Why your IR team should be more like Scooby Doo

If you want to get incident response right you need to channel Chuck Norris and become a bit more like the Scooby Doo team, says SANS instructor Steve Armstrong.


Armstrong, who formerly led the RAF's penetration and TEMPEST testing teams but who now works as technical security director at Logically Secure, gave an entertaining and enlightening presentation on incident response at the 44CON conference in London on Tuesday.

In it, he stressed that most threats are “nothing super-special”, with incidents often owing to firms getting the basics wrong. Citing the recent Verizon DBIR report which indicated that most hackers continue to exploit year-old CVEs, he said, “We're talking about people here that are not doing the basics.”

In theory, Armstrong said that an effective incident response plan should see “geeks that love to geek, leaders that love to lead and managers that love to manage” but he admitted that this isn't always the case, with plans often falling down on communication and other factors, such as poor logging.

“A lot of time the leadership fails and it stops the remediation – the incident response – from working,” said Armstrong.

A solid Digital Forensics and Incident Response (DFIR) plan relies on workers sending good intelligence, statistics and data on to managers, who in turn translate this for the leaders, but Armstrong said that any disconnection along the way would see “risk comprehension and funding go away.”

At this stage, “directors are no longer engaged in what's happening”, employees are demotivated and the intelligence value is lost.

Instead, he urged 44CON attendees to follow the much-publicised OODA loop, which was developed for use by the air force, to become faster and more agile, even citing the beloved Chuck Norris as an example. Norris, a martial arts expert and actor who is now 75 years old, would “still kick your arse” because he plays to his strengths and sees his opponent's every move. “His OODA loop is so tight,” said Armstrong.

For example, he said that a Sysadmin or IT security team could observe an intruder on the network, decide a plan of action and remediate. If you can't react this quickly, “something will out-manoeuvre you.”

He urged attendees to think about their plan, their communication (for example, how will they communicate if their own network has become a hostile environment?) and how they can scale up operations. The whole plan, said Armstrong, needs to involve everyone – including legal and management.

He warned too of the gap between perceived skills and actual capability, comparing it to young children doing martial arts. “Attackers can see the inefficiencies of your team – they know you're not Bruce Lee. So you've got to make sure you look at the team, look objectively at what they're capable of doing. If they're not [up to speed], look to infill with help, or onsite training.”
