Incident Response Culture

Matthew Aubert
5 min read · Jul 1, 2016


Anyone who has read some of my previous blog posts will quickly realize that I tend to focus on the non-technical. This is another one of those non-technical posts, but I genuinely believe that topics such as this need to be discussed. For the Marine Corps and the Navy, culture is easily one of the most important aspects that must be instilled in all members. Arguably it is more important than tactical training. As incident responders it is our responsibility to defend the networks we have been charged with defending. Whether our role is that of a sell-sword or that of a true patriot to our respective employers, we must always remember that we are the DFIR Warriors on the wall fighting to keep the adversary at bay. We must own the mission of those we have volunteered to protect. By understanding the goals of the organization and keeping those goals in mind at all times, we can make decisions that support that mission. If the mission of your organization is to manufacture and sell widgets, then as a DFIR Warrior your mission is to ensure that those widgets are made and that they can be sold. When going through the PICERL Incident Response Process you must always be mindful of the impact on widget production [1].

We must sharpen our minds

Every member of the team should have passion for their chosen profession. That passion is displayed through the active pursuit of continuing education [2]. It could be shown through certifications being pursued, through research into new tools and techniques, through reading new books, through developing a hip-pocket class given to other DFIR professionals, or through attending an industry conference. Hopefully all members of the team will demonstrate this passion during the hiring process. The realities of life, though, show that not all will. As leaders we must lift up our fellow DFIR brethren and ignite the passion in them to continue moving forward.

We owe it to our junior cyber security professionals to demonstrate what it means to be a consummate professional at all times. This is done by engaging in some of the activities previously mentioned. It is also done by helping the junior professionals to follow the same path. Help them to identify their strengths and weaknesses in the field. This field is very complex, requiring many different skills [3]. We cannot be great at all things. By helping them to find where their interests lie, we can help build a better DFIR team. They can focus their efforts on improving their skills in a topic where there is a clear skill gap. We as leaders can then identify the skills that need to be hired for.

Not all organizations have the budget to send their employees to expensive training. We cannot, though, allow a lack of budget to excuse a failure to learn more. Knowledge is mostly free on the Internet. Look up videos from DEFCON [4]. Encourage your peers to do the same. If you are in a management position, set time aside regularly to review a conference video as a team or to discuss process improvements.

There are a lot of great DFIR blogs out there. Keep keyed into what is happening in the industry [5]. On your daily task list, place reviewing blogs as one of the first things you do in the day. I start each morning by first reviewing what events were escalated to incident response overnight that may require immediate attention; then I review blogs, emails and other sources of intelligence.

Get on Twitter! There is so much information made available on Twitter that ignoring it is silly. Use TweetDeck [6] and set up a search for terms about the organization you are protecting. Often activists like to boast about their exploits. If ‘Widget Inc.’ is the target of a denial of service attack by the ‘Gizzard Squad’, they will almost certainly start tweeting about it. Keep a search open on TweetDeck for #DFIR.

Learning is continuous. We must never stop learning new things. Every day you should go to bed comfortable in knowing that you have done your best to improve the knowledge of yourself and your peers.

We must sharpen our swords

Learning about new tools and techniques does us no good if those skills are not leveraged during our incident response investigations. Keeping up with new tools on a DFIR blog or on Twitter requires us to test those tools and make changes to our procedures as we find better methodologies. Remember the Process Improvement Loop [7] while finding ways to make your job more effective and more efficient. After reviewing all those blogs, plan what changes could be made and how to test them, do the plan by implementing the changes to processes or tools, check to verify that the plan was executed properly, and act on any shortcomings discovered during the check phase.

Certainly an incident response team is more than the sum of its tools, but we work in a technical field which requires tools. Scripting a solution may only get you so far. Open-source or proprietary software may be necessary to move forward. If you find your organization is not able to respond to some incidents because it lacks the appropriate assets to do so, make an argument to get new tools. Build your argument on a basis of logic. Provide strong references to support your request. Identify potential costs and perform some level of cost/benefit analysis. Implementation of a new tool will have to be approved by a business person. Make your argument in the language of business as best as you can.

Have a real penetration test performed regularly on your network. This provides a number of significant benefits. From the business perspective it helps leaders see that the finances they have budgeted for cyber security are being put to good use. Performing the test annually, along with a comparison of what project and process improvements have been implemented over the past 12 months, will ease the minds of the business when you make an argument for the next tool.

Conclusion

A culture of continuous process improvement, driven by excited and passionate cyber security professionals, will drive your security operations center towards success. Question everything and keep moving forward!

-aub

References

  1. An Incident Handling Process for Small and Medium Businesses
  2. SANS Institute
  3. DFIR Skills
  4. DEFCON
  5. DFIR Blog List
  6. TweetDeck
  7. Process Improvement Loop

Originally published at aubsec.github.io on July 1, 2016.
