT response and not the overall response. This creates a challenge for the overall organization when an attack occurs in that the IT organization is focus on response, but the rest of the organization is often uninformed and more importantly not able to help support the response.
Burdensome– We find that many IRP are over complicated and become a burden to the response. This often is due to the original design approach. Teams often employ traditional planning or project management methods. These methods may work well for IT or corporate projects, but when it comes to doing battle and recovery efforts, these methods lead to approaches that are not fluid, dynamic or designed to deal with highly chaotic situations.
Not Reflective of Current Threats – This is one of the most critical negatives we find with traditional IRP. The plans themselves are typically outdated the moment they are published. Even with plans that have strong governance models, we find that they are not capable of dealing with current or evolving threats such as fast-moving attacks, K2K attacks or prolonged operations.
Focused on Cleanup – Most IRP focus on what to do after the attack and not how to deal with an attack in progress. Unfortunately, this creates an “acceptance” mentality that compounds the affect of the attack and often leads to higher costs of recovery.
After spending a considerable amount of time researching these and other challenges common to ineffective cybersecurity incident response programs, we identified components that are required for effective IRP. Interestingly we found that the best means of dealing with a cyberattack did not come from the cybersecurity industry itself. We found that the best tactics, techniques and procedures (TTP) come from military special operations (U.S Navy SEALs, Army Delta Force, Air Force Pararescue) and the world of trauma medicine, specifically the practices pioneered by Doctor Cowley and Maryland Shock Trauma Center.
These types of organizations embody TTP that must always be relevant, dynamic and optimized for rapid response in highly stressful and chaotic situations. Many of the same traits we see exhibited by a cyber-attack. The reliance on protocols, standing orders, immediate action drills, ultimate authority, coordinated care, rapid response each have lessons for the world of cybersecurity that dramatically changes the odds in the favor of the one responding. Although Sensato has developed a first of its kind cybersecurity incident response platform based on these principles, you can apply many of these lessons to your own program.
Learn More about Sensato-TIRP by contacting us or read more about our Elite Training here.
Designed to Evolve
Assure that your program is designed to evolve as cybersecurity attacks evolve. This is not just an acknowledgement that the program should evolve but that you have designed components of the program to assure it evolves and is highly dynamic.
Protocols & Standing Orders
Protocols are not policy, they are designed to allow for the clear and rapid deployment of tactics. Your program must minimize policy and increase the reliance on protocols and standing orders.
Immediate Action Drills
The sheer speed and violence of a cyber-attack means you must react instantly. Effective countermeasures, fall back positions and response are critical to containment and minimizing damage. Immediate Action Drills (IAD) are key tool that you need to incorporate and utilize as part of your IRP.
Intelligence Driven Response
Intelligence is critical to decision making, escalation, recommendations and prediction. Many organizations do not understand the difference between information and intelligence, or how to apply intelligence. Assuring you have or rely upon a true threat intelligence program that is the foundation of your IRP is critical.
Any IRP that takes weeks or months to deploy is by nature not going to be effective. Your IRP needs to have immediate value and be able to be deployed in days.
Tools & Tactics
Your program should be tactical and not strategic. Be clear about how you will employ tactics and what tools you will embrace and utilize.
Not Just Academics
Although you should understand the theory, you need to test your assumptions and plans often. Performing IAD, tabletop simulations, visiting a cyber-range (like the Sensato Cyber Range) are critical to proving that your plan can withstand real attacks and provide a clear return on investment.
Lightweight & Holistic
Your IRP must be easy to embrace, or it will fail when most needed. Make sure you design a program that is lightweight and flexible. You also need to consider the holistic nature of a response and assure that it is not just about the IT organization. A cyber attack affects all areas of an organization and can even create PTS challenges. How will your plan deal with this new age of response?
Many believe that Moltke and Tyson were stating that no plan is ever viable given the violence of an attack. But, that is a rather uninformed view of what they were stating. The reality is that if you dig deeper you will find that Moltke and Tyson were both warning that our goal should be to prepare plans that can withstand the chaos, velocity and dynamic nature of an attack. That despite the enemy’s best efforts we have tools, training and tactics that allow us to keep fighting back and responding. Programs such as Sensato-TIRP and the approaches it fosters are specifically designed to go well beyond surviving first contact. Given that the average attack against an organization can be conducted in minutes and the violence of attacks is increasing, it is critical that you modernize your approach. Hopefully in some small way this article has provided you with new ways to consider how you think about cybersecurity incident response.