This week I was at SANS London learning about forensics. I’ll post a proper writeup on the course a bit later (it didn’t actually finish until this afternoon), but I thought I’d attend one of the SANS evening talks to learn something new and flex my rarely-used journalistic muscle.
The talk I watched was by Steve Armstrong of Logically Secure, and was entitled Explaining Incidents to Executives in Ways They Understand. As an incident responder, this title attracted me, and I’d recommend the session to anyone who has the chance to go and see it, but there was one story and strategy in particular that I thought was worth exploring here on the blog.
Steve explained the concept of an OODA loop – a cycle developed by John Boyd, a colonel in the US Air Force, which stands for observe, orient, decide and act. The problem many firms face in incident response, he said, is that this circle is too large because executives cannot decide what to do and responders do not have visibility of the decision-making process.
On this theme, Steve recalled a time one of his clients had just repelled an attack from a nation state-backed APT when it was faced with another similar attack from a different nation. In response he closed the OODA loop as tightly as possible, pulling infected systems and blocking indicators of compromise immediately, without waiting for investigations and approvals. It was hard work, but it pushed the attackers back to tactics like phishing.
“The morale boost for the organisation was phenomenal,” he said of the results of what he called the hostile asset recovery method (or HARM), “because just once they said, ‘There is the line. You have crossed it. You have f****d with the wrong guys.’ It was nice to say it was a Russian APT and we gave as good as we got.”
There was a bit more to the story and a lot more to the presentation – it lived up to its name, and as I said before, I advise you to see it if you can – but it was great to hear a first-hand account of how effective strong action can be in the face of a threat. Steve said he remembered thinking at the time that this was “the way IR should be”, and it’s certainly an incident response tactic that I’d like the chance to see in action in future.