In 1871 Field Marshal Moltke, Chief of Staff of the Prussian Army, wrote an essay entitled Ueber Strategie
(“On Strategy”) as part of a broader work on military strategy and command. In it Moltke wrote, “One cannot be sure that any operational plan
will survive the first encounter with the main body of the enemy.” Moltke’s observation has since been cited in many forms,
but it is usually reduced to “no plan survives first contact.”
A more recent and more succinct version of Moltke’s warning came from the well-known pugilist and
philosopher Mike Tyson, who stated,
“everyone has a plan until they get punched in the face!” When it comes to responding to a cybersecurity
attack, you can choose to embrace Moltke or Tyson, but the axiom often holds
Today’s cyberattacks range from covert data breaches to fast-moving attacks that are extremely violent and
dynamic. Unfortunately, most incident response plans (IRPs) are deep on academics but fall short of practical
application against the current threat landscape. Most IRPs share four weaknesses
that prove Moltke and Tyson right.
IT Centric – Most IRPs are IT centric in that they focus on the IT response and not the overall response.
This creates a challenge for the organization as a whole when an attack
occurs: the IT organization is focused on response, but the rest of the
organization is often uninformed and, more importantly, not able to help support
Burdensome – We find that many IRPs are overcomplicated and become a
burden to the response. This is usually a consequence of the original design approach.
Teams often employ traditional planning or project management methods. These methods may work well for IT or
corporate projects, but when it comes to doing battle and recovering afterwards,
they produce approaches that are not fluid, not dynamic and not designed to
deal with highly chaotic situations.
Not Reflective of Current Threats – This is one of the most
serious shortcomings we find in traditional IRPs. The plans themselves are
typically outdated the moment they are published. Even plans with strong governance
models are rarely capable of dealing with current or evolving
threats such as fast-moving attacks, K2K attacks or prolonged operations.
Focused on Cleanup – Most IRPs focus on what to do after the attack
and not on how to deal with an attack in progress.
Unfortunately, this creates an “acceptance” mentality that compounds the
effect of the attack and often leads to higher recovery costs.
After spending a considerable amount of time researching these and other challenges common to ineffective
cybersecurity incident response programs, we identified the components that an effective IRP requires. Interestingly,
we found that the best means of dealing with a cyberattack did not come from
the cybersecurity industry itself. The best tactics, techniques and procedures (TTPs) come from military
special operations (U.S. Navy SEALs, Army Delta Force, Air Force Pararescue) and
the world of trauma medicine, specifically the practices pioneered by Dr.
Cowley and the Maryland Shock Trauma Center.
These organizations embody TTPs that must always be relevant, dynamic and optimized for rapid
response in highly stressful and chaotic situations, the same conditions a
cyberattack creates. Their reliance on protocols,
standing orders, immediate action drills, ultimate authority, coordinated care and
rapid response each hold lessons for cybersecurity that
dramatically change the odds in favor of the responder. Although Sensato has developed a first-of-its-kind
cybersecurity incident response platform based on these principles, you
can apply many of these lessons to your own program.
Learn More about Sensato-TIRP by contacting us or read more about our Elite Training here.
Designed to Evolve
Ensure that your program is designed to evolve as
cybersecurity attacks evolve. This is
not just an acknowledgement that the program should evolve; it means you have designed
components of the program specifically to keep it evolving and highly dynamic.
Protocols & Standing Orders
Protocols are not policy; they are designed to allow the clear
and rapid deployment of tactics. Your
program must minimize policy and increase its reliance on protocols and standing orders.
Immediate Action Drills
The sheer speed and violence of a cyberattack mean
you must react instantly. Effective
countermeasures, fallback positions and response actions are critical to containment
and to minimizing damage. Immediate
Action Drills (IADs) are a key tool that you need to incorporate and exercise as
part of your IRP.
Intelligence Driven Response
Intelligence is critical to decision making,
escalation, recommendations and prediction.
Many organizations do not understand the difference between information
and intelligence, or how to apply intelligence. It is critical that you have, or rely upon, a true
threat intelligence program and make it the foundation of your IRP.
Any IRP that takes weeks or months to deploy is by
nature not going to be effective. Your
IRP needs to deliver immediate value and be deployable in days.
Tools & Tactics
Your program should be tactical and not strategic. Be clear about how you will employ tactics
and what tools you will embrace and utilize.
Not Just Academics
Although you should understand the theory, you need
to test your assumptions and plans often.
Performing IADs, running tabletop simulations and visiting a cyber range (like the
Sensato Cyber Range) are critical to proving that your plan can withstand
real attacks and to demonstrating a clear return on investment.
Lightweight & Holistic
Your IRP must be easy to embrace, or it will fail when it is most
needed. Make sure you design a program
that is lightweight and flexible. You
also need to consider the holistic nature of a response and ensure that it is
not just about the IT organization. A
cyberattack affects all areas of an organization and can even create PTS
challenges for the people involved. How will your plan deal
with this new age of response?
Many believe that Moltke and
Tyson were saying that no plan is ever viable given the violence of an
attack. That is a rather uninformed
reading of what they were saying. If you dig deeper you will find that Moltke and Tyson were both
warning that our goal should be to prepare plans that can withstand the chaos,
velocity and dynamic nature of an attack, so that despite the enemy’s best efforts we have the tools, training and
tactics that allow us to keep fighting back and responding. Programs such as Sensato-TIRP and the
approaches it fosters are specifically designed to go well beyond surviving
first contact. Given that the average
attack against an organization can be conducted in minutes and the violence of
attacks is increasing, it is critical that you modernize your approach. Hopefully, in some small way, this article has
provided you with new ways to consider how you think about cybersecurity