Rick Howard
You're listening to the Cyberwire Network powered by N2K.
Nyla Genoi
The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.
Rick Howard
The word is: incident response. Spelled: incident, as in data breach or cyber attack, and response, as in a coordinated effort to react to an event.

Definition: A collection of people, process and technology that provides an organization the ability to detect and respond to cyber attacks.

Example sentence: After the data breach last month, we improved our incident response program by creating new standardized operating procedures to limit the damage in future attacks.

Origin and context: In 1986, a 75 cent discrepancy in the Unix accounting system at the Lawrence Berkeley Laboratory, or LBL, led to one of the first documented cases of cyber espionage. Back in those days we charged users for the computer time they used. Detailed first in a 1988 Communications of the ACM article entitled "Stalking the Wily Hacker," and then more fully realized in the Cybersecurity Canon Hall of Fame book The Cuckoo's Egg, published in 1989, Dr. Clifford Stoll followed a seemingly innocuous trail of breadcrumbs that eventually led to the discovery of East German hacker mercenaries working for the Soviets with the ultimate goal to break into US military networks. Although Dr. Stoll never called his investigation incident response, for all intents and purposes he created the incident response field in that investigation in 1988. And close on the wily hacker's heels came the first ever Internet distributed denial of service attack, called the Morris worm. A 23 year old Cornell University graduate student named Robert Tappan Morris was experimenting with the idea that a computer program could spread itself silently across the Internet. His experiment got away from him and, according to the FBI, within 24 hours the Morris worm had directly infected 6,000 of the 60,000 computers that were then connected to the Internet, rendering them unusable and creating an Internet traffic jam for the remaining unaffected computers.

In the aftermath, the Defense Advanced Research Projects Agency, or DARPA, sponsored Carnegie Mellon University to establish the first Computer Emergency Response Team Coordination Center, or CERT/CC, to handle these global cyber events in the future. Between the Cuckoo's Egg and the Morris worm, incident response was born.

Nerd reference: Dr. Clifford Stoll is one of InfoSec's most colorful characters, and in 2011 he retold his legendary incident response story on the AT&T YouTube channel.
Dr. Clifford Stoll
Oh, yeah, it was 1986. I'm doing astronomy over in Berkeley, California, and one day I walk in and I notice the accounts are off. 275, 85. My accounting inside my UNIX machine is out of balance. I'm saying, I start looking at it, start poking at it, and I notice that, oh, it looks like there's somebody using my UNIX machine without permission. An account from a friend of mine, Joe Sventek, is being used without any permission. Somebody has changed the password to it. Maybe I have a hacker. Somebody's coming in who has super user privilege. They're able to get in and manipulate anything they want in my machine. They have the same license that the system administrator has. Start thinking about it, and I come back and say, how can I find it? How can I prove this? Maybe it's this, maybe it ain't. How can I prove it? Yes. Prove it. No. Eventually, it took a year of tracing things back and finding that, oh yeah, the guy would come in and he was stealing military stuff, going on military installations. But this guy thinks. He thinks that we are, which says he's not around here. Meanwhile, we're tracing him backwards, tracing him from Berkeley, California into Oakland. It's across AT&T long lines. So we sort of trace him back to Virginia and from there up into a satellite. But then it turns out to track him back further, it would take two hours or so. And the guy was smart enough, he was clever enough that he'd only connect for a few minutes at a time. How are we gonna catch this guy? We have to keep him online for a couple hours in order to track him across the ocean. But in order to do that, we need something that he'll go for. So I'll set a trap. I'll make a file in my system that's so, so interesting. Full of all sorts of bogus national security things, filled with all sorts of neat things that somebody will say, oh, wow, I gotta read this.
Rick Howard
Credits: Word Notes is written by Nyla Genoi, executive produced by Peter Kilpe and edited by John Petrick and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliot Peltzman. Thanks for listening.
Podcast Summary: "Incident Response (Noun) [Word Notes]" – Hacking Humans by N2K Networks
Release Date: December 17, 2024
In the episode titled "Incident Response (Noun) [Word Notes]," hosted by Rick Howard on the Hacking Humans podcast by N2K Networks, the term incident response is defined and traced back to its origins. The discussion follows the evolution of the practice and emphasizes the role that coordinated effort plays in mitigating cyber threats. Incident response is defined not just as a reaction to cyber attacks but as a comprehensive capability involving people, processes, and technology to detect and manage security breaches.
Rick Howard opens the conversation by clarifying the term "incident response."
"[...] incident as in data breach or cyber attack, and response as in a coordinated effort to react to an event. Definition: A collection of people, process, and technology that provides an organization the ability to detect and respond to cyber attacks."
— Rick Howard [00:51]
He underscores the importance of standardized operating procedures for limiting damage from future attacks, using the example of an organization that enhances its incident response program after a data breach.
The podcast takes listeners back to 1986 with one of the earliest documented cases of cyber espionage at the Lawrence Berkeley Laboratory (LBL). A mere 75-cent discrepancy in the Unix accounting system sparked an investigation by Dr. Clifford Stoll, leading to groundbreaking developments in incident response.
Dr. Clifford Stoll recounts his experience:
"Oh, yeah, it was 1986. I'm doing astronomy over in Berkeley, California, and one day I walk in and I notice the accounts are off. 275, 85. My accounting inside my UNIX machine is out of balance. [...] Somebody's coming in who has super user privilege. [...] Eventually, it took a year of tracing things back and finding that [...] he was stealing military stuff going on military installation."
— Dr. Clifford Stoll [03:59]
This incident, later detailed in his book The Cuckoo's Egg, is often credited with laying the groundwork for the incident response field, even though Dr. Stoll himself did not use the term.
Following closely on the heels of the LBL incident was the Morris Worm of 1988, written by Robert Tappan Morris, a Cornell University graduate student. The episode describes the worm as the first Internet-wide distributed denial of service attack: it spread from host to host by exploiting weaknesses in common Unix network services and by guessing passwords, and a flaw in its logic let it re-infect machines it had already compromised, so the sheer number of running copies exhausted the victims' resources rather than any deliberate payload. It demonstrated how self-propagating software could incapacitate large numbers of computers at once.
Rick Howard elaborates on this event:
"Robert Tappan Morris was experimenting with the idea that a computer program could spread itself silently across the Internet. His experiment got away from him and, according to the FBI, within 24 hours Morris Worm had directly infected 6,000 of the 60,000 computers that were then connected to the Internet at the time, rendering them unusable and creating an Internet traffic jam for the remaining unaffected computers."
— Rick Howard [02:30]
The fallout from the Morris Worm incident was significant, prompting the Defense Advanced Research Projects Agency (DARPA) to sponsor Carnegie Mellon University in establishing the first Computer Emergency Response Team Coordination Center (CERT/CC), formalizing the approach to handling global cyber events.
The aftermath of these early cyber incidents highlighted the necessity for organized and proactive incident response mechanisms. The creation of CERT/CC marked a pivotal moment in cybersecurity, providing a structured framework for responding to and managing cyber threats on a global scale.
Rick Howard succinctly captures this progression:
"Between the Cuckoo's Egg and the Morris Worm, Incident Response was born."
— Rick Howard
This evolution from ad-hoc investigations to formalized response teams underscores the maturing landscape of cybersecurity and the increasing sophistication of cyber threats.
Throughout the episode, several key insights emerge:
The Importance of Early Detection and Response: The stories of Dr. Stoll and the Morris Worm emphasize that early detection is crucial in minimizing the impact of cyber incidents.
Evolution of Cyber Threats: What began as isolated incidents has evolved into complex, large-scale cyber attacks that require advanced and coordinated response strategies.
Formation of Dedicated Response Teams: The establishment of CERT/CC illustrates the necessity of having specialized teams equipped to handle the dynamic nature of cyber threats.
Human Element in Cybersecurity: The podcast highlights that cyber threats often involve human deception and ingenuity, reinforcing the need for comprehensive incident response plans that consider both technological and human factors.
The "Incident Response (Noun) [Word Notes]" episode of Hacking Humans provides a thorough exploration of the origins and significance of incident response in cybersecurity. By tracing back to seminal events like the Lawrence Berkeley Lab incident and the Morris Worm, the podcast underscores the indispensable role of coordinated response efforts in safeguarding digital infrastructures. For listeners seeking to understand the foundations and evolution of incident response, this episode offers valuable historical context and insightful analysis.
Thank you for listening to Hacking Humans by N2K Networks.