What Next, Hordes of Locusts?
It is said that any threat with enough resources or motivation will eventually find a vulnerability in a system. As I watched the overflowing Hudson River decimate the park, marina and restaurant behind my office, that theory became a staggering reality.
On Sunday, Troy, NY experienced its worst flooding since 1977. With record rainfall from Hurricane Irene, many area dams were at risk of failure and creeks and rivers were over their banks. Homes were flooded and vehicles were destroyed. Boats were lost from marinas, washed down the river along with tons of trees, barrels and other debris. The crowds of people who had gathered in front of the now-underwater Dinosaur BBQ added to the chaos.
Today, however, just hours after the event, our city is already getting back to normal. Walking through the areas hardest hit by the flooding, it’s clear that recovery is well underway. The crowds have dissipated, the police tape is slowly disappearing, and businesses are getting back to normal operations. This recovery is occurring in large part because the first responders, law enforcement, FEMA and DHS personnel who responded to the disaster were prepared.
No one could have anticipated that Upstate New York would be hit by both an earthquake and a hurricane in the same week. In fact, we were probably more likely to see a unicorn. But a good Incident Response plan assumes that we won’t necessarily have all of the intelligence, resources or time that we need to counteract a threat. A good Incident Response plan can also mean the difference between a business returning to normal operations and a total disaster.
Security incidents come in all shapes and sizes. One day you may be responding to a malware outbreak, the next day you may be responding to the $250,000 that has been siphoned out of your company’s bank account. Irrespective of the type of organization, a good Incident Response plan should address the following:
- Containment – Whether isolating the latest worm or preserving evidence of a data breach for litigation, your containment strategy will vary depending on the incident. The most important considerations in this step are minimizing damage and neutralizing the threat without affecting your downstream mitigation options. It is important to understand your threat before enacting a containment strategy – an active shooter requires different counteractions than a perimeter attack.
- Mitigation – Once the threat is contained, it should be addressed. Again, an understanding of the threat is important. In many instances, expertise in evidence preservation and chain of custody is critical, particularly in situations where legal proceedings are anticipated.
- Recovery – Rebuilding systems, restoring from backups or providing counseling for employees are all essential steps in the Incident Response process. Effective recovery requires advance planning and preparation, but it will provide significant returns if done properly.
Lastly, your Incident Response plan should be governed by policy and handled by a team specially trained in response procedures. It’s not unusual to outsource some of your incident handling efforts. In fact, asking an internal team to perform technical forensics tasks or to understand the intricacies of evidence preservation could be like asking the Pakistani Army to capture bin Laden – it could get very messy and leave you without the desired outcome.
I had lunch in downtown Troy today, and if I hadn’t witnessed the flooding firsthand I would’ve never guessed that large parts of the city were underwater 24 hours prior. Thanks to preparation, a trained team and a good Incident Response plan, today’s pizza tasted just like any other day.