Pages

1 May 2019

Security Think Tank: Surviving the existential cyber punch part 2

Gregory Touhill

Good CISOs know that the dreaded day when they and their organisations are confronted with a potential existential attack is just around the corner. The great ones know that day may be today and are prepared to ensure they and their organisation can take that cyber punch and keep going.

I am often asked what is the first thing a CISO should do when alerted to a hostile attack or other significant cyber incident. My answer is always the same: “Don’t panic!”

Too often, CISOs and the organisations they support exhibit what I call a “sense of fear and panic” when confronted with a potentially existential attack or incident. Many ignore existing playbooks, policies, procedures and checklists and revert to a panic-driven, knee-jerk response.

I have observed some who tried to do everything all at once, stressing their staff, confusing their organisation, destroying evidence and losing control of the confident and disciplined incident response effort they are expected to lead.


I learned in the military that troops look for competent, strong and confident leaders to take charge in times of crisis. The great CISOs prepare to rise to the occasion and focus themselves and their organisation to respond effectively, efficiently and deliberately to survive any cyber attack or incident.

General Colin Powell is famous for having said: “The first report is always inaccurate.”

You may be notified of an attack or incident through a variety of sources. The report may come from automated systems, such as an alert from your security information and event management(Siem) system. It may be a notification from a government authority. It may come from a third-party partner who has discovered suspect information emanating from your system or whose own network has been compromised, thereby affecting you as well. It may also come from your staff, who have discovered systems, processes or activities acting outside of normal parameters.

Realising that the first report may be inaccurate helps you to focus on deliberately maintaining control as you and your team verify the accuracy of the report and determine the next steps.

After receiving that initial report of a potentially hostile attack or significant cyber incident, I recommend you immediately alert your boss. No supervisor wants to be surprised and bad news doesn’t get better with time.

When confronted by a potential cyber attack or significant cyber incident, give your boss a heads-up on the situation, how you were alerted, what the possible implications are, what your next steps are, and what you need your boss to do, as well as what you do not want them to do.

Be sensitive that adversaries may be monitoring email and communications channels to gauge the effectiveness of their attack. While face-to-face communications are always best, make sure that your boss is promptly apprised of the situation.

Mature organisations invest to develop and exercise cyber playbooks that identify alert thresholds and reporting requirements. Great organisations include convening what I refer to as the “cyber war council” to address hostile attacks and significant cyber incidents.

In the military, war councils are meetings of senior leaders in the midst of battle or combat operation to decide on a course of action. Your cyber war council ought to include your senior leaders, such as the CEO, COO, CFO, CIO and CISO.

Read more from Computer Weekly’s Security Think Tank about how to survive a cyber attack that could potentially destroy a business

Your cyber war council should exercise at least twice a year with realistic scenarios, so that leaders are familiar with what needs to be done during a cyber crisis.

Exercises help senior leaders understand the anticipated courses of action presented through organisational cyber playbooks. They should understand their own roles and how they are expected to contribute to the time-critical decision-making process that effective cyber incident response relies upon.

Ad-hoc or “just in time” cyber war councils are disastrous and invariably fall victim to “paralysis by analysis”, placing their organisations at extreme peril. A properly trained and exercised cyber war council is ready to quickly observe and understand the situation, properly orient the organisation to execute what needs to be done, decide on the best course of action, and act to execute that action with velocity and precision.

Fighter pilots claim that this process – the OODA Loop – is the key to success in high-speed dogfights. Cyber dogfights are faster. The OODA (Observe, Orient, Decide and Act) methodology can help your cyber war council guide your organisation to survive a potentially catastrophic attack or incident.

When you are under attack, there are significant decisions that the cyber war council needs to make, including answering questions such as: “What is our risk exposure?”, “Who needs to know about this and when do they need to know?”, “Do we have the right talent in place to address this situation or do we need to get help?”, “Should we bring an incident response specialist in to augment our team?”, “When or should we notify law enforcement officials?”, “When do we disclose the situation to the board of directors?” and “How do we message this to our board, our employees, our partners, and the public?”

Preparing the cyber war council in advance through focused cyber exercises assists them in asking the right questions and better prepares the staff to quickly, crisply and accurately present them with the information they need to make informed decisions.

When I lived in England, I heard it said that the Battle of Waterloo was won on the playing fields of Eton. A cyber attack could be your Waterloo. Only through preparation at all echelons of your organisation, including a cyber war council comprised of your seniors, can you Observe, Orient, Decide and Act with the velocity and precision to effectively respond to protect your brand, reputation and information.

No comments:

Post a Comment