OPINIONS

Humans are fallible! Why training improves your response quality

13th of November 2020

Opinion, Gaffri Johnson, Managing Security Consultant, NCC Group

Humans are fallible

Being able to quickly detect that something truly bad is happening in your company and being able to respond and recover, requires much more than having fine print and advanced SIEM or SOC capabilities with all kinds of detection rules and use cases. It requires human beings acting, reacting, coordinating and daring to make quick decisions within a very short amount of time.

Huge security incidents that cripple businesses are becoming a frequent thing in the news.

There’s no need to tire everyone with statistics. It doesn’t take long on Google to discover the amount of damage it has cost major companies.

If we look at the last couple of years, most of those business disruptions have stemmed from ransomware attacks.

We like to think we have well-documented incident response procedures and disaster recovery plans that can handle incidents such as ransomware attacks. We’ve made the necessary business impact assessments with all the bells and whistles of RTO’s, RPO’s and maximum tolerable outage being defined. We have also defined some well-structured, logical incident response processes that follows best practice, with fine escalation criteria, decision paths and perhaps even playbooks. However, a major security incident rarely adheres to a scripted process, swim lane charts or playbooks. There are always things at play that will impact our ability to think clearly.

The speed of a full compromise

A recent refinement of an attack tool by the group behind Ryuk Malware has effectively reduced the time needed for a full compromise. From initial stage phishing to domain-wide encryption, an attack can be done in as little as 5 hours1.  With this potential speed of a full-blown ransomware attack, being able to react quickly and deal with an incident is extremely important and can require someone making unpleasant decisions to reduce the spread of ransomware.

How to take a deep breath and not panic

While mobilizing fast and having people not panic and be well-rehearsed is critical, it is not easy. No written policies and procedures can ensure that. Some of the things that are key to avoiding panic are:

  • Everybody knows their tasks and the role they play in a major incident
  • Understanding how to communicate horizontally and vertically to management
  • Instilling the confidence in key employees to make quick decisions that might not be the best or potentially even the right ones in hindsight
  • Taking ownership and knowing when not to take ownership
  • Being able to translate technical terms into risk-language that management understands and vice versa
  • Dealing with the often broken chain between IT-operational emergency processes and business continuity processes
A well-prepared plan needs well-prepared people

Training to respond to a major incident is often underestimated. Many companies are not devoting adequate attention to it. It could be argued that testing or doing simulations yearly really isn’t enough. Would you put all your trust into responding to a potential crisis based on just one yearly test, simulation or process review?
The human aspect plays just as important a role as the written documentation and technical solutions.

To ensure that your people are prepared to respond to a cyber incident, you should consider doing the following:

  • Simulate specific types of events that are likely to occur such as a ransomware attack and major PII data compromise event
  • Remember to also focus on stress testing your key employees to prepare them better
  • Testing how communication with third parties works; can be with incident responders or your IT-suppliers 
  • When you train, try to create a narrative that purposely derails your processes and forces you to choose a “lesser of two evils”
  • For some companies, creating laminated action cards can accelerate quick decision-making and steer people on to the right track as opposed to searching through tons of pages of an incident response process or a business continuity plan. As a consultant, I have seen a lot of incident response documentation and especially business continuity processes and plans that were like small books
  • Remember to do the above or a combination of the above more than once a year

If you are interested in more tips to incident response planning, then I recommend you sign up for my colleague, Erik de Jong’s webinar titled: Five efficient shortcuts to your worst security nightmare. The webinar takes place on December 1st at 10 a.m. CET. Click here to save your spot.