Mouse Problems & Incident Response

“Oh, no.”

When something happens to our online privacy or security, something involving our personal and/or professional technology, it impacts something larger than ourselves. When we click on a link we shouldn’t have (and eventually we will click on a link or even just visit a website we shouldn’t have), or perhaps we’ve given out some information a modern-day criminal is going to use against us, or one of our accounts has been compromised and used against us, anything like that puts ourselves and also our families, friends, clients, and others at greater risk than before.

While some risks are preventable, some aren’t. We accept some risks, and when those are exploited, that’s where Incident Response (or IR) is important: to contain, mitigate, and remediate those scenarios quickly and minimize the damage to ourselves and our orbit of family, friends, clients, and larger habitat.

IR is important and too often overlooked. It’s important because the criminals who originally messed with us may or may not continue to a point that actually ruins our life, and they buy/sell/trade us with other criminals because now we’re an easier target: worth more on the dark markets and, depending on who we are and how easy it is to take advantage of us, attractive to a diverse audience of criminals who prefer (and will pay $$$ for) low-hanging fruit.

We can totally ignore it, choose to live in denial, wishing it away. Until it catches up with us (and it will), it will cause avoidable stress. We can improve our resilience to these incidents and move on with confidence.

Let’s talk about the emotional impact for a moment.

When these things happen to us (and they eventually happen to all of us), one of the biggest casualties is our confidence in ourselves. There’s a grieving process. We feel like we’ve let ourselves down when we fall for social engineering attacks, and it takes some time to get past our feelings of incompetence. Anything we can do to reclaim the sense of our best self is crucial after such an incident. Leaving it unresolved often leads to larger emotional challenges. But you don’t have to take my word for it. These are personal experiences and affect everyone in their own, unique way.

IR requires fast, friendly, and actionable guidance. I’m writing this post to help inform more of us about these situations that are sadly becoming more common, which is why it’s important to be aware of them so we can reduce our odds of having to deal with them in the first place.

First thing’s first.

When we’re victims of identity theft, it affects our community of families, friends, and clients; a much broader scope of risk is added to the entire habitat. When responding to an incident, it’s important to have some specific priorities in mind, and these aren’t always self-evident to victims. It makes sense: who here hasn’t experienced breach syndrome, weary from bad news in the world?

Plus, it seems natural to want to return our default-setting back to ‘normal’ as quickly as we can.

However, there are steps involved in cleaning up an identity theft, a wire fraud, a ransomware attack, etc., and those steps require some time and attention. Basic protocols, follow-ups, and tweaks after a compromise can take weeks at best, months or sometimes longer at worst.

First thing’s first: the goal is to answer 3 questions:

  1. What happened? (containment)
  2. How can the person or organization deal with the incident? (mitigation)
  3. How do we prevent it from happening again? (remediation)

The Mouse Problem

A “mouse problem” is a decent analogy for a situation like this. Like criminals, mice get into places and cause damage. No one likes knowing of such a presence in their home or office. It can be unnerving.

Hiring an IR team for guidance through a scenario isn’t totally unlike hiring an exterminator to get rid of your mouse problem. We’ll first want to figure out how mice got into your oven, for example, remove them, and then figure out a way to prevent them from getting back into the oven.

First, we’re going to focus on the mice in your oven. We may or may not find them during the initial investigation, but we definitely aren’t going to look for carpenter ants in the attic, wasps in the garage, or mold in the basement.

When you hire an IR team to contain and mitigate a social engineering attack, for example, they’re going to focus on that (the mice in your oven, in this case). As the team begins their work, they may or may not discover other attacks that occurred previously (other signs of mice) but they may not discover malware embedded elsewhere (the carpenter ants in your attic or the mold in your basement).

Why? Why can’t an IR team just “find everything”? Because time. IR teams only get so much time to spend on discovery and mitigation, and they are typically paid for very limited hours up front. To make the most of that time, IR teams focus on specific incidents, one at a time.

Threat Hunts vs. Threat Assessments

IR is generally a targeted Threat Hunt, seeking a particular type of compromise, like mice in the oven. A Threat Assessment goes deeper, seeking mice and/or other critters and potential threats everywhere (mice and everything else), which means it also requires more time, more resources, and more expertise.

You can hire an exterminator to find signs of mice anywhere in your house. That’s a Threat Hunt: a specific process with a specific purpose, using specific but limited tools to verify that you have mice now and/or had them in the past.

If you want the exterminator to look around for signs of other unwelcome elements (carpenter ants, termites, or wasps, for example), then that’s a Threat Assessment. In those cases, teams require more time to focus on all the indicators by all the critters rather than specific indicators of a single critter.

The information gathered by each approach overlaps but differs in scope. A targeted Threat Hunt generates a lot of information that can inform a remediation strategy against a single, specific threat. A Threat Assessment, on the other hand, generates more information in greater detail, to eliminate or minimize a broad scope of threats.

The timeline to complete a targeted Threat Hunt can be days or weeks.

The timeline to complete and remediate a Threat Assessment can be weeks, months or even years, depending on the level of complexity and what’s discovered.

Here are three questions to help determine what your needs are:

  1. Have you experienced a concerning security incident? (mice in your oven) If “Yes,” then you need an IR team to conduct a Threat Hunt.
  2. Are you concerned about a specific event? (mice in your house) If “Yes,” then a Threat Hunt is worthwhile, and it also requires less time and fewer tools.
  3. Do you want to look for threats or potential threats in your home or organization? (carpenter ants, termites, wasps, mold, etc., anywhere) If “Yes,” then that’s a Threat Assessment, which requires more time, resources, and expertise.

How we answer determines what type of engagement we need.

Hey, thanks for reading (if you read this far).

Next Steps To Protect You & Yours

What if you want to confirm there aren’t any other potential threats or vulnerabilities on your device(s) or network(s)? What if you want to take it a step further, understand your threat model, and eliminate preventable risks and losses to yourself and/or your organization? For that, I created an advanced Threat Assessment: the Resilience Diagnostic.

The Resilience Diagnostic (RD) takes Threat Assessments a step further to define preventable risks and threat models for individuals and organizations. The RD delivers insights you can use to make important decisions about your operational resilience ahead of a broad spectrum of unplanned events that would otherwise compromise your productivity, reputation, and bottom line. Use the contact info to get in touch.

Protect what you’ve built from preventable losses caused by human error, global events like pandemics, social-engineering attacks, wire fraud, and the new crime era.