In-brief: Tim Bandos, who helped build DuPont’s Incident Response team, stopped into The Security Ledger studios to talk about his experience, and his advice for other companies.
We’ve been hearing a lot about sophisticated hacks targeted at sensitive organizations in recent weeks. A story about hacks of The Democratic National Committee with links to hacking groups with ties to the government of Russia soon expanded to include a wide range of Democratic party groups including the Democratic Congressional Campaign Committee or DCCC and the campaign of Hillary Rodham Clinton. More recently there have been reports that The New York Times was, itself, the target of a hack aimed at specific reporters.
A recurring feature of the reports are revelations about how long the attackers had access to the compromised network – a period of time that often stretches for weeks or months. There is also uncertainty about the origins or source of the compromise. One reason for both the long-lived hacks and the uncertainty about their origins, experts say, is the difficulty even sophisticated firms have doing incident response: the act of studying adverse cyber incidents, understanding them in detail and learning about them.
But what does incident response entail? And how can companies that don’t have an IR function build one?
To answer those questions, Security Ledger sat down with Tim Bandos, the Director of Cyber Security at Digital Guardian* and a seasoned information security and IR professional. Prior to joining that firm, Tim spent more than a decade as a lead incident responder and security professional helping the chemical giant DuPont – number 101 on the Fortune 500 list, a top holder of U.S. patents on everything from Teflon to Kevlar, to build its incident response team.
Tim’s job gave him a front row seat to some of the most sophisticated and targeted hacking attempts around. DuPont was the victim of a string of serious breach incidents, including a malicious insider, Gary Min, who made off with hundreds of millions of dollars worth of proprietary information. Tim said there’s no silver bullet for stopping sophisticated attacks. Bandos, who was at DuPont for 12 years, said that, despite its high-profile, DuPont didn’t have any formal incident response team or function when he first started working there, even as the drum beat of sophisticated “advanced persistent threat” (or APT) attacks began to beat.
“In reality, we didn’t have anything at all even at the time we had those breaches occurring. Even for the first couple years, it was really just myself and another guy. We were building up that organization and the processes. We weren’t necessarily handed a blank check to build this global incident response process and have all the tools at our own discretion. It was difficult. We had a budget. We had to figure out innovative ways to get visibility in the environment leveraging open source tools.”
Those budget constraints are likely even worse at smaller, less affluent companies, Bandos said. Still, having a defined incident response process can help overcome budget limitations, at least providing a structure for teams to respond to and address adverse incidents. That kind of structure and organizational discipline is more important than any single tool, Bandos said.
I think a common misconception is that there’s a technology out there that can prevent this from happening. But in reality, (attackers) are always going to find that one hole to get in. As long as you develop your maturity as an organization, I think it’s minimizing that initial infection to detection. That’s how I measured our success a lot of times.
Tim dropped into the SL studios to talk about his experience and give us his thoughts on how to best build an incident response function. You can check out our conversation here.
(*) Digital Guardian is a paid sponsor of The Security Ledger.