The best-laid schemes of mice and men go oft awry.
— Robert Burns
Plans are useless, but planning is indispensable.
— Dwight Eisenhower
Neither was a tech visionary, but Robert Burns, the 18th-century Scottish poet, and President Dwight Eisenhower, the World War II Army general, have a lot to say about protecting companies from those who might steal data or disrupt operations.
Read through a security lens, the poet's line says that digital data and systems are continually vulnerable to attack. Just like the mouse in Burns' poem whose nest is turned up by a farmer's plough, modern companies and supply chains must be prepared to respond to potentially catastrophic cyberattacks. This means every business must have an incident response (IR) plan in place, and it must test that plan.
As for the Army general, he advises that those pre-tested plans will be disrupted in the heat of battle because enemies are clever and every situation is different. The point is that advance planning gives everyone on the team the necessary background of knowledge and experience to react quickly and strategically to a crisis.
“‘No plan survives first contact with the enemy’ is an old military saying that is unattributable, but it goes hand in hand with Ike’s thinking,” said Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by the U.S. Department of Defense. “What you come up with is probably not going to work because the enemy gets a vote in what happens. But if you’ve done your homework (planning) you can come up with an alternative and still accomplish what you set out to do.”
In other words, readiness to respond to the unexpected is key to successfully defending against costly cyberattacks. In this edited Q&A and IR plan overview, Tanji explains how to prepare for the next cyber crisis.
Three questions for Tanji
Isn’t IR planning something only large organizations undertake?
MT: It’s easy to think one is too small or not important enough to attract the attention of malicious actors, but it really doesn’t matter what you do or make for a living; you have something — compute power, intellectual property, a trust relationship with a bigger target — they want. So, you’re not being paranoid, you’re being prudent.
An incident response plan can be fairly brief, or it can be comprehensive. It’s not the fact that you have a plan that’s of value, it’s making sure you practice it. Everyone should know what they must do in a given situation. It might not end up being second nature, but it will be familiar, which means things will go smoother and faster than if everyone were hunting for and blowing dust off a response plan that they’ve never read, much less practiced.
Why is planning so important?
MT: Did you know that EMTs are trained to walk, not run, at an accident site? Running can lead to accidents. It gets people excited, which can lead to panic. Walking allows them to survey the scene to help avoid any hazards that they might have missed if they ran in.
When an incident occurs it’s the same thing. You’ve been compromised. Things aren’t working. Data is lost. The tendency is to panic and rush. That’s an instinct you have to fight. Remember: You have planned for this. Get the plan out and start working it. If the plan doesn’t address whatever is happening, that’s OK. You’re working with a team who has practiced dealing with bad stuff happening. You get together and figure it out. You will find out fairly quickly that you will have a handle on things and have a plan (ad hoc as it may be) to get things back to normal.
Creating a plan makes sense, but how do you test it?
MT: There are two main ways of testing your IR plan: a tabletop or an exercise.
A tabletop is just that. All the right players sitting around a table, talking through different scenarios, and responding with what they’d do in a given situation.
An exercise is more realistic in the sense that you may be using your own equipment and systems you use every day, or working in a simulated environment, and working through an incident using email, chat, meetings, etc. just as you would in a real-world situation.
In both cases the effort is led/facilitated by a third party who is in charge of explaining the scenario and “injects” new information or conditions to see how you respond.
In both cases you may find yourself needing to modify or update your plans in response to the testing you’ve done.
Michael Tanji’s Six Steps of an IR Plan
An IR plan is a living document that should be reviewed and updated on a regular basis to keep up with new threats, changes in your technology, and changes in what the company does and how it works. According to Tanji, these are the six components of an IR plan.
I. Preparation
- Know What You Are Trying to Protect: Think of this as making an inventory of everything important that is connected or holds data: computers, machines, websites, data stores, etc. You cannot protect what you do not know you have.
- Establish Roles and Responsibilities: Decide who is in charge when something goes wrong. Who makes the decisions? Who talks to the outside world? Create clear roles and responsibilities for different people or teams.
- Understand What Resources You Have: Firefighters have hoses and axes; you have your own tools. This might include software to find malicious activity, ways to lock down systems, and ways to communicate securely (or a provider you have outsourced these to).
- Practice: You need to practice your plan so everyone knows what to do when a real problem happens. This helps find weaknesses in the plan before it’s too late.
II. Identification
- Finding Clues: This is about noticing when something isn’t right on your systems. It could be strange messages, computers acting weird, or alerts from your security tools.
- Figuring Out What Happened: Once you see a problem, you need to investigate. What exactly happened? How did it happen? How bad is it?
III. Containment
- Keep it From Getting Worse: Once you know what’s happening, the next step is to stop it from spreading to other parts of your systems. This might involve disconnecting infected computers from the network or shutting down certain services temporarily.
- Short-Term Fixes: This is about taking immediate actions to limit the damage.
IV. Eradication
- Make Longer-Term Fixes: This is where you remove the threat, like deleting malicious software or repairing damaged systems.
- Check Your Work: You need to double-check that the problem is completely gone and cannot be used against you again.
V. Recovery
- Restoration: This is getting systems and services back online so you can get back to work.
- Recovery: You must make sure everything is working properly and securely after the cleanup.
VI. Retrospective
- Hotwash: After everything is back to normal, it’s important to look back at what happened. What went well? What could have been done better?
- Refinement: Use what you learned to update your plan, improve your security, and prevent similar problems in the future. This is like making sure the same mistake doesn’t happen again.
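As an added illustration of the Identification, Containment and Retrospective steps above (example code written for this page, not MxD’s or Tanji’s), the script below parses constructed sshd-style log lines, flags a source address that fails to log in repeatedly and then succeeds, emits the short-term containment commands rather than running them, and keeps a timestamped timeline that the hotwash can be run from. The host name, IP addresses, user names, thresholds and the nft set name are all assumptions made for the example.

```python
"""Identification -> Containment -> Retrospective record, as a minimal runnable example.

Added illustration, not MxD code. The log lines are constructed in OpenSSH sshd
message style; host, IPs and user names are invented.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails five times and then succeeds as "backup";
# 198.51.100.20 is a normal user whose single typo must NOT be flagged.
SAMPLE_LOG = """\
2024-05-01T08:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T08:00:03 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-05-01T08:00:05 bastion sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
2024-05-01T08:00:06 bastion sshd[2104]: Failed password for jdoe from 198.51.100.20 port 40011 ssh2
2024-05-01T08:00:07 bastion sshd[2105]: Failed password for backup from 203.0.113.7 port 51025 ssh2
2024-05-01T08:00:09 bastion sshd[2106]: Failed password for backup from 203.0.113.7 port 51026 ssh2
2024-05-01T08:00:12 bastion sshd[2107]: Accepted password for backup from 203.0.113.7 port 51027 ssh2
2024-05-01T08:00:15 bastion sshd[2108]: Accepted publickey for jdoe from 198.51.100.20 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

@dataclass
class AuthEvent:
    ts: datetime
    host: str
    result: str   # "Accepted" or "Failed"
    user: str
    ip: str

def parse_auth_log(text):
    """Identification, step 1: turn raw log lines into structured events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unrelated sshd lines are skipped rather than crashing the parser
            events.append(AuthEvent(datetime.fromisoformat(m["ts"]), m["host"],
                                    m["result"], m["user"], m["ip"]))
    return events

def identify(events, threshold=5, window=timedelta(minutes=5)):
    """Identification, step 2: flag a source IP with >= threshold failures inside
    `window`, and record whether it later logged in (a likely compromise, not just noise)."""
    findings = {}
    by_ip = defaultdict(list)
    for e in events:           # log order is time order
        by_ip[e.ip].append(e)
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e.result == "Failed"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e.ts - first.ts <= window]
            if len(burst) >= threshold:
                success = next((e for e in evs if e.result == "Accepted" and e.ts >= first.ts), None)
                findings[ip] = {"failures": len(burst), "first_seen": first.ts,
                                "compromised_user": success.user if success else None,
                                "hosts": sorted({e.host for e in evs})}
                break
    return findings

@dataclass
class Incident:
    """The record that feeds the Retrospective: every action, with a timestamp."""
    opened: datetime
    timeline: list = field(default_factory=list)

    def log(self, when, what):
        self.timeline.append((when, what))

def contain(findings, incident, now):
    """Containment: the short-term actions. Returns the commands instead of running
    them, so the plan can be exercised without touching production.
    The nft table/set names are assumptions for this example."""
    actions = []
    for ip, f in findings.items():
        actions.append(f"nft add element inet filter blocked_v4 {{ {ip} }}")
        incident.log(now, f"blocked {ip} after {f['failures']} failed logins on {','.join(f['hosts'])}")
        if f["compromised_user"]:
            # A success after a burst of failures makes the account suspect, not just the IP.
            actions.append(f"usermod --lock {f['compromised_user']}")
            actions.append(f"pkill -KILL -u {f['compromised_user']}")
            incident.log(now, f"locked account {f['compromised_user']} (accepted login from {ip})")
    return actions

if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    found = identify(evs)
    inc = Incident(opened=evs[-1].ts)
    for cmd in contain(found, inc, evs[-1].ts):
        print("CONTAIN:", cmd)
    for when, what in inc.timeline:   # the hotwash starts from this timeline
        print("TIMELINE:", when.isoformat(), what)
```

The point of returning commands instead of executing them is that the same script serves a tabletop (read the actions aloud and decide who approves them) and a live exercise (pipe them to a shell on the test systems); in both cases the timeline it keeps is the raw material for the hotwash.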
Visit the MxD Virtual Training Center for information on cybersecurity workforce training resources.