Neil Hair Brown (13:45)

Many organizations are approaching incident response. Well, many organizations are not approaching incident response planning, unfortunately, but those those that are approaching incident response planning are tending to look to the standards. There have been some pretty good standards in cyber incident response for a number of years now. I've been in cyber for 40 years now and I started cyber incident investigations in 96. And even back then the first computer emergency response team out of Carnegie Mellon had published their initial thoughts on what makes good cyber incident response. And so that's been developed over the years. One of the areas which I think is largely missing from the standards is the appreciation that cyber incidents or cyber incident response is actually a lot more than Just the technical aspects. And this is something which for the last 12 years now, we've been managing or responding to incidents on behalf of cyber insurers. Over a thousand incidents in the last decade. And there are, there really is a large amount of work that has to be done with those organizations that are suffering from incidents in the non technical areas, such as the legal, legal side of things, the crisis PR side of things, trauma counseling, ransom negotiation. These are all things which are, if you like, outside of the scope of technical. And that's when it comes to planning. That's something which many organizations need to embrace as part of their cyber incident response plans. Those organizations that are a little bit more mature, I would say, certainly those that have got well developed business continuity plans, they are very well advised to, if you like, adapt those business continuity plans to incorporate cyber incidents as well.

Dave Buettner (16:03)

As, you know, inherent in the name incident response, I think, is that folks come at this in a reactive way. I guess that's understandable. But how does that approach affect the.

Neil Hair Brown (16:17)

Outcomes here when it comes to actually dealing with incidents on the fly? So, you know, when incidents actually occur, we tend to find that many organizations are, they have not prepared, certainly they've not prepared adequately enough for cyber incidents. And so oftentimes they will, that will be the point at which they will call in the specialists or certainly seek to call in the specialists. Those specialists may be provided if they have cyber insurance or they might be seeking to acquire that expertise just commercially from cyber incident response teams such as ourselves. And so that, if you like, I think, as you've already alluded to, is not the ideal situation. Certainly we deal with many incidents where the senior management is the first time that they've ever met the IT or operational folks in their own organization. And so that kind of really underlines the need to prepare for cyber incidents and to prepare for the reactive state. Certainly if you want to have a good outcome, organizations that are not prepared, even if they are using highly experienced professional cyber incident responders, they're still not going to have anywhere near the effectiveness of, you know, the good outcomes that they would have if they had actually been much more prepared.

Dave Buettner (17:53)

What does that preparation look like and how should the security team make the case to the executives that preparation is a worthwhile investment.

Neil Hair Brown (18:07)

So when it comes to the preparation side of things, again, it really is important to think outside the box. So having a written plan is a great thing, but making sure that it's going to survive first contact is the second thing. So ensuring that you've actually had an exercise of your plan is very important. Also, ensuring that the plan caters for both the strategic senior management aspects of managing a cyber incident and the operational sort of technical aspects as well. And we find that most organizations work more effectively if they actually separate those two groups of folks when they have an incident or when they're actually having an exercise. So that because that's actually the most efficient way of managing things, you tend to find that you might have senior management that want to get involved or understand some of the technicalities. And generally being when you're in the middle of a cyber incident, that isn't the right time to do that. And similarly, sometimes you get some of the technical folks wanting to become legal experts, and that equally is not the right time. So it's always best to actually keep those two groups apart, but have a coordinator that is working with those two groups to make sure that the requirements of the strategic group are properly conveyed to the operational group and the results are passed back so they can make some informed decisions. So this is all part of the actual preparedness. And then you can also have some specific preparedness workshops. So for instance, forensic preparedness. So having a good idea of the various technologies that you're using, what the tech stack looks like and what the ability for those technologies is to actually record evidential items and to make sure that that evidence, whether it's in the format, whether it's in logs, or whether it's in other forensic artifacts that could be produced during an incident, and to make sure that those are preserved. So this is something which is very important to actually talk through ahead of times so that you can make sure that you have a really effective response when an incident occurs.

Dave Buettner (20:31)

You mentioned that many organizations come at this as a technical challenge, and that certainly makes sense. But you also mentioned that there are a lot of other things at play here. And one thing that caught my ear was this notion of helping people deal with the trauma of an event like this. Explain the importance of that.

Neil Hair Brown (20:53)

That's one of the major losses that we see organizations suffering from. And it's a loss which is not immediately felt by the organization or indeed the individuals that are tasked with the response. Bearing in mind the response isn't just purely technical. So we're not just talking about just the IT folks here. We can be talking about management as well, and even senior executives. But the post traumatic stress that those participants feel, those responders feel, once the incident has sort of been dealt with, can sometimes be quite significant. We've dealt with a number of incidents, for instance, where members of staff have been deceived into giving up credentials or into actually making payments, that kind of thing. And that kind of, you know, that sits very heavily with them. And it's generally the case that unless an organization does something to recognize that and to offer them the support that they will need, that they could be looking at those staff leaving within a relatively short period of time after the incident has taken place.

Dave Buettner (22:07)

In this world where so many organizations have moved their operations to the cloud or they're relying on managed service providers, I can imagine that they are looking to rely on those organizations if there is an incident to help with the recovery, Is that a sensible plan? Does that make sense? How reliable are they as a support network?

Neil Hair Brown (22:36)

Very good question. I think it does need, and this again, kind of underlines the need for preparation because it really needs some thought as to what roles an organization would want their service providers to play in the event of an incident. There's no doubt that if systems or data have to be recovered, then it may well be that the expertise that their MSPs are offering and the familiarity that they have with the client systems and data is such that they would be the ideal person to help with that recovery. When it comes to the investigation aspects, though, some very careful thought has to be given there as to whether or not their providers would be conflicted if they were to help with the investigation. Consider, for instance, if a managed security services provider or a straight MSP that's providing some kind of security services as part of their overall package would actually, if they were then tasked to actually perform an investigation, and it happened that the very controls that those organizations should have been putting in place had failed in some way, perhaps an MSSP that should have been monitoring systems failed in their ability to do that properly. Are they going to actually reveal that? Are they truly independent when it comes to that investigation? Are they going to give the organization that kind of clarity on the initial point of compromise, etc. So it's very important to give that some consideration. And certainly we've come across many cases now where MSPs who are appointed to do the investigation part of the incident response are indeed conflicted. And they are rather opaque with helping the organization to understand what went wrong and how it went wrong.

Dave Buettner (24:42)

There's kind of this old joke in cybersecurity about the security professional standing in front of the board of directors and saying, hey, we spent all this money and congratulations, nothing happened. And the board scratches their head and said, well, why are we spending all this money, if people are investing in a retainer with an organization like yours, how do they leverage that investment proactively?

Neil Hair Brown (25:15)

So certainly I would say all good retainer services should provide a range of onboarding services. So this is separate from the actual incident response time that is set aside in case an incident does occur. And those onboarding activities should include, as we've already discussed, some kind of preparatory support. We perform something called assimilation, where we sort of take a lot of time to understand a client's tech stack, what their points of contact are, which regulations apply, you know, what their legal obligations are, et cetera, et cetera, lots and lots of points. And so I would say good retainer service should have some onboarding activities, maybe a risk assessment, maybe some attack surface scanning, that kind of stuff. Then there is the investment itself into actual, into the time that may be required should an incident occur. And that time would be used at different rates depending on the skills that would be needed should an incident occur. So, you know, you may have a different rate for a senior legal advisor, for instance, than you would for a forensic investigator. So, yeah, having a way to actually make sure that that is all dealt with as part of the process. And then thirdly, and very importantly, as you've already said, if an incident does not occur, then how is a client going to maximize their investment? And so the best process is that they should be able to see 100% of their investment and that should be converted into the ability to undertake proactive activities. So for instance, staff awareness training, penetration testing, maybe cyber incident exercise, all of these things can, can actually be a way for clients to get a maximum out of their investment.

Dave Buettner (27:16)

That's Neil Hare Brown, CEO at Storm Guidance. For more information about cyber incident response retainer service provision, you can find a link in our show notes. What's the common denominator in security incidents? Escalations and lateral movement. When a privileged account is compromised, attackers can seize control of critical assets. With bad directory hygiene and years of technical debt. Identity attack paths are easy targets for threat actors to exploit, but hard for defenders to detect. This poses risk in active directory, entra ID and hybrid configurations. Identity leaders are reducing such risks with attack patterns. Path management. You can learn how attack path management is connecting identity and security teams while reducing risk with Bloodhound Enterprise powered by SpectreOps. Head to SpectreOps IO today to learn more Spectre ops. See your attack paths the way adversaries do foreign. And finally, in late March, mitre marked the 25th anniversary of the CVE program the cornerstone of global vulnerability tracking and every security pro's favorite database to grumble about while secretly relying on it daily. For a brief, jittery moment in April, it looked like this quarter century run might come to an abrupt, awkward end. A leaked memo revealed that the Cybersecurity and Infrastructure Security Agency had not renewed mitre's funding contract. The memo gave everyone a very specific countdown, about 36 hours until the lights went out. Analysts, vendors and researchers, all highly trained to manage risk, suddenly found themselves in a digital doomsday scenario. One expert said it was the 11th hour, 59th minute. It gave a doomsday feel. Then, just 17 hours later, CISA reversed course and issued an 11 month contract extension. Crisis averted mostly. The near miss did more than rattle nerves. It kicked off a rapid rethink of who should control, Fund and Future Proof, one of the Internet's most essential public services. Enter a cast of new players. Europe Beta launched its own EU vulnerability database. Luxembourg's Circle debuted the Global CVE Allocation system. And several CVE board members introduced plans for a new CVE Foundation, a privately funded alternative aimed at global resilience and governance beyond a single US Agency. That last move stirred controversy. Former CISA Director Jen Easterly publicly criticized CVE foundation board members for secretly building a rival while still overseeing the current program, calling it a conflict of interest. Meanwhile, supporters argue that relying on a single funder, especially one with a volatile budget and shifting political winds, is just bad business. You want resilience, said one expert, not a cliffhanger every fiscal year. As for mitre, they're staying the course, grateful for the overwhelming support and committed to keeping CVE running smoothly, contract drama notwithstanding. Still, the takeaway was the CVE program may be a public good, but it's not immune to bureaucratic entropy, whether it evolves into a broader, more distributed model or continues under its current stewardship. One thing is no one wants to live in a world without it. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in rapid the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes we're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Neil Hair Brown (32:48)

Foreign.

Dave Buettner (32:59)

And now a word from our sponsor. Spy Cloud Identity is the new battleground and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. Spy Cloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report@spycloud.com cyberwire and see what attackers already know. That's spycloud.com cyberwire.