Word Notes 8.10.21
Ep 62 | 8.10.21

incident response (noun)

Transcript

Rick Howard: The word is: incident response.

Rick Howard: Spelled: incident as in data breach or cyber attack, and response as in a coordinated effort to react to an event.

Rick Howard: Definition: A collection of people, process, and technology that provides an organization the ability to detect and respond to cyber attacks.

Rick Howard: Example sentence: After the data breach last month, we improved our incident response program by creating new standardized operating procedures to limit the damage in future attacks.

Rick Howard: Origin and context. In 1986, a 75-cent discrepancy in the Unix accounting system at the Lawrence Berkeley Laboratory, or LBL, led to one of the first documented cases of cyber espionage. Back in those days, we charged users for the computer time they used.

Rick Howard: Detailed first in a 1988 Communications of the ACM article entitled "Stalking the Wily Hacker," and then more fully realized in the Cybersecurity Canon Hall of Fame book "The Cuckoo's Egg," published in 1989, Dr. Clifford Stoll followed a seemingly innocuous trail of breadcrumbs that eventually led to the discovery of East German hacker mercenaries, working for the Soviets, with the ultimate goal to break into U.S. Military networks.

Rick Howard: Although Dr. Stoll never called his investigation "incident response," for all intents and purposes, he created the incident response field in that investigation. In 1988, close on the Wily Hacker's heels, came the first-ever internet distributed denial of service attack, called the Morris Worm. A 23-year-old Cornell University graduate student named Robert Tappan Morris was experimenting with the idea that a computer program could spread itself silently across the internet. His experiment got away from him and, according to the FBI, within 24 hours Morris's worm had directly infected 6,000 of the 60,000 computers that were connected to the internet at the time, rendering them unusable and creating an internet traffic jam for the remaining unaffected computers.

Rick Howard: In the aftermath, the Defense Advanced Research Projects Agency, or DARPA, sponsored Carnegie Mellon University to establish the first Computer Emergency Response Team / Coordination Center, or CERT/CC, to handle these global cyber events in the future. Between the Cuckoo's Egg and the Morris Worm, incident response was born.

Rick Howard: Nerd reference: Dr. Clifford Stoll is one of Infosec's most colorful characters, and in 2011, he retold his legendary incident response story on the AT&T YouTube channel.

Dr. Stoll: Oh yeah, it was 1986. I'm doing astronomy over in Berkeley, California. And one day I'm walking in and I notice the accounts are off to the tune of 75, 85 cents. My accounting inside my Unix machine is out of balance. So I start looking, start poking, and I notice that it looks like there's somebody using my Unix machine without permission, in an account from a friend of mine. Joe Sventek's account is being used without any permission. Somebody has changed the password to it.

Dr. Stoll: Maybe I have a hacker, somebody who's coming in who has superuser privilege. They're able to get in and manipulate anything they want in my machine. They have the same license as the system administrator has. Thinking about it, I come back and say, how can I find it? How can I prove this? Maybe it's this, maybe it ain't. How can I prove it? Yes. Prove it. No.

Dr. Stoll: Eventually it took a year of tracing things back and finding that, oh yeah, the guy would come in and he was stealing military stuff. We're not a military installation, but this guy thinks that we are, which shows he's not around here. Meanwhile, we're tracing backwards. Tracing from Berkeley, California, to Oakland, across AT&T long lines, to trace them back to Virginia and from there up into a satellite. But then it turns out that to track him back further, it would take two hours or so. And the guy was smart enough, he was clever enough, that he'd only connect for a few minutes at a time.

Dr. Stoll: How are we going to catch this guy? You have to keep him online for a couple of hours in order to track him across the ocean. But we need something that he'll go for. So, I'll set a trap. I'll make a file in my system that's so, so interesting, full of all sorts of bogus national security things, filled with all sorts of neat things, that somebody will say, oh, wow, I've got to read that.

Rick Howard: Credits: Word Notes is written by Nyla Gennaoui. Executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.