Think before you act
08:00 Friday, 19 November 2021
UK Cyber Security Council
There is a little-known skill in cyber security: doing nothing. It isn't a skill unique to cyber security, either: it transfers to a wide variety of other disciplines.
In the event of a suspected security incident, it is very easy to jump immediately to a conclusion. If the suspicion arises because a user has called the Service Desk after being presented with a ransom demand on opening their budget spreadsheet, it would be understandable to spring into action and start dealing with a ransomware attack. But as well as being understandable, it may also be wrong.
Yes, what looks like an opportunistic ransomware attack, brought on by a user clicking something dodgy in an email, might be precisely that. But attackers are cunning and clever, and what you take to be the primary attack may merely be a distraction, intended to draw you and your incident response colleagues away from a deeper, more serious intrusion being perpetrated elsewhere in your systems. After all, if an intruder has already found their way through your defences into a core system, selling a dummy with a purported ransomware attack is child's play by comparison.
So when the call comes in, the first thing to do is stop, take a deep breath and take stock. This is particularly important if the call has come from a user - or even a techie - who is not a security specialist, because, with all due respect to both, you are the security specialist and they are not. How many times have you looked into a user's "virus infection" or "hack" only to discover that the cause of their "mysterious" file disappearance was user error, that a colleague had reorganised the shared folder, or that a scheduled, GDPR-driven data disposal script had removed the files exactly as policy required?
Network managers, in particular, will tell you that when something on the network breaks, the last thing you should do is touch anything. Well-built networks with resilient switches, routers and links can be configured to self-heal after a component failure, but the self-healing process can take a little while - a few minutes, even - as the remaining elements need to interact with each other to agree a new topology and route map. Manual intervention during this window will only make things worse.
Security systems don't behave in quite the same way: aside from clustering key components (firewalls, SIEM servers, and so on), broken security does not self-repair, so the actions you take will determine the outcome, and they had better be the right ones. That is why the skill of stopping to think, taking a step back, taking stock, considering the wider picture, perhaps asking colleagues for opinions and contemplating a few "what if" scenarios is an absolutely essential one in a security specialist. Just as a skilled network manager does not fret when they have confidence in their understanding of the network they built and manage, so a skilled security specialist should have the confidence to stand their ground and tell those around them: let's wait just a moment and think about this properly.
And it can be particularly hard, because an actual security breach may bring reputational, financial and regulatory impact. At this point we could quote Kipling: "If you can keep your head when all about you are losing theirs ...", but the telling part of his poem "If", which seldom gets quoted, is the continuation: "... and blaming it on you". Kipling wrote these words roughly a century before the first information security specialist blinked into existence, but they have a certain prescience when one considers the finger-pointing that can follow a cyber incident.
And this makes doing nothing more difficult than ever. Which means that the skill of doing nothing is one that has to be worked at and grown over time. The more one does it, the less difficult it becomes (it would be wrong to say "easier", as that would imply it is in some way straightforward), because taking a little time to think will more often than not pay for itself in the identification, analysis and eradication of an attack, and in the recovery from it.
Procrastination is, of course, a very different thing, and an incident left unaddressed will only get worse. But learning to stop, think and evaluate before starting to act is a skill worth developing.