Discipline Under Fire: Learning Cyber Incident Response from Military Tactics


In the heat of contact, there’s no room for indecision. As a former Royal Marines Commando, I was taught that commanders at all levels must rapidly assess the situation, make critical decisions, and act while maintaining a strict command structure and discipline. This precision under pressure ensures not only the success of the mission but also the safety of the soldiers.

The same can be said of cybersecurity incident response: leaders must act with informed urgency. When a breach occurs, the speed of your response is crucial to limiting damage. But this isn’t a blind race against time. It's about quick yet measured actions: triaging the threat, containing the breach, and understanding the full scope of the threat actors’ access before developing a solid eviction plan, all while maintaining clear communication and command. Here, as on the battlefield, a disciplined approach under duress defines the difference between a successful counter-intrusion operation and a hasty, unsuccessful eradication with long-lasting consequences.

Throughout my time in incident response, I have witnessed organisations that do manage crises just as I’ve described above, with “military precision”. More recently (and worryingly), however, the scenario is one of chaos: hurried and disorderly actions driven by panic at the senior leadership level that exacerbate the situation, inflate costs, and prolong the recovery. Ultimately this risks a future breach to save money (potentially driven by organisations wanting to spend less due to the economic climate? But that's a blog for another day). Haste is often counterproductive, underscoring the necessity for a measured, strategic response akin to a well-executed military manoeuvre.

As an incident response (IR) manager, I’m often pulled in either just after or as these “panicked” decisions are being made. It’s my job not only to advise on the technical aspects but to guide clients through the incident, with the ultimate goal of ensuring the organisation comes out armed with the strategies and practices necessary to better withstand future cybersecurity threats.

The military's disciplined approach to high-pressure situations offers invaluable lessons for orchestrating a cohesive and effective response to cybersecurity threats. In this blog, we will delve into some of the key strategies incident response managers can learn from military operations at each phase of the incident response cycle.


Understanding the Parallels:

By linking the stages of an attack to the incident response life cycle, we can clearly see the parallels between the two:

  • Battle Preparation | Preparation: Just as soldiers prepare for battle, cybersecurity teams must have incident response plans ready, ensuring tools, systems, and protocols are in place before an attack occurs whilst ensuring everyone knows their role and is proficient with the tooling.
  • Reaction to Fire | Initial Detection: Upon taking fire, soldiers respond immediately. Similarly, cybersecurity teams must quickly detect and respond to breaches with predefined action plans.
  • Locate Enemy | Identification: Troops must locate the enemy; incident responders need to identify the source and scope of a cyber-attack to understand the impact and strategize their response.
  • Suppression | Containment: Suppressive fire limits the enemy's capabilities, just like containment measures in cybersecurity that prevent the spread of an attack. This gives you the breathing space needed to make informed decisions.
  • Attack | Eradication: A military assault neutralises the enemy using a formulated and well communicated plan, just as cybersecurity teams must remove the threat from their systems.
  • Reorganisation | Recovery and Lessons Learned: After the attack, military units reorganise and prepare for the next action, which may come sooner rather than later. Cybersecurity teams similarly must recover from the incident, restoring systems and applying lessons learned to strengthen defences against future attacks.


Throughout all of these stages, speed, precision, and coordination are critical.

  • Rapid action - is essential to address threats quickly and mitigate damage.
  • Precision - ensures that the response directly targets the threat without causing additional issues.
  • Coordination - guarantees that all units or team members work in sync, each aware of their role and the broader strategy.

This structured approach, despite the urgency of combat, emphasises discipline and order, ensuring each phase is executed effectively and safely with the highest chance of success.


Strategic Haste vs. Reckless Speed:

All military commanders are taught that after coming under effective enemy fire, they need to pause, reflect, assess, and plan. This is known as the “condor moment”, and it allows the commander to formulate the best and safest plan that has the highest likelihood of success before moving forward with the next phase of the attack.

The biggest mistake I see from an external perspective is organisations not taking that “condor moment”. Instead, they rush headfirst into a “whack-a-mole” style containment phase whilst trying to recover with a “restore as fast as possible” mindset (often at the expense of the investigation), which they believe will save them the most money. This is often driven by senior leadership, who have unrealistic expectations about time to recover. Often I must have the difficult conversation explaining that there is no magic bullet and it’s going to hurt, but if we do this properly, you’ll come out of it stronger and more prepared for your next incident.


So how should it be done?

From an investigation perspective we’re looking to answer three main questions:

  • How did the threat actor get in?
  • What actions on target did the threat actor take?
  • What is the risk to your data?

Answering these allows us to develop a comprehensive eradication plan and follow-on actions that the organisation will need to take in addition to informing legal and communication teams.

Failure to properly conduct this aspect of incident response can lead to oversight of crucial details, misallocation of resources, or even aggravation of the breach. Intelligent action involves a structured response, where each step is deliberate and informed by best practices and situational awareness. This approach ensures that the response is not only quick but also effective and precise, addressing the root cause of the breach and mitigating potential fallout.


When is enough, enough?

In the eradication phase of incident response, as in the attack phase of combat, haste is indeed necessary, but it must be balanced with the need for thorough planning/investigation. Determining when to shift from investigation to action involves constantly assessing whether:

  • There's insufficient intelligence, necessitating further investigation.
  • Most critical intelligence is known, though more might be uncovered with additional probing.
  • All threat actor actions are identified, we have a complete intelligence picture, and the investigation can conclude.

Deciding to eradicate the threat at any of these stages carries risks. Too soon, and you might not fully understand the breach; too late, and the damage could escalate. Each decision point should be carefully considered against the potential risks and benefits.

  • Insufficient Intelligence: Eradicating a threat without enough intelligence might lead to addressing only surface symptoms, not the root cause. This can result in the attacker retaining access through overlooked backdoors.
  • Partial Intelligence: Acting with most of the information may miss deeper insights into the attacker's methodologies or additional compromised systems, leading to potential reinfection or incomplete remediation, though interim mitigations could be put in place.
  • Complete Intelligence: Waiting until every action of the threat actor is identified risks prolonged exposure to the threat, an increased chance of data loss, and potential legal and compliance implications. However, it provides the most comprehensive understanding for complete remediation.

In each case, the risks range from incomplete eradication to extended system compromise. Balancing the need for detailed understanding with the need to limit damage is a critical skill in incident response management.


Key Takeaways:

I've covered a lot, but if you take nothing else away, remember these three points:

Preparation is key - Having a well-drilled, experienced incident response team ready to go at a moment’s notice is crucial, but your decision-makers need to be prepared too.

Assessment is critical - Before leaping into action, take a measured step back - your condor moment - to fully assess the situation. This pause can provide clarity and prevent costly mistakes.

Eradication is controlled - Execute eradication measures in a methodical and coordinated fashion. Rushed actions can lead to oversight and incomplete resolution of the security incident.

Calum Peacock

Director - PCN Projects

1 year

Great read - There’s certainly a large trend that IR managers are ex-Forces and this article just proves exactly why they are so successful!

Alan P.

Nuclear and Industrial Information Security

1 year

Chris, I enjoyed that. Some great points.

Jesus Barraza

SCADA SR Systems Analyst at City of Riverside

1 year

Great post! I couldn’t agree more.

Patrick Wong

Marine Corps Veteran | Security Operations | Insider Threat | Cyber Threat Intelligence | Incident Response

1 year

Absolutely loved this post. I'm glad it popped up on my feed.

Joe Schrantz

Vice President of Business Development at Dauntless Discovery - A Global Leader in eDiscovery Services | Colonel, U.S. Marine Corps (retired)

1 year

Fantastic article!
