When you ar in search of the RIGHT solution to solve your security lapses or incident, how can you better chart your investigation and analysis to find out more on the relevant who, when, where, what, how and (importantly) why of this predicament. It is all about asking the GOOD questions. Read on..
The problem isn't a lack of security solutions or some like to say "point" solution. There are many and variants of solution to address the cyber threat faced today. However, it is not the lacking of it that complicate or make the cyber threat statistic still rising and more in the future.
(In fact - Seeing more is NOT necessary good, but NOT even ambivalent of what is good is definitely bad. Knowing which 'cat' we are trying to skin is paramount to get us right in the first step. In fact), I am glad that others 2] also see the need to be more inquisitive - curosity does not "necessary" kill the cat - we learn from mistake but we need to make mistake or not taken granted past mistakes)
It's that the 'right' solutions aren't always being implemented, and the fact that with the right "mix" and "use" of the solution, we can be better off. Those means need not be security solution - it is simply doing first thing right by asking ourselves the RIGHT cyber savvy questions.
What do I meant by that?
You can check out my first article 1] or the strategy changes to stay ahead of the cyber chase of the perpetrators.
Asking the right cyber questions help to focus our overall strategy, and delve into HOW we can better answer our REAL questions to address the current predicament (or advise) our management (perpetrator favourite target no '1') query - "How are we doing today?" in a short, concise and high confidence reply.
Nothing beats knowing your nemesis agenda in each of their cyber kill chain phase. This helps each individual to strategise and enforce effective and efficient controls (and getting the right solution) to detect, deny, deter and fend them off out nemesis mult pronged attempts.
What is the main gist coverage in this article ?
I came up with a simple (hope it is) list of question that may come in handy to aid any cyber professional better assess and eventually ask the "right" question. This comprises of simple mixture of Who, What, When, Where, Why and How centric questions. The takeaway is not about the number of question to be put across and think through but importantly, one should not be daunted even if asking wrong questions and making this as need to and in all effort ask right contextual question to your environment at the very beginning.
In short, we are just trying to find the root cause and swiftly close up gaps that are (or going to be) exploited.
The list - start of soul searching and sanity checks.
Who matters most (or you can trust most) in your organisation?
Who is the your (and "their") VVIP, Investors, System Owners, and Decision Maker ?
Who are the external parties e.g. main supplier , contractor, cleaner, security guard, etc (in other words outsiders) ?
What is your Organisation Business Objective and key critical ICT or non-ICT asset?
What is your first worry when Cyber attack or disaster befall on key asset is made known to you?
What is your stakeholders first worry when Cyber intrusion / breach befall on the key asset is made known to them?
What is your Organisation tolerance to those cyber incident (0% or 100%) ?
What are the potential threats and trigger that your asset cannot tolerate on ANY intrusion / breach?
c) (Likelihood of (a) and (b) )
Where is your organisation 'safest' and most secure cyber point (many of others' assumption) ?
Where is your organisation 'weakest' and most insecure cyber point (always your assumption) ?
When and Where is your organisation past known intrusion / breach occur ?
When and Where is your organisation past unknown (no typo here) intrusion / breach occur ?
d) (Objective to address (c) )
Why these matters most (again) in organsation (recap)?
Why do you think you be under attack and why the "other side" target you (recap)?
What will be your list of priority to secure and protect from top to bottom of importance?
What are the ultimate motive behind in the known attacks?
Why (then) do you think that you can be under their target list ?
Why (then) do you think that you are always not aware of unknown attack and reactive in response ?
e) (Means to focus on (d) )
How are those key asset in your organisation affected in phases?
How are those action take place in stages ?
How are those techniques revealed in their phase of attack ?
How are signs and symptom revealed in their phase of attack ?
Move forward with those questions - Cut the Chase
f) Decide the risk level based on threat exposure and business asset value upon breached
(What) Likely Threat and its Actors, Known Critical Asset (ref Asset inventory management)
(What) Business impact level (ref Asset breach and inavailability to meet business objective)
(Who) Stakeholder and Response team well informed
g) Readiness check for continuous monitoring in proper
(Who) System owner, internal and external supporting personnel and Security OPS team
(What) Scope cover all known Critical Asset and newly identified assets for onboarding
(Where) Scope the Indicator of Compromise (IOC) in area of networks, Web, INfrastructure, Information and Identity and Identify the source of the IOC
(How) Compliance of Policy, Standard, guidelines and best practice references
(How) Proper Personnel security awareness in proper and updated timely
(How) Trust and Verify by sharing and clearing all doubts and outstanding issues surfaced
(How) Delegate (and Absolve) the key role and responsibility to the parties involved above
(How) Mitigate and Remediate exposure to reduce overall impact level (ref recovery SOP)
(How) Robust Incident response framework to isolate, contain and recover timely.
h) Readiness check for incident management in proper
(Who) Aggregate all possible indicator of compromise as part of investigation
(Where) Leads and Symptoms in Audit trail, security logs, Application/Systems/network related metadata, external and internal insight and social intelligence
(When) Time of prior incident (D-n), incident (D) and after incident (D+n)
(How) Use of standard to communicate across as form of intelligence sharing e.g. STIX language to define set of cyber threat intelligence idioms
I hope the article can help and feel free to share and add on (or even correct) the list since there are many means ("ways"). Ultimately, this is to benefit not one but the swarm of cyber community. This list is also part of requirement you may want to explore on candidates or vendor to further advice.