Former Black Hat’s Perspective on Incident Response Planning for the Unexpected

We were at war, you and I. Not that any actions on your part merited being my enemy, but rather, you had a computer and I wanted to see if I could solve the proverbial puzzles to disarm your security. It wasn’t personal, trust me. I chalked it up as being the nature of the game.

After all, some people are driven by the excitement to solve puzzles, which gives them a profound sense of accomplishment and self-satisfaction. Even though playing the science of anti-security was like a game with infinite levels, it was none other than a wargame. Only one of us was walking away as the victor, which was a choice I left to you.

The circumstances that conceived this kind of warmongering mentality came from having to deal with other hackers. As a consequence, this became the necessary force that cultivated my Incident Response Plan. This needs to be your mindset as well.

This means hackers were prime targets, too - same as you. Therefore, if bad attitudes sparked off a major conflict between individuals or the hacker groups they were associated with, the memory of our failure to protect and defend our reputation as well as our online resources would be immortalized. After all, the internet has a long memory.

Knowing that we could potentially suffer at the hands of a threat actor, especially if we were careless or positioned the wrong individual tasked with protecting our online presence, we had to treat our web security and incident response plan as if it were a matter of life and death, and it was, in a sense.

Let me take you on a trip down memory lane. There was a time when I was at war with a rival hacker group, who were always probing for weaknesses in our web server and our personal online accounts.



When Disaster Strikes Hard

One day, our server admin exposed our database and our rivals quickly seized control of it. The race was on to quickly remediate the exposure as well as secure the accounts by changing our passwords. Plus, I had to reach the admin so I could get a better understanding of what transpired.


But none of that happened, because each one of us was sniped offline with heavy Distributed Denial of Service (DDoS) attacks, which delayed our recovery. Even our honeypot was useless at that point because I couldn’t access those logs either.

The problem wasn’t the overwhelming attacks we suffered, or the database leak, but rather the gaping hole in our incident response plan, which wasn’t executed according to plan. Compounding this, the plan never accounted for two necessities: access to a redundant server so we could regain control of the affected database we were locked out of, and event logs rerouted offsite so we could analyze them and understand what was occurring even while the primary systems were unreachable.

With our own internet connections completely toasted, I had to hop in my car and drive to a public wireless access point just to begin remediation, which cost us precious time. None of us had been prepared to adapt to such escalating elements simply because we had thrown in all our chips with a standardized playbook that always worked before, but did not factor in attacks we had never experienced. We had no planned defense against the unexpected.

In other words, maintaining an actionable incident response plan was a matter of life and death for us; it was what allowed our group to flourish. Obviously, the opposite became true, as the attack ended up costing us our base of subscribers, a loss of memberships, a loss of services, and a damaged reputation, which took a long time to rebuild.



The Power of Adaptation

Unfortunately, cybercriminals gain from the mistakes made by members of an Incident Response Team when they fail to execute their responsibilities according to the rehearsed playbook, and also when they fail to adapt to new, evolving situations. If the attackers become aware of your inability to adapt to new threats, it’s your loss, because the attacker will realize this and take it all the way to the bank.

Sporadic incidents may force you to operate in an unfamiliar environment under unrecognizable conditions. Lack of preparedness will likely cause you insurmountable stress and anxiety, which will lead to poor decisions.

A threat actor will be able to interpret your decisions from event logs and other system tools. If this happens, you will sharpen their attack focus: they will know they have obtained the upper hand and have kept your efforts from being effective.

“A military force has no constant formation, water has no constant shape. The ability to gain victory by changing and adapting according to the opponent is called genius”
Sun Tzu, The Art of War.

In totality, the Incident Response playbook must be regarded as the baseline or foundation when responding to a security incident, but it will not always provide all the answers when a threat actor operates outside the scope of what your team has rehearsed.

Therefore, it must serve as the foundation from which all your tactics evolve, because the tactics employed by threat actors are always in a state of evolution. Your Incident Response plan serves as the center, but it cannot remain your principal tactical mechanism for resolving and preventing all incidents.


Security in stasis isn’t security. In fact, cybersecurity is more like kinetic energy, as it is always moving, shifting, breaking, and rebuilding.

For this reason, it is immensely beneficial to have an agreement among your security team to allow designated team members to covertly launch unannounced spontaneous skirmishes by engaging in simulated Red Team attacks that may not be defined by your standard playbook. This can be useful simply because it will provide opportunities for growth with a margin of trial and error within a controlled environment, without any loss to the company.


Attacks don’t happen on schedule, and if your security team only ever simulates the attack vectors it is most familiar with, good luck developing a knowledge base on how to respond when an actual threat actor throws a monkey wrench into your rehearsed incident response routine.


“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Sun Tzu, The Art of War.

After all, this is a war. Expect the unexpected.


Threat Actors Gain From Your Mistakes

The one thing I want to demystify is that security incidents do not “pop up.” They are caused. Mostly, these incidents occur either by authorized users who somehow accidentally expose sensitive company information or from threat actors who seek to infiltrate company systems, without being detected.

Back in my day when it came to detection, I was seldom caught intruding on a network simply because it was my practice to operate during nighttime hours, and the targets I typically focused on weren’t equipped with intrusion detection software or equipment of that nature.

Worse, those that were didn’t receive notifications that an intrusion was taking place, and those who did weren’t paying attention to them. The longer it takes to respond to incidents, the deeper a threat actor can burrow in order to maintain connectivity.

The fact of the matter is that it is easier for a threat actor to discover exploitable vulnerabilities in a company's systems than for a competent security team to uncover and fix every single bug or flaw in the network.


That doesn’t mean threat actors have the upper hand here. It only means that vigilance and readiness are key. If your security team is going to maintain the upper hand, then it is imperative to understand that when it comes to cybersecurity, everything depends on your ability to actively monitor and respond to incidents.

Control your battlegrounds.


An article by Jesse McGraw

Edited by Ana Alexandre
