Latitude Financial Services Data Breach Impacts 300,000 Customers
First analysis from the victim:
"Latitude Financial has experienced a data theft as the result of what appears to be a sophisticated and malicious cyberattack."
I've never seen a statement that says "...of what appears to be just one of those unsophisticated opportunistic cyberattacks."
https://www.securityweek.com/latitude-financial-services-data-breach-impacts-300000-customers/
New, by me: ODIN Intelligence, the police tech firm whose website was defaced last weekend, was hacked. A huge trove of confidential police data was exfiltrated and provided to transparency collective DDoSecrets. The data contains tactical plans of police raids, and use of surveillance, like facial recognition.
More: https://techcrunch.com/2023/01/21/odin-intelligence-breach-police-surveillance/
I don't often just rant at the void much anymore, but here's one that really gets me...
The fact that you are a Big Company and Powerful will not save you from a cybersecurity incident.
The fact that you can put pressure on your cybersecurity contracting and consulting companies through $$$ does not change the fact that you might need their actual real life assistance someday.
I consistently see some very powerful, large companies buying incident response and services contracts across the industry and using their weight and brand power to try to skip things like retainer on-boarding, critical document sharing, and preparatory exercises.
Oh. My. Sweet. And Fuzzy. Lord.
I understand that you are very busy. I understand that it is hard to get everybody on a call, and find the right documentation. I understand there are lawyers and bureaucracy that make it more difficult to share certain materials. I understand you're getting a retainer because your insurer or regulator says to.
This changes nothing. If you really need to call an incident response / digital forensics consultant (and you probably will), they're going to need that information and preparation. No amount of money in the world will be able to magic away necessary prep work. No amount of money thrown at the compromise will make it go away without work - unless you intend to replace your entire domain and computer network (also a lot of work). Your insurer will not fix it. Your brand will not fix it.
The requirements your legitimate retainer company put forth exist for a reason. They are not to steal your money or retainer hours. They are to make sure that an entirely unrelated team to your operations and technology will be able to walk in during a crisis and meaningfully assist without days of ramp up time. We need context to be able to do that. Network maps. Response plans. System and facility access directions. Understanding of your organization and comms plan.
That can't be wished away with money. Anyone, absolutely anybody legitimate in DFIR on planet Earth will need that information. If we don't get it ahead of time, we will be getting it on expensive hour burn before we can actually start to put out a fire.
That's all I have to say about that.
Being sick when you should be preparing Christmas stuff...
(in pic: our shiba pup Rosa when she was very little)
Local stuff in Finnish:
The weekly report of Kyberturvallisuuskeskus (the Finnish National Cyber Security Centre) has good information on, among other things, the upcoming commercial period, also known as Christmas.
This is the Kyberturvallisuuskeskus weekly review (reporting period 4.11. - 10.11.2022). In the weekly review we share information about current cyber phenomena. The weekly review is intended for a broad audience, from cyber security professionals to ordinary citizens.
For those following the phishing scene, here's a well-written analysis of Robin Banks, a phishing-as-a-service platform. Written by IronNet.
Part 1:
https://www.ironnet.com/blog/robin-banks-a-new-phishing-as-a-service-platform
Part 2:
https://www.ironnet.com/blog/robin-banks-still-might-be-robbing-your-bank-part-2