In the midst of all the recent articles about information breaches, a trend is emerging. We seem to be hearing more lately that prevention of breaches, while not to be ignored, should not be the sole focus of digital or physical security programs. More news articles, tweets from the infosec community, and even commercial products are talking about the importance of detection and response.  If the last year has taught us anything it’s that if someone wants to get in your network or steal your data, they can. What does this mean to pentesters, security awareness folks, or those of you who like to hack all things? It means an increased focus on social engineering tactics so commonly used to infiltrate systems, but specifically a focus on how to spot such tactics in the wild and what to do when you see them. Now, we’ve already spent no small amount of time going over various ways to identify social engineering when you see it. In keeping with the recent talk about the importance of response though, we’d like to offer some thoughts.

What comes after the huffing and puffing?

Do you know the story about the three little pigs? Remember that third little pig who built a house of brick, but also kept an ear out and knew to stoke up the fire when he heard the wolf coming down the chimney? Of course, you need to have your technical controls in place, just like the house of brick. But remember that attackers can use phishing to deliver malware. They can be close enough to walk through your front door, talk their way onto a computer, and take what they need back out the front door on a flashdrive. Someone half-a-world-away can call up the help desk and elicit your own staff to hand over information they didn’t know is valuable. In short, where there is a will there is a way. Remember also that identifying the vulnerabilities to SE is only half the equation.

The next step takes us back to our mantra, Security through Education. Education should include how you want your people to respond to suspicious activity once they do spot it. If you are a pentester, do you try to find out how many of the people you phished actually reported the suspicious email? Does your security awareness program track how many vulnerabilities were reported by your own people each year? Because hey, stats on your success might be helpful in getting your budget approved! Incident Response Plans aren’t just for fire-drills or (hopefully never, but you gotta plan) active-aggressors. You also need a response plan/policy for information breaches if you want to cut off a compromise in progress and hopefully limit the amount of data lost. We’ve come up with some response points that can be relevant to either red or blue teams.

  1. What technical controls does the organization have and how public is that knowledge? Hint: if the head of the IT department has a glowing recommendation on LinkedIn from an InfoSec vendor with whom they are currently working…the knowledge is public.
  2. Does the organization have a policy in place to mitigate an information breach?
    1. How can employees verify if someone is really allowed to be where they are in the building? And how and to whom should employees respond if they think someone is in the building who shouldn’t be?
    2. How can employees verify someone’s identity on the phone? And how and to whom should employees report a suspicious email or phone call?
    3. Do the people receiving the reports of suspicious behavior have a way to verify or respond to potential threats?
  3. Who has access to high-value data (financial transactions, technical controls, etc)? Are they receiving updated security awareness training on social engineering on a regular basis?
  4. Does the security awareness program include ways to politely question suspicious behavior (digitally, on the phone, or in-person) as well as some discussion of the critical thinking skills to process the answers they are given?
  5. If employees were polled, would they know the policies already in place for detection and response? Hint: planning is great but it doesn’t really help if no one knows what the plan is.
  6. If a breach is suspected, do the right people know who to call to figure out what was accessed, how the breach occurred, and how to close off the access point (or even determine if the bad guys are still there)?

It’s encouraging to see and hear more attention being given to identifying and investigating suspicious activity and persons in the moment because it means more people are talking about how to respond to SE tactics. Breaches happen (bumper sticker material right there, folks!) but we can take steps to mitigate the threat and potential damage. Keep in mind our third little pig. That pig didn’t walk around paranoid of his own shadow but he was aware of his surroundings enough to know when something wasn’t right and he knew how to respond when it happened.

Plan ahead if you want to enjoy wolf stew!