Why your IR team should be more like Scooby Doo

News by Doug Drinkwater

If you want to get incident response right you need to channel Chuck Norris and become a bit more like the Scooby Doo team, says SANS instructor Steve Armstrong.

Armstrong, who formerly led the RAF's penetration and TEMPEST testing teams but who now works as technical security director at Logically Secure, gave an entertaining and enlightening presentation on incident response at the 44CON conference in London on Tuesday.

In it, he stressed that most threats are “nothing super-special”, with incidents often owing to firms getting the basics wrong. Citing the recent Verizon DBIR report which indicated that most hackers continue to exploit year-old CVEs, he said, “We're talking about people here that are not doing the basics.”

In theory, Armstrong said that an effective incident response plan should see “geeks that love to geek, leaders that love to lead and managers that love to manage” but he admitted that this isn't always the case, with plans often falling down on communication and other factors, such as poor logging.

“A lot of time the leadership fails and it stops the remediation – the incident response – from working,” said Armstrong.

A solid Digital Forensics and Incident Response (DFIR) plan relies on workers sending good intelligence, statistics and data on to managers, who in turn translate this for the leaders, but Armstrong said that any disconnection along the way would see “risk comprehension and funding go away.”

At this stage, "directors are no longer engaged in what's happening”, employees are demotivated and the intelligence value is lost.

Instead, he urged 44CON attendees to follow the much-publicised OODA loop, which was used by air force, to become more fast and agile, even citing the beloved Chuck Norris as an example. Norris, a martial arts expert and actor who is now 75 years old, would “still kick your arse” because he responds to his strengths and sees his opponent's every move. “His OODA loop is so tight," said Armstrong.

For example, he said that a Sysadmin or IT security team could observe an intruder on the network, decide a plan of action and remediate. If you can't react this quickly, “something will out-manoeuvre you.”

He urged attendees to think about their plan, their communication (for example, how are they going to communicate if their network has become a hostile environment?) and how they can scale up operations? The whole plan, said Armstrong, needs to involve everyone – including legal and management.

He warned too of perceived skills and actual capability – comparing young children to doing martial arts. “Attackers can see the inefficiencies of your team – they know you're not Bruce Lee. So you've got to make sure you look at the team, look objectively at what they're capable of doing. If they're not [up to speed], look to infill with help, or onsite training.”

Skills are not the only problem though, with Armstrong warning too of a lack of visibility due to poor logging and weak knowledge of their own networks. Getting legal on-board is vital too as they are “decisive” in affecting the leadership, but warned that they will put in more hoops in the IR process and also “won't let you hack the hackers”.

Plus, if you're going to bring in external support, you should be organised and open because otherwise they won't be of great support. 

In short, Armstrong said your IR team needs to be like Scooby Doo. Velma is the guru, the hacker, who is "sneaky and never sharing information", while Fred and Daphne are described as managers (they “grin too much so therefore must be managers”, joked Armstrong). Shaggy and Scooby are the main stars, as they are the “actual workers” that work as the bait.

Sean Mason, VP of incident response at Resolution1, said that the landscape is mixed when it comes to IR plans: “There are many organisations that have taken the time to invest properly in intel, detection and response capabilities and those organisations are generally more mature when it comes to actually performing incident response. Will these organisations still make mistakes? Quite possibly, however, by ingraining IR practices into the DNA of the organisation, they tend to make it muscle memory over time and the fundamentals, communication issues, and leadership gaps are overcome with time.

“On the other side of the fence are those organisations that have not invested in IR capabilities. I would agree that they suffer in every regard when it comes to not only dealing with an incident, but even having the capability to detect malicious activity. In my experience, companies in this position tend to botch almost every single aspect of an incident- even if they are calling in third party help - because they simply don't know what they should or should not be doing and leadership is issuing commands with limited insight and information."

Mason was less sold on the OODA loop because, unless specifically for governments, “it further illustrates how far apart Information Security teams are from speaking business language”.

“We can agree to disagree on the usage in this space, but the more mature teams will understand the concept but never use the term. That said, I agree that organisations need to be fast and agile when it comes to response. I've said for years that an incident is a perfect exercise in Agile Project Management - essentially executing short sprints to accomplish your objectives. Additionally, as you are dealing with human adversaries, you need to be able to quickly pivot and match them, move for move, sometimes in a matter of seconds or minutes. Speed is perhaps the most important- and most overlooked- aspect of incident response there is.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews