A Former Black Hat’s Perspective On The Importance of Incident Response Planning

Every connected device on the internet exists as a nexus state, like a global mesh of neurons firing through brain synapses, as critically important information passes through this enormous hive of constantly flowing data near the speed of light. The equilibrium of the entire organism depends on each component working in tandem to do its part – one misfire, one inoperable piece of this complicated machinery could cause the whole thing to come crashing to a halt.

According to statistics from WebARX Security, 300,000 pieces of new malware are developed daily by threat actors. Additionally, Forbes reported that on average 30,000 newly created websites are hacked every day. Once a site’s source code has been modified to distribute malicious payloads to its daily visitors, the infection could theoretically propagate endlessly. Is your company ready to do battle against threat actors? Or do you intend to call someone to “take a look at it” after your proprietary data has been stolen and sold on the Dark Web?

The above statistics mean that a user will face an untold number of new hidden threats every single day, regardless of experience. Since there is no indication that cyberattacks will be on the decline, it is important for every user down the chain of command to familiarize themselves with their company’s local network policies, for Administrators to stay alert, and especially for Computer Security Incident Response Teams (CSIRTs) to be ready to go at a moment’s notice.

Maintaining a healthy and secure network requires vigilance, and not merely from an Administrator’s position on the network. Weak points don’t always begin with hardware misconfigurations or buggy software – they often involve weaknesses in the chain of operators, from the systems Administrators down to the general user.

Therefore, the relationship between users, their devices, and their knowledge and practice of local network policies and an Incident Response Plan can ultimately help detect, mitigate and possibly deflect the harmful impact a threat actor can have.

When You Are The Weakest Link

Many years ago a small group of teenagers, high on energy drinks and electronic music, broke into a bank’s command center. Under normal circumstances, they usually broke into networks after business hours, when they were the least likely to get caught by a vigilant admin. But trying to evade detection even when the network was buzzing during working hours seemed like a thrilling proposition. They got through an undefended opening into the network using Telnet. From there, they were able to escalate privileges and establish a remote desktop connection and log in as an Administrator.

They were now able to access the desktop. Next, they made a beeline for the Event Viewer and immediately proceeded to modify the logs, erasing evidence of their intrusion. For their next move, they intercepted and analyzed all the data traffic flowing through the network while poking around for any interesting sensitive information.

After all, oftentimes when there’s one hacker, there are more, because we have a tendency to want to share our exploits and successful break-ins with others.

I was one of those people.

The Administrator was active on the network but was egregiously unaware of the sudden flurry of activity taking place during his shift. It was a curious circumstance, because as a former network security analyst, as long as I was doing my job, it would have been virtually impossible for me not to notice an intrusion taking place. After analyzing the packet traffic we intercepted, we soon realized why the Administrator hadn’t noticed the intrusion: he was preoccupied with another workstation downloading, let’s say, personal content that was most certainly in gross violation of company policies.
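Had an alert like the following been in place, the log tampering in the story above would have surfaced on the Administrator’s console within minutes. This is an added example, not code from the original article or its author: the event records and account names are constructed, and the Event IDs it relies on (4624 with logon type 10 for a remote-desktop logon, 1102 for the audit log being cleared) are the standard Windows Security log IDs.

```python
# Added example (not from the original article): flag the pattern in the story
# above, a remote-desktop logon followed shortly by the Security log being cleared.
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, already exported as dicts.
# Event ID 4624 with LogonType 10 is a RemoteInteractive (RDP) logon;
# Event ID 1102 is "The audit log was cleared". Both are documented by Microsoft.
SAMPLE_EVENTS = [
    {"time": "2021-03-01T14:02:10", "id": 4624, "user": "ADMIN", "logon_type": 10, "src": "10.0.0.55"},
    {"time": "2021-03-01T14:05:42", "id": 4672, "user": "ADMIN", "logon_type": None, "src": None},
    {"time": "2021-03-01T14:06:30", "id": 1102, "user": "ADMIN", "logon_type": None, "src": None},
    {"time": "2021-03-01T09:15:00", "id": 4624, "user": "JDOE", "logon_type": 2, "src": "-"},
    {"time": "2021-03-01T17:40:00", "id": 1102, "user": "BACKUPSVC", "logon_type": None, "src": None},
]


def find_log_clears(events, window=timedelta(minutes=15)):
    """Return one finding per 1102 event: dict with user, clear_time, rdp_time, severity.

    Severity is "high" when the same account made an RDP logon within `window`
    before the clear, otherwise "medium". Clearing the audit log is never routine,
    so every 1102 is reported, not only the correlated ones.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    last_rdp = {}  # account -> time of its most recent RDP logon seen so far
    findings = []
    for e in ordered:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4624 and e["logon_type"] == 10:
            last_rdp[e["user"]] = t
        elif e["id"] == 1102:
            rdp_t = last_rdp.get(e["user"])
            correlated = rdp_t is not None and t - rdp_t <= window
            findings.append({
                "user": e["user"],
                "clear_time": t,
                "rdp_time": rdp_t if correlated else None,
                "severity": "high" if correlated else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_log_clears(SAMPLE_EVENTS):
        tail = f" after an RDP logon at {f['rdp_time']:%H:%M:%S}" if f["rdp_time"] else ""
        print(f"[{f['severity'].upper()}] {f['user']} cleared the Security log "
              f"at {f['clear_time']:%H:%M:%S}{tail}")
```

In a real deployment the 1102 event itself is the trigger; the RDP correlation only ranks how urgently someone should look, and an intruder who clears the log still leaves the 1102 record behind in the freshly emptied log.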

Had we harbored the typical malicious intent to siphon off customer information and compromise accounts, this could have gone badly for the parties affected by the intrusion. Yet we were only interested in the hardware.

Incident Response Planning For Every Scenario

A Cyber Incident Response Plan lays out the security measures to be taken in the event of a breach, so that trained personnel can make the correct decisions and bring the network or affected devices back under their control in the most efficient manner possible.

Regardless of the scenario, whether it be gross negligence, a simple lack of oversight, or even a highly skilled intruder able to defeat even the best security, if a threat actor gains access to a protected computer system, it would be prudent to assume that the whole network has been compromised until that possibility has been eliminated. This is one of the reasons why Incident Response Planning is so crucial: without it, it will be near-impossible to effectively assess and prevent damages in the limited timeframe available.

Responding to breaches can be a very challenging endeavor. If the responders are not conducting the investigation in a coordinated manner, the outcome could cause extensive, and preventable, damage to a company’s reputation and financials.

The following is a basic guideline that has been condensed and modeled after Wembley Partners’ Cyber Incident Program in-a-Box, which in turn takes into account the Incident Handler’s Handbook published by SANS, serving as a standard for IR plans and a must-have for any serious CSIRT:

Components of a World-Class Cyber Incident Response Program

Final Thoughts

Cybercrime is predicted to escalate exponentially in the years to come and to cause damages amounting to $6 trillion USD worldwide this year alone, which would make cybercrime the world’s third-largest economy after the United States and China.

It is a matter of life and death to a company’s brand to maintain a competent staff of IT personnel who know and understand what is at stake if someone falls asleep at the wheel. This is especially important in 2021, with threat actors funded by entire countries lurking in the shadows looking to reinvigorate their respective economies via ransomware or by stealing valuable intellectual property.

As threat actors test and implement new sophisticated methods of intrusions every day, it is imperative to devise, test, and operationalize a Cyber Incident Response Plan in order to thwart and mitigate the possible damage caused by an intruder who may not be motivated by curiosity.

In retrospect, no intrusion is truly innocuous, simply because regardless of the individual motives of a hacker, we never close the door behind us if and when we leave. That door then becomes an opportunity to be found and exploited by the next threat actor, continuing the cycle of abuse until a competent incident response team discovers and fortifies that proverbial door.

An article by

Jesse McGraw

GhostExodus is the former leader and founder of the hacktivist group known as the Electronik Tribulation Army. Naturally, he is passionate about cyber security, being a former threat actor and insider threat. Aside from InfoSec, justice reforms and other social impact initiatives are topics important to him.