When the kids at the schools where I speak ask me what I do for a living, I don't tell them I postulate about quantifying the loss of opportunities when we delay a response to an incident or malicious cyber-attack. I tell them I help the world fight cyber attackers. It just happens that this work gets me thinking about how to make us better at battling back. That's where this blog series started, with a really bad couple of weeks of Friday afternoon calls from customers who had run out of options and now needed someone else to come in and help them.
In my last two posts in the series I postulated that there was a quantifiable loss of opportunities when we delay a fast reaction to an incident caused by a malicious attacker. I even came up with an equation for it: TID – TCA = ∆T = LO, Time of Incident Detected – Time to Call for Assistance = Delta Time = Lost Opportunity.
From the time we detect that something bad has happened (or has been happening) to the time we call for expert assistance, we lose many different types of opportunities. Attackers become evasive once detected, which may cause them to move to the exfiltration phase of their campaign:
- Start grabbing data quickly without being concerned with remaining hidden
- Wipe their tracks by deleting any evidence they can, making it incredibly difficult to nearly impossible to find out what has happened
- Shift their back-end operations and decommission IPs or servers, or leave them in a state that provides no additional help for an investigator, further covering their tracks
- Become aggressive and start deleting data
- Make networks unusable
- Cause mayhem and mischief as a means to redirect your efforts so they can finish their campaign
- If there is a significant delay between detection and reaction, the victim organization could be considered negligent in its response, which may bode poorly with regulators and shareholders.
- Then some “good guys/gals” will lose their jobs. This is the worst thing that can happen, for the obvious reasons and some less obvious ones, like the underlying faith in the field of information security at the C-Level.
Determining the amount of loss in these situations in financial terms is irrelevant. From the conversations I have with peers, partners and clients, we all agree: the longer you wait, the greater the cost. You may lose financially, you may lose credibility, but worse than all of this, you lose to the adversary. You give them the opportunity to do more damage, hone their skills, gain more ground, and overall win.
If you want to have a dollar value for an incident, then I suggest The Ponemon Institute's data breach calculator.
My advice, after years of being in Information Technology: make the call immediately to an incident response provider or internal IR team. I charge nothing to speak with a customer about their situation and provide guidance. Better not to wait until Friday afternoon and cost yourself a lost opportunity.