
Cover Feature Cyber Security

Snake bites and data breaches

By Elliot Dellys, Principal Analyst at Hivint, a Trustwave company

Why is treating a snake bite like responding to a data breach? It might sound like the beginning of a cheesy joke, but the two can have more in common than you might expect. First, each requires an initial triage that is generic to all incidents. For a snake bite you immobilise the patient, bandage the limb, and call an ambulance – little more can be done until the professionals have more information. The initial response to a breach or intrusion is equally predictable: engage key stakeholders, isolate the threat, and call the lawyers. For both, the subsequent remediation efforts become highly diverse once further detail is uncovered about the incident. With a snake bite, the crucial next step is to identify the species to determine the correct antivenom; attribution and remedy are unquestionably mutually beneficial. With a cybersecurity incident, determining the correct ‘antivenom’ is often not so clear. Do you dive deeper to determine the techniques, severity and persistence of the threat, or do you focus on damage control? Sometimes attribution is crucial; at other times it provides little more remediation value than entertaining curiosity. Assuming it is possible at all, of course – which is rarely a given from the outset.

The debatable value of attribution is well known among cyber first responders, as recounted in Kevin Mitnick’s book ‘The Art of Intrusion’: “They were scared out of their wits and wanted the hackers terminated — ‘Get them off the computers and shut all this off right now.’ Don was able to convince them it would be wiser to wait. ‘I said, “We don’t know how many places these guys have gotten into. We need to monitor them for a while and find out what the heck is going on and what they’ve done.”’”

Here another similarity between snake bites and breaches emerges – the importance of maintaining your cool for sound decision making. After a snake bite, resisting the temptation to run to the local doctor can stop the flow of toxins that might otherwise kill you. Following a breach, an elevated heart rate is just as likely to work against you. A hasty response to a live incident may alert an adversary that they’ve been sprung, causing them to cover their tracks or destroy vital data or infrastructure. The same can be true for preserving forensic evidence in our own actions, where shutting down a device or network may come at the expense of valuable log files.

Of course, keeping calm is easier said than done, and increased regulatory pressure has only intensified the need for organisations in Australia to be prepared for the worst. Cybersecurity managers know the value of a well-informed workforce – and much like treating a snake bite, education plays a crucial role in incident prevention, detection and response. A simple call to security can be the early warning system or the timely notification that makes the difference between an event and a catastrophe. Regular tabletop exercises play an equally critical role in ensuring what we put to paper is actually reflected in reality. Without tried-and-tested incident response plans and adequately trained and resourced staff, we condemn ourselves to the same fate as a snake victim who does not even feel the bite. After all, it is better to learn how to avoid the long grass than where to turn for antivenom.

32 | Australian Cyber Security Magazine


Australian Cyber Security Magazine, ISSUE 8, 2019  

Issue 8 of the Australian Cyber Security Magazine contains a broad set of cybersecurity articles, with the cover feature on Cyber Insurance....
