
Delete Yourself - Cognitive Bias During Incident Response

via YouTube

Overview

Explore cognitive biases in incident response during this BSides Cleveland conference talk. Learn how to develop and practice an effective incident response plan, emphasizing the importance of writing it down, understanding team roles, and knowing when to escalate. Discover the value of remaining calm and skeptical, verifying work at each step, and allowing subject matter experts to lead in their areas of expertise. Examine the role of logs in security investigations, understanding their limitations and potential for misinterpretation. Consider worst-case scenarios for your company and how to prepare for them. Gain insights into creating flexible incident response plans that can adapt to various situations, and understand the critical balance between technical expertise and legal considerations in cybersecurity incidents.

Syllabus

Intro
A cognitive bias refers to a systematic pattern of deviation from norm or rationality in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion.
Is this server vulnerable to this attack? Was this attack successful?
Incident Response Plan: Write it down. Practice it. Escalate rather than freak out. Understand who does what, and when they do it.
Was this device vulnerable to this attack? Was this attack successful? If so, this is a SECURITY INVESTIGATION.
At each step, verify each other's work. Let Subject Matter Experts be Experts (even the lawyers). Keep calm... remain skeptical. Understand at what stage to escalate and to whom.
Incident Response plans are best when they are general and flexible enough to adapt to the situation at hand.
Logs are a record of an event. Logs don't lie, but we screw up what they mean all the time. Logs rarely provide the closure you are looking for... or the closure the lawyers are looking for.
What is the worst case scenario for your company? Your logo on Krebs? PII posted to pastebin? DDOS from Anon? China stealing your IP? CEO in an orange jumpsuit?
