Like most incident response (IR) teams that work with suppliers, we always get asked for “juicy stories” about IR cases to woo customers with. How unusual or perilous was the incident? How did we deal with it? Here’s how you could also benefit from our shiny new security product.
This is fine. The wheels of marketing need to turn, and what better to kick off a sales call than a direct, first-hand case study about solving another company’s security problem? It is fine, until it’s not fine. Often, the boundaries get pushed and we get asked to focus on a particular threat, industry or even region. While I totally understand the benefits of targeted marketing, it can sometimes feel self-defeating.
It becomes a never-ending game of trying to adapt the last presentation to shoehorn in the latest angle. For instance, I’ve done presentations where we get into detail about threat actors and their particular vector or malware traits, but then the conversation turns into “Which ones should we worry about?”, “Which one is worse?” or “No, I’ve heard that family is shutting down so we don’t need to think about that any more”.
In conversations about preparedness, we often ask organisations about the threats they’re worried about and a lot of them seem to come up with the shiniest new threats because they’re all that’s ever talked about. If organisations want to stay safe, they need to look beyond the “threat du jour”. In a recent conversation on the subject, a colleague exclaimed, “This is not a fashion show!”, and he was quite correct.
All organisations should, of course, be worried about every threat and any combination of threat actor, vector and malware, and not just the shiniest, newest, biggest, “baddest” ones. The reality is that once we’ve done our investigations and found the root cause, it’s rarely the sophisticated mastermind of an attack that someone thought it was.
Quite often, it’s a relatively basic vector that an attacker was able to take advantage of, such as gaining privileges through a poorly secured account, which lets them remain undetected while they exfiltrate data and stage their payloads before dropping some ransomware and bolting.
So, instead of thinking of the threat landscape as a catwalk, we could take a step back and look at what is actually involved in setting the stage in the first place. Instead of reacting to whatever threat is “en vogue”, we should think about what we can do to stop, prevent, detect and then respond.
I know hindsight is always 20/20, and everybody’s a critic looking back up the river, but if all we do is offer standard responses and recommendations based on the “latest” findings, organisations will never be as safe as they could be.
It’s tempting, from a cynic’s perspective, to think this will always be the case, but I’m sure that if defenders stopped focusing on the “fashionable” threats and instead looked at some more basic, less “juicy” resilience steps, we could nip far more threats in the bud before they ever even become an issue. Perhaps then the conversation can change.
The Secret IR Insider works at cyber security services and solutions supplier Check Point Software.
A specialist in incident response (IR), they are at the front lines of the ongoing battle against malicious cyber criminals, ransomware, and other threats.
Their true identity is a mystery.