Cisco warns responders: Drop ego, assimilate with the IR playbook
Pay your dues, noob, or talk to Dunning and Kruger
Cisco wants incident responders to be more self-aware.
The Borg's seasoned computer security incident response team boffins Gavin Reid and Jeff Bollinger say a knock to the ego will help combat the Dunning-Kruger effect in which over-confidence and a steering away from the rule book can lead to dangerous oversights.
The pair paint a picture of a junior incident response operative running malware in a sandbox. On execution the malware runs through various commands and contacts a command-and-control server.
The fictional flunky ceases their analysis once that domain is captured, assuming the malware is simple.
That misses a series of failover domains, which are discovered only when an experienced, by-the-book incident response boffin analyses the malware.
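The gap in that scenario is stopping at the first domain. As an added illustration (not from the article or from Cisco), the snippet below walks a whole sandbox network log, records the outcome for every host the sample tried, and reports which hosts an analyst's indicator list missed. The log lines and their format are constructed for the example.

```python
"""Enumerate every C2 candidate a sample touched in a sandbox run.

Recording only the first resolved domain misses failover infrastructure;
this walks the whole network log and records the outcome per host.
"""
import re

# Constructed sandbox network log (example data, not from the article).
# Assumed line format: "<t> dns <host> <answer>" or "<t> connect <host>:<port> <result>"
SAMPLE_LOG = """\
0.5 dns first-c2.example 203.0.113.10
0.6 connect first-c2.example:443 refused
1.2 dns backup-c2.example NXDOMAIN
1.3 dns fallback-c2.example 198.51.100.7
1.4 connect fallback-c2.example:443 established
"""

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+)\s+(?P<event>dns|connect)\s+"
    r"(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s+(?P<result>\S+)$"
)


def contacted_hosts(log: str) -> dict:
    """Return every host in first-seen order with what the sample got from it."""
    hosts: dict = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        h = hosts.setdefault(m["host"], {"resolved": False, "connected": False, "ports": set()})
        if m["event"] == "dns":
            h["resolved"] = m["result"] != "NXDOMAIN"
        else:
            h["ports"].add(int(m["port"]))
            h["connected"] = h["connected"] or m["result"] == "established"
    return hosts


def failover_chain(log: str) -> list:
    """Hosts in the order tried; more than one entry means the sample has failover logic."""
    return list(contacted_hosts(log))


def missed_indicators(log: str, recorded: set) -> set:
    """Hosts the analyst did not record: the gap a playbook step like this closes."""
    return set(contacted_hosts(log)) - set(recorded)
```

Running `missed_indicators(SAMPLE_LOG, {"first-c2.example"})` on the constructed log returns the two backup hosts the junior analyst in the scenario would have left out.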
Junior is not unintelligent, Reid and Bollinger say, merely a victim of the Dunning-Kruger effect under which unskilled people suffer from illusory superiority.
"'Not knowing what you do not know' may be the challenge many incident response teams need to overcome, rather than outside influence," the pair say.
"It is extremely important to have a well-thought-out and documented playbook to ensure a consistent approach, regardless of skill level.
"A measured, consistent, and creative approach to incident response and security monitoring delivers the most effective and efficient results for your organisation."
Crudely put, Dunning and Kruger found that the more hopeless a person is, the more they tend to overestimate their skills. Test subjects in the bottom performance quartile overestimated themselves far more than those in the top quartile, whose self-assessments best matched reality.
The bias has a flip side too: skilled incident responders may underestimate their competence and assume that difficult tasks which are easy for them will also be easy for noobs.
Incident response boffins can peruse the six stages of IR penned by Griffith University IR wonk Ashley Deuble, which cover preparation, identification documentation, containment, and recovery. ®