Incident Response

Network Security School of Fort Knox: Part 6

Part Six: Incident Response

A common thread running through the history of security breaches is inadequate procedure. In any security operation, having the right procedure in place often makes the difference between success and failure.

Blessed Flowcharts

I am known as something of a flowchart nut. I spent years using them when I fixed fighter aircraft and later created them to teach incident response and business processes. Most people dismiss flowcharts as a waste of time because the steps they contain look like common sense. What drawing one often reveals, however, is that the process actually in place lacks the common sense we only capture when we take the time to document it.

Many network security operations fail because, once they detect an issue, they are forced to invent a process at the same moment they are working through a difficult situation. At Fort Knox, they train for incident response scenarios ranging from military invasion to ambitious gate climbers. Network administrators who want to thwart attacks as well as Fort Knox does need to spend time creating incident response processes for even the least likely scenarios.

Processes in Pencil

Once a process is in place, it is time for the devil’s advocates in the organization to begin asking the “what do we do if…?” questions. As we learned in the last installment of this blog series, the most insidious attackers have time on their side to gather reconnaissance on your processes and infrastructure and to make adjustments. This means that a key to winning the battle for your network is gathering intelligence on possible attacks and adjusting your processes to handle them.

Wildcards Are Dangerous

The most dangerous attacks are the ones that present an unfamiliar situation. Elite attackers will avoid presenting scenarios that are drilled against. This means that the most dangerous attacks are not the ones that make the dogs bark; they are the ones that make the eyebrows raise. Wildcard threats on the network must be given the highest priority until the threat can be fully categorized. In network security, few philosophies cause more harm than “it must just be an anomaly.” Assume it is deadly, and have a process for handling all unknown activity until the mystery is resolved.

Protect Against Off Days (and Laziness)

The worst attacks come on off days. Elite hackers will know when the alpha operator is on vacation and target the substitute. As with the great military attacks of the past, they often happen in the fog and darkness of night. Even the best network security analysts have a bad day, and the system needs to be built with that in mind.

Logging and reporting of security process events are critical for keeping bombs from going off. A flowchart on the wall does not enforce the execution of the process it represents. There need to be audit trails, sharing with other concerned parties, and a quality assurance (compliance enforcement) process in place. Without policy review, the best analysts become lazy and the best intelligence-gathering infrastructure becomes impotent. If an operator can hit the snooze button on a potential threat, devastating results can follow.
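To make the two rules above concrete, here is an added example that is not part of the original article or of any product: a small triage workflow in which unknown activity is treated as the highest priority until a human categorises it, an uncategorised alert can be neither snoozed nor closed, every operator action is written to a hash-chained audit trail that a reviewer can verify, and an alert nobody has triaged within its SLA is escalated to a second party. The class and function names (TriageQueue, Alert, demo), the priority scale, the SLA values and the alert scenario in demo() are all constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

P1, P2, P3 = 1, 2, 3                                      # hypothetical scale, P1 highest
TRIAGE_SLA = {P1: 15 * 60, P2: 4 * 3600, P3: 24 * 3600}  # seconds allowed before a human triages


@dataclass
class Alert:
    alert_id: str
    category: Optional[str]      # None = not yet categorised, i.e. a wildcard
    declared_priority: int       # what the detection rule claimed
    created_at: float
    state: str = "new"           # new -> triaged -> closed
    escalated_to: Optional[str] = None

    def effective_priority(self) -> int:
        # Unknown activity is treated as the worst case until categorised.
        return P1 if self.category is None else self.declared_priority


class TriageQueue:
    """Every action lands in a hash-chained audit log, uncategorised alerts can be
    neither snoozed nor closed, and untriaged alerts escalate once their SLA expires."""

    def __init__(self):
        self.alerts, self.audit, self._prev_hash = {}, [], "0" * 64

    def _record(self, actor, action, alert, ts, **extra):
        entry = {"ts": ts, "actor": actor, "action": action, "alert": alert.alert_id,
                 "state": alert.state, "priority": alert.effective_priority(),
                 "prev": self._prev_hash, **extra}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)
        self._prev_hash = entry["hash"]

    def verify_audit(self) -> bool:
        # Recompute the chain; an edited, inserted or deleted entry breaks it.
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def ingest(self, alert):
        self.alerts[alert.alert_id] = alert
        self._record("detector", "ingest", alert, alert.created_at)

    def categorise(self, actor, alert_id, category, priority, ts):
        a = self.alerts[alert_id]
        a.category, a.declared_priority, a.state = category, priority, "triaged"
        self._record(actor, "categorise", a, ts, category=category)

    def defer(self, actor, alert_id, reason, ts) -> bool:
        # The only snooze button: never for uncategorised activity, always with a reason.
        a = self.alerts[alert_id]
        if a.category is None or not reason.strip():
            self._record(actor, "defer_rejected", a, ts, reason=reason)
            return False
        self._record(actor, "defer", a, ts, reason=reason)
        return True

    def close(self, actor, alert_id, disposition, ts) -> bool:
        a = self.alerts[alert_id]
        if a.category is None:               # mystery not resolved: cannot close
            self._record(actor, "close_rejected", a, ts)
            return False
        a.state = "closed"
        self._record(actor, "close", a, ts, disposition=disposition)
        return True

    def escalate_overdue(self, now, second_party) -> list:
        # Nobody triaged it within SLA: hand it to a second party as well.
        overdue = []
        for a in self.alerts.values():
            if (a.state == "new" and a.escalated_to is None
                    and now - a.created_at > TRIAGE_SLA[a.effective_priority()]):
                a.escalated_to = second_party
                self._record("policy", "escalate", a, now, to=second_party)
                overdue.append(a.alert_id)
        return overdue


def demo() -> list:
    # Constructed scenario: a P3 rule fires on traffic it cannot categorise.
    q, t0 = TriageQueue(), 1_700_000_000.0
    q.ingest(Alert("a1", None, P3, t0))
    q.defer("bob", "a1", "probably just an anomaly", t0 + 60)      # rejected: still a wildcard
    q.escalate_overdue(t0 + 20 * 60, "soc-lead")                   # 20 min > P1 SLA of 15 min
    q.categorise("alice", "a1", "external-scanner", P3, t0 + 30 * 60)
    q.close("alice", "a1", "benign scan, blocked at edge", t0 + 31 * 60)
    assert q.verify_audit()
    return [e["action"] for e in q.audit]
```

Running demo() returns the audit actions in order: ingest, defer_rejected, escalate, categorise, close. The rejected defer and the escalation are themselves audit events, so the compliance reviewer sees the attempt to dismiss the alert and the point at which the second party was pulled in. The hash chain is only tamper-evident, not tamper-proof: in practice the log is shipped to a system the operators cannot write to, and the chain lets that system detect gaps or edits in what it received.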

Wrap Up

In this blog series, we took a look at how the lessons from Fort Knox can ground us in modern network security. Every organization needs to be able to identify the worst types of elite threats by intelligently analyzing all available network data. Sound incident response procedures and workflow review need to be tied to these efforts to prevent disaster.