* Posts by Matthew Turnbull

1 post • joined 15 Jul 2015

Been hacked? Now to decide if you chase the WHO or the HOW

Matthew Turnbull

Why?

I'd argue there's a third question to consider, which can change our relative perception of the other two. "Why"?

"How" is obviously an important part of the analysis - where were you weak, and what are you going to change so you don't get hit the same way again? It should also be feeding back into your post-incident risk review, to determine whether appropriate controls were not identified, not implemented, or deemed inappropriate. It's an area that sits almost exclusively with the technical areas of the business, and is entirely reactive.

"Who" seems to do nothing more than feed our innate desire for retribution, and as such serves no useful purpose. Unless...

"Why" were we a target? If we can understand what made us attractive, and what the (currently unidentified) ultimate actor gained from the effort, then we gain a whole different perspective on "Who". If, for example, we determine that the end goal was a boilerplate Cryptolocker for ransom, then it is likely that we were not an explicit target and "Who" is indeed an irrelevant distraction.

But what if someone went after sensitive intellectual property related to an as-yet unreleased product or invention, for commercial gain? If that's the case then the "Who" becomes a whole lot more important - if I know who has stolen my intellectual property then I have an option on various damage limitation exercises (injunction, PR, bringing forward product release, etc.) that are still very useful tools to protect my as-yet uncapitalised development investment. We have a time window where we may still be able to influence the ultimate outcome of the incident, if we ask the right questions and respond appropriately. This certainly seems to justify rebalancing the analysis effort.

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2021