Incident Management as a Platform: Scaling Incident Response

In the cybersecurity industry, the term “IR” stands for Incident Response and is almost synonymous with thoughts of urgency, burnout, and lack of predictability. Over the past decade, the IR space has grown rapidly and has felt the impact of the cybersecurity labor shortage more than any other part of the industry. At the same time, these challenging dynamics have often resulted in lucrative careers for practitioners and exceptional financial results for IR service providers. The phrase ‘if it ain’t broke, don’t fix it’ comes to mind. However, that dynamic has stifled innovation over the years and ultimately served as a key driver for launching MOXFIVE in 2019.

Incident Response: The Historical Model

Traditional IR firms leverage a classic professional services business model, aiming to identify the incident’s root cause and support legal counsel’s effort to determine the victim’s legal exposure. Over the past two decades, the investigations have evolved from credit card theft with intent to sell credit card information on the dark web, nation-states stealing corporate intellectual property to improve competition, single system ransomware for immediate financial gain, Business Email Compromises (BECs) with intent to trick corporate employees into fraudulent payments, to most recently enterprise-wide ransomware. While the technical complexity of these attacks has varied over the years, the ability for threat actors to exploit organizations’ growing dependency on information technology (IT) shifted the focus of IR from largely a legal challenge to an increasingly technical challenge that needs to be solved quickly.

Enter Incident Management as a Platform led by MOXFIVE Technical Advisors.

The Platform: A Virtuous Cycle

A platform is a business model that creates value by connecting producers and consumers, such as Amazon, AirBnb, Uber, Etsy, and eBay. In essence, successful platforms allow producers to sell faster and allow consumers to save time and money when buying.  The result is a virtuous cycle where all participants benefit.  Importantly, trust is a key characteristic of successful platforms - if producers and/or consumers do not trust the platform, they will not participate and the value is lost.  Related, it is important to note that while many software companies use the term “platform” as part of their marketing strategy, often they are selling their own software direct to a consumer which does not constitute a platform business.  

At MOXFIVE, we often discuss Airbnb and its success at “scaling the handcrafted experience.” Airbnb set out to change the travel experience, not develop the technology. Along the way, Airbnb developed technology to accelerate and scale the customer experience. In the end, Airbnb became a huge success because they were able to attract enough hosts (producers) to offer travelers (consumers) more options to find what they were searching for and saving travelers time and money, ultimately improving the travel experience for all travelers. This resonates with us at MOXFIVE as we focus on improving the IR customer experience by leveraging a platform approach to create the virtuous cycle between victims of attacks and specialized service providers.

The Need for Scale

MOXFIVE’s Incident Management as a Platform approach introduces scale to the IR customer experience by focusing on speed and efficiency.  We do this by avoiding the pitfalls of the traditional professional services firm business model which focuses on headcount to drive capability and success. Instead, MOXFIVE focuses on getting victims the technical expertise and resources they need as fast as possible through rapidly and transparently engaging the appropriate specialized providers based on the details of the incident. From the collective experience of having responded to thousands of cyber attacks, our Technical Advisors clearly define the technical problem for business leaders and legal counsel.  Once everyone understands the problem that needs to be solved, MOXFIVE brings the specialized providers to the table and manages the incident response process through to completion.  By focusing on connecting the consumers (victims) with producers (vendors), we have created a platform that is positioned to lead the execution of technical workstreams at a scale unmatched by traditional professional services firms.  

Consider how the industry is currently fighting ransomware. While threat actors scale by employing affiliates to amplify attack volume, traditional IR firms are hiring additional headcount (resources) to keep up.  To be fair, IR firms have gradually been positioned – and arguably pushed – to play the role of ‘all things technical’ without specialization for two reasons:

1. Clients and lawyers generally prefer to deal with as few vendors as possible and;  

2. The growth model of professional service firms incentivizes saying “yes” to all business opportunities that are even remotely relevant.

However, additional headcount cannot alleviate the fact that IR firms are built to specialize in forensic investigations versus a broad set of technical offerings. It’s a business model challenge, not a headcount challenge. Consider the typical client needs when responding to ransomware:  

• Forensic Investigation: Investigate the incident to determine the root cause and help determine potential legal liability due to unauthorized access of sensitive data  
• Containment: Mitigate the ongoing threat through mechanisms such as password resets, malware blocks, network blocks, implementation of MFA, and more
• Business Recovery: Assess viability of backups and restore, rebuild or decrypt impacted systems and applications. Additional support with EDR deployment is often needed as well
• Reinforce: Assess and implement appropriate solutions to harden the environment going forward  

Now, consider the various curveballs that may arise when responding to a ransomware attack, which fall outside of traditional IR firms’ capabilities:  

• Active Directory (AD) & Domain Controllers (DCs): Often enough AD is down or unstable and specialized assistance is needed – building new DCs or potentially rebuilding the domain – to begin recovery efforts
• Virtual Desktop Infrastructure (VDI) Environments: Not all EDR solutions can provide visibility and protection in popular VDI environments, such as Citrix, resulting in the need to adjust the response strategy ‘on the fly’
• EDR Deployment: Either a manual deployment may be required, which is labor- intensive, or a sophisticated workaround needs to be architected to automate deployment

• Help Desk Support: Depending on the size of the organization, executing a password reset for all users may overwhelm existing IT staff and warrant additional (emergency) help desk support
• Data Classification: Depending on the data an organization houses, innovative data mapping solutions may be leveraged to reduce legal and regulatory risk
• Network Segmentation: When EDR solutions do not support legacy operating systems, micro-segmentation can securely segment unsupported systems, mitigate risk and allow bringing the business back online despite not having 100% EDR coverage
• Data Recovery: When decryption is not possible, data recovery efforts focused on recovering corrupted or deleted data can serve as a last resort for getting system backups or files recovered

These requirements and capabilities were too much for one organization to consistently and reliably deliver, until now.  MOXFIVE’s platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance they yearn for in this time of crisis, and at the same time facilitates the delivery of all technical needs required, consistently and efficiently.  

Time for Change

If asked, I bet most organizations who had to foot the bill for IR services expected a better experience and more value given the price tag.  As the industry struggles to keep pace with more disruptive cyberattacks and the ever-growing digital dependence of victim organizations, we cannot expect last decade’s playbook to facilitate the much needed change.  MOXFIVE’s Incident Management as a Platform approach creates a virtuous cycle where all participants achieve a better outcome - our ecosystem of partners benefit from being able to focus on their specialization and deliver value versus selling their value, and our customers save time and money because of the efficiencies our approach brings to the table - or better said, creates a new ‘table.’

If you have questions or need help with a current incident, we're here to help. Contact a MOXFIVE Technical Advisor at ask@moxfive.com or use our Contact form.

‍