Have You Added Personas to your Incident Response Program?

Tuesday, October 23, 2012

Tripwire Inc


Article by Shawna Turner-Rice

Given the wide variety of vectors in the threat space, most incident response programs have some sort of palate of test sets they can run; essentially different scripts for different “kinds” of incidents. Another way to change the perspective on your preparedness is to consider the personas that could be behind the incident. By putting a proverbial “face” to the simulation, you could learn new things about your preparation levels.

In software development, the UX use of personas is about distilling what is the most valuable functionality for the target audience. This discipline is identified as being of particular value when the system is complex, and I haven’t met anyone dealing with security lately who seems to think we aren’t poster children for complex environments. While the security industry as a whole talks about how there are at least 3-5 differing “styles” of attacker; I think as defenders that we can go further by combining our understanding of those styles with the discipline of User Experience Design to improve our defense play book.

The traditional 3-4 “styles” of attacker we’ve identified are:

  1. Money driven (looking for ways to convert information into cash, either directly or indirectly)
  2. Intellectual Property seeking (typically associated with “APT”)
  3. Embarrassment causing (typically associated with Hacktivism)
  4. Internal actor (this is nuanced based on the impact of phishing, and that it may overlap with the other 3 goals).

If you’re interested in more details about these personas, some documentation I saw just this last week, and there are lots more beyond these available from a Google Search:

So, how can you use this information? If your Incident Response team primarily does table top exercises, starting one of those with a defined list of what would make each of these personas happy should allow insight into how differing goals for attackers render can change perceived risk levels dramatically. You can couple that changing risk profile with an understanding of your vertical to see if items that perhaps were below the risk threshold when you focused on only one type of attacker rise up when there are 3 different types.

For bonus points, you can work with your business continuity / risk officers to identify how at risk your individual organization or vertical is. Additionally, it’s always a good idea to know what criteria / thresholds should make you re-evaluate those risk levels. An example is that just this week banks were told to go to high alert; specifically due to DDoS attacks that fit the “cause embarrassment” persona.

If your Incident Response team does active red and blue teaming, this could be a way to add some spice to their life. Allow some research time, since there’s some really good documentation out there identifying the differences in exploit behavior; and to emulate those attack models might be unusual and require some additional corporate support.

For the gaming activity using the persona that’s out to embarrass a company, you may want to consider designating a “home” server to serve as a pastebin equivalent. This allows you to create a metric for how long it took for data to show up on the “home” server to measure the attacking team. The defending team can be measured via the timeline it takes to identify the access / egress methods.

For Intellectual Property seeking simulations, the metrics might be different. You could consider measuring the attacking team based on how long they were able to go undetected in an area. A way to do this might be to allow the attacking team to browse selected real file systems and place “gotcha” items in those directories. Time to detection is a valid metric for both attacker and defender on those added / modified items.

For any activity you do, it’s important not just to measure how well the organization did in a stress test situation, but to evaluate where your opportunities for improvement are. In my experience, personas are a great way to communicate a rich context very quickly once they are introduced. If you’ve used personas, I’m sure people would love to hear your experience as well! Drop a note here, or tweet me @STurnerRice.

Cross-posted from Tripwire's State of Security

Possibly Related Articles:
Information Security
Enterprise Security Risk Management Social Engineering Incident Response
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.