RSA Conference 2023 ― San Francisco ― It is crucial to keep a skeptical mindset in responding to cyberattacks, especially in the first several hours, according to cyber incident response professionals on Wednesday.
“If you are somebody who is thinking about getting into the incident response space, something that you will learn is that you have to be a skeptic,” said Lesley Carhart, the principal industrial incident responder at Dragos, during a panel discussion at the RSA Conference. “What we do a lot of times in the first 24 hours is to think about why it might not be as crazy and severe as it really is.”
According to the expert, who has been in the incident response profession for 15 years, skepticism enables incident responders to be cautious about confirmation bias, a tendency to lean toward the information that supports what one already believes in. “When you’re doing good science, you are always trying to disprove your hypothesis,” said Carhart. “That is what we are doing in incident response, too.”
Wendi Whitmore, the senior vice president for Unit42 at Palo Alto Networks, added that a skeptical mindset allows investigators to apply the critical decision-making skills needed to determine the true nature of a cyberattack.
In addition, this process can work in victims’ favor in the first hours after a ransomware attack, according to the expert. Ransomware is a hacking method in which attackers hold victims’ data hostage through encryption and unlock the information only after a payment is made.
“The more information that you glean from the potential attacker in those first hours, the more time you will be able to buy your organization to make a decision,” said Whitmore. “Attackers tend to always use time as a pressure valve on victims, and that is something that organizations can use very effectively against them.”
Katie Nickels, the director of intelligence at Red Canary and a certified instructor at the SANS Institute, asserted that being skeptical does not mean “not doing anything.” “If someone comes out with a blog post or a tweet saying it is Russia, stay focused on scoping the incident,” said the director. “Let’s not trust every random open-source thing. We can be skeptical, but still take action.”