Cybersecurity News that Matters

[RSAC 2023] Skeptical mindset is vital for cyber incident response

by Kuksung Nam

Apr. 27, 2023
1:10 PM GMT+9

RSA Conference 2023 ― San Francisco ― It is crucial to keep a skeptical mindset when responding to cyberattacks, especially in the first several hours, cyber incident response professionals said on Wednesday.

“If you are somebody who is thinking about getting into the incident response space, something that you will learn is that you have to be a skeptic,” said Lesley Carhart, the principal industrial incident responder at Dragos, during a panel discussion at the RSA Conference. “What we do a lot of times in the first 24 hours is to think about why it might not be as crazy and severe as it really is.”

According to the expert, who has been in the incident response profession for 15 years, skepticism enables incident responders to be cautious about confirmation bias, a tendency to lean toward the information that supports what one already believes in. “When you’re doing good science, you are always trying to disprove your hypothesis,” said Carhart. “That is what we are doing in incident response, too.”

Wendi Whitmore, the senior vice president for Unit 42 at Palo Alto Networks, added that a skeptical mindset could allow investigators to apply the critical decision-making skills needed to determine the true nature of a cyberattack.

In addition, this process could work in victims’ favor in the first hours after a ransomware attack, according to the expert. Ransomware is a hacking method in which attackers hold victims’ data hostage through encryption and unlock the information after the payment is made.

“The more information that you glean from the potential attacker in those first hours, the more time you will be able to buy your organization to make a decision,” said Whitmore. “Attackers tend to always use time as a pressure valve on victims, and that is something that organizations can use very effectively against them.”

Katie Nickels, the director of intelligence at Red Canary and a certified instructor at the SANS Institute, asserted that being skeptical does not mean “not doing anything.” “If someone comes out with a blog post or a tweet saying it is Russia, stay focused on scoping the incident,” said the director. “Let’s not trust every random open-source thing. We can be skeptical, but still take action.”

  • Kuksung Nam
    : Author

    Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and...
