Is incident response broken?
IT practitioners involved in incident response engagements often do not have a real understanding of the threats. As such, their responses to an incident are superficial at best, focusing on removing what they think the threat is.
So says Jason Jordaan, principal forensic analyst at DFIR Labs, who has joined the cyber security expert speaker line-up for ITWeb Security Summit 2019, to be held from 27 to 31 May, at the Sandton Convention Centre.
"Another issue is that there has often been a disjoint between the incident responders and management of the organisation," he says. "The problem is we are still doing incident response as if the threats we faced when 'incident response' was formalised as a concept are the same as those we face today. The landscape has changed and we need to adapt our incident response processes as a result.
"There are a number of issues where we go wrong in South Africa. One of them is not trying to really solve the problem. In the event of an incident, the first thing that we do is 'pull the plug' so to speak, compromising any digital evidence that we could use to either identify the perpetrators, or to establish the root cause or extent of the compromise."
Usually this is a result of management insisting that the business get back up and running as soon as possible, coupled with incident responders lacking the technical and legal understanding of their roles and responsibilities.
He says the major problem with this approach is that the scope and nature of the compromise is never completely identified, and, in many cases, the compromise is not rooted out, meaning the attackers remain in the network, patiently biding their time to strike again.
"We are lucky at the moment that POPIA [Protection of Personal Information Act] is not fully in place... What would organisations do should the regulator conduct an investigation and the incident responders have effectively trampled all over the evidence?"
Jordaan says today's threat landscape is about cyber crooks gaining access to and maintaining presence in an organisation's network. "They want to be able to live there. They are not interested in a quick hit and run, so the notion that you can remove the threat actors from your network by simply killing a few machines and redeploying them is ludicrous.
"To eliminate attackers you need to know them, and understand the extent of their activity on your networks. In essence, incident response is more about treating the symptoms than the actual disease itself."
While there are many things that should come out of a successful incident response, Jordaan says one of the critical issues is removing the threat, and identifying the root cause of the incident so that lessons can be learned from it.
Delegates attending Jordaan's talk, "Is incident response broken? Why traditional incident response is not stopping cyber breaches", will learn why current incident response practices do not address persistent threat actors and how incident response can be done effectively.