It wasn't raining when Noah built the ark

Craig Billado, Forensic Analyst, Coalfire Labs

This month movie-goers around the world will flock (possibly two-by-two) to see Darren Aronofsky’s ‘Noah’—a silver-screen adaptation of the timeless biblical story, starring Russell Crowe and Jennifer Connelly.  Whether one interprets the flood narrative literally or figuratively, this fact remains:  the time to prepare for disaster is not after the fact but beforehand. This is true whether the calamity is divine or human in origin.
When it comes to cyber-attacks, most companies are woefully unprepared.  Some mistakenly think that meeting a regulatory requirement means that they are ipso facto secure.  Others realize that audit and compliance are just the beginning and, as such, invest significant resources in IT security solutions and services.  Yet even this does not make an organization impervious to attack.  Target is a perfect example, having spent $1.6 million specifically on a malware detection tool only to be ravaged by malware six months later at the height of the holiday shopping season.
Why is it that so many fare badly when disaster strikes?  In our experience it’s because so few prepare for the successful attack on their environment—the one that gets through in spite of (or in lieu of) robust defensive measures.
If recent history has taught us anything about IT security, it’s that no system or network is impenetrable.  Regardless of the security investment, unwanted visitors with sufficient skill, motivation, and time manage to get in, and previously confidential information manages to get out.  In light of this tragic reality, organizations cannot focus exclusively on perimeter security and intrusion prevention.  They must prepare for successful attacks.  Key parts of the business (IT staff, human resources, legal, etc.) must know when to get involved and what to do during a computer security incident.  Appropriate staff members need to assume the roles of incident manager and incident responder.  They must tread lightly on affected systems, preserving as much digital evidence as possible.  This doesn’t happen automatically, and especially not in the throes of a crisis; it must be planned ahead of time.  Otherwise the company will likely be swept away in the torrent of chaos, monetary loss, and unflattering media coverage.
The proverbial ‘ark’ in this scenario is the Computer Security Incident Response Plan, or CSIRP.  The CSIRP establishes goals and priorities for the organization during a security incident.  It defines various types of incidents, assigning severity levels that help determine the appropriate response.  Members of the incident response team are identified, as are specific roles needed before, during, and after an incident.  Proper channels of authority are designated for critical decisions (e.g., whether or not to sever a WAN connection, initiate database recovery procedures, notify law enforcement, unplug power to a web server, etc.).  Having this chain of command often spells the difference between decisive action and paralysis during an incident.  The CSIRP also explains when an organization’s human resources and/or legal counsel should get involved.
Of course merely having a plan is not enough.  It must be tested on a regular basis using realistic scenarios that involve every team member.  Coalfire recommends both table-top exercises and red team/blue team drills to test the effectiveness of the CSIRP.  These should conclude with an after-action review that enumerates what went well, what could have gone better, and what will be done differently next time, with the CSIRP updated accordingly.
When an organization takes the likelihood of a successful attack seriously, it actually reduces the impact of the attack when it occurs.  And as for punishing the wicked, we’ll leave that to the authorities (human and divine).
