Incident response plants are incredibly important for both IT and OT cybersecurity. They guide you in stressful crises, and aid in both tactical procedures and decision making.
I cannot state enough how important it is that your organization has plans for every environment, those plans are tested, and that ultimately you write and edit the bulk of those plans yourself.
There are skeevy consulting companies who will sell you almost anything - from premade IR plans to services that build them for you without your involvement. However, I can absolutely guarantee without serious project-scale care and feeding from your own stakeholder personnel and environmental considerations, they will fall flat in an emergency. You wouldn’t want your hospital to download a premade triage plan for another size or functional org from scribd.
Can’t stress enough how important it is to take the time to plan, even if you bring in consultants to guide and advise you.
#cybersecurity #dfir
@hacks4pancakes@infosec.exchange
You seem to think that we have the staff and budget to do that. I’m busy begging to get the CapEx to replace a cluster of Dell R610 “servers” that don’t even have iDrac even though they are at a site without IT support. Hell, my laptop has more CPU/RAM/storage than those do.@hacks4pancakes@infosec.exchange if you fail to plan, you plan to fail.
@hacks4pancakes@infosec.exchange Agree completely!
I’d go so far as suggest doing at least an IR tabletop of a complete loss situation against the first draft is required to ensure a minimally usable final draft plan.
@hacks4pancakes this also goes for AppSec. Off the shelf static analysis configs with zero post-deployment tuning will do nothing other than make your devs hate you
@hacks4pancakes@infosec.exchange in all honesty, most organizations are too small with too little support to do any of this. It’s a real issue, but most of them are looking at it like a fire; if it happens it happens and you let professionals deal with it after the fact.
I’m not saying it’s right or good but IT isn’t even a job title at most businesses.If the orgs IR plan isn’t much more than the steps needed to halt operations and enact the business continuity plan than that’s fine. You just want to avoid flying by the seat of your pants as much as possible in that scenario - should it ever come.
@faffinaboot @mikebabcock this. Look, a plan that lists your retainer contact information, who is in charge, and a first hour’s steps is a plan. I get calls every week from orgs that don’t have this much. Many go out of business. Some are in tears realizing this fact, when IR firms tell them it will be a two week wait to get help with no agreements in place. It’s something that has a cost, but you just can’t afford not to do. It’s like cheaping out on smoke alarms. Something, anything.
@hacks4pancakes@infosec.exchange @faffinaboot@hachyderm.io @mikebabcock@floss.social and try to call the hotlines from time to time. Maybe quarterly or twice a year to check that you can reach them and the number didn’t change 😅
We got a weird international-freecall number that breaks my mind (as an ex phone guy that is) as it basically is a +800 country code you need to dial. I bet some PBXs aren’t even configured to cover that.
@hacks4pancakes@infosec.exchange and exercise / fire drills! No plan, however tailor-made and customized to your org will work without regular try runs & maintenance :)
@hacks4pancakes@infosec.exchange so much this. From experience, I would like to emphasise that “stakeholder personnel” should include all levels.
If operational and tactical levels are involved, prepared and tested, but those calling the shots are not, they will make the wrong decisions based on a lack of understanding of, and experience with, the nature and impact of incidents, and subvert instead of support the careful planning.
I would say the same caveats regarding consultants apply here.
@hacks4pancakes@infosec.exchange I cannot agree with this enough. You absolutely have to do this yourself. No external entity, no matter how honorable they may be, and.most aren’t, can possibly grasp your environment more than your own staff that built and run it.
This notion that you can outsource everything even remotely hard is quite frankly not true, and while it may save you some pennies now, you will spend real capital cleaning up the mess when that bad day comes.
Tangentially related trend I am seeing: New ISPs that don’t run their own core networks. They outsource it to companies that claim to run core networks for ISPs. If you can’t run a network, you seriously have no business pretending to be an ISP.
This outsourcing of absolutely everything is going to fuck you sooner or later.
@hacks4pancakes@infosec.exchange thank you for the reminder. As the new (and only) IT guy at work, this is definitely something I want to work towards. Already got proper backups in place!
@hacks4pancakes@infosec.exchange Indeed. The best ‘premade plan’ isn’t worth a few hours of the right people sitting around a table discussing ‘what if…’
I’ll go further than that.
The best ‘premade plan’ (that no one has read) is not going to be as useful as having had the right people sitting around a table for a few hours drinking and talking shit and exchanging contact details and getting to know each other.
@hacks4pancakes@infosec.exchange Love this.
Can’t be said enough; You’re a treasure Auntie L.@hacks4pancakes@infosec.exchange As a business continuity consultant I completely agree with this. I can help you get started, point out risks you might not have thought about, and suggest possible mitigations and responses. But ultimately it has to be your plan because only you know your business, can decide what your constraints are, can decide what and when to test, and can decide how much it is worth spending…
It’s also worth remembering that major business risks (can I make payroll next week? What if a major customer drops me?) can make a business continuity or security risk unimportant in the grander scheme of things. Low probability high consequence events don’t matter until you’ve handled the high probability high consequence ones.
