Using the incident pit technique in the wake of an attack is the best way to see off future threats to your organisation.
Good security governance will have fantastic risk assessments built into the very fabric of an organisation, designed into the business-as-usual operating instructions and practised by everyone, all of the time.
We've all come across bad risk assessments – or 'tactile risk assessments' – where professionals decide an arbitrary level of risk against any given asset, based solely on how risky it feels, without considering the likelihood of an attack being realised. This has a significant margin of error and reveals laughable levels of risk, along with hilarious proposals to reduce the risk associated with the event being realised, based on a script that HG Wells would find interesting.
It doesn't have to be this way – there are easier ways of getting quick wins in an organisation and ensuring our businesses stay secure while moving full steam ahead.
Take the Titanic. The captain knew he was moving into an area populated with icebergs, but instead of considering the effects of hitting a huge chunk of ice, he ploughed on. Of course, the rest is history, but it didn't need to happen. A boat hitting an iceberg is not exactly a commonplace event, but it does happen, and there are some events that, when condensed, will almost certainly lead to an undesirable outcome.
Consider the events that led up to the collision. The largest boat ever built, considerably unmovable at full speed, was travelling full pelt at night when visibility was low, relying on the human eye to warn the captain via voice if the ship was about to hit an iceberg. This is what is known as the incident pit, and once you are in it, there is very little you can do to prevent the eventual outcome.
So how does this relate to security in your organisation? The incident pit can be used to understand, acknowledge and prevent attacks being realised in the future based on past experience of threats being realised. On its own it isn't very useful, and during an event there is little point in deploying this technique, but after an event it is something that should be understood.
Using the example of a hacktivist group taking down your payment card solution in the run-up to Christmas, it is simple to see how you can prevent this type of attack happening in the future. Working it through with a simple risk assessment will lead to a high level of risk and, subsequently, high project costs to contain any future attack. The same can be said for a tactile risk assessment – it will almost certainly result in a massive level of risk and grotesque costs to control. However, by employing the incident pit, it is possible to review all the component parts of the event and remove or control each element, thus erasing the risk completely without paying for exorbitant technical controls.
First, we know that the attack was completed by hacktivists, so we need to understand what motivated them. Was it because your company supplied hosting services to an entity they believe to be immoral? Is that a battle your CEO is aware of, and something you can avoid in the future? We know the attack was timed over the festive period, likely to cause as much financial disruption as possible at a time when many of your staff are on leave and perhaps only junior personnel are watching the dials and controlling the response.
Is this something that can be remedied by employing temporary staff over the Christmas period to bolster your defences? Make sure that they are trained and that you have adequate backup plans in place, and that these are practised well before a major security event might occur. These are all simple systems that you can employ to provide better defences throughout your organisation.
Removing a risk that you know has been exploited before, and doing so before it has time to crystallise into a major problem for your organisation, is surely a much better way of controlling those threats that are almost certain to appear should you find yourself somewhere inside the incident pit.