Cisco Blogs

Learning From Others: Incident Response and Catastrophic Compromise

October 20, 2010 - 1 Comment

In May, I talked a bit about compensating controls and their value in layered defenses. The Wall Street Journal recently detailed what appears to be another significant failure of detective controls, as Dubai police worked with national governments to apprehend suspects in the assassination of Mahmoud al-Mabhouh. Authorities in Dubai posted about 30 minutes of video footage to YouTube shortly after al-Mabhouh’s January death. The videos showed a significant amount of coordination and investigation to tie together more than two dozen suspects over several locations throughout Dubai. Now, nine months later, despite this tremendous investigative effort, the trail shows few signs of progress. But when looked at from the perspective of incident response, even a spectacular failure can be a successful lesson learned for tomorrow.

Responding to a Catastrophic Incident

It is perhaps unfair to compare the resources and motivations of the public sector dealing with an international crime, particularly an assassination, with anything else handled in the private sector. Police investigations are funded and pursued under entirely different paradigms than organizational investigations into security breaches. But if you will permit me to make a base generalization for purposes of comparison, I think there are lessons to be learned. Namely, that what we are seeing is one group (the Dubai authorities) responding to an incident of tremendous importance that not only falls within their core mission of law enforcement, but also has ramifications for their partnerships politically, as well as reputationally. In this generalization, I believe that we could draw some insight into how our own organizations could deal with incidents that strike at or near the heart of our own organizational risk sensitivities.

Imagine if you will that this is the analog of your own organization facing one of its most catastrophic risk scenarios: determined, well-funded attackers make a calculated and surgical strike against a key asset, and successfully compromise it completely.

How will you:

  • Notice that it has been compromised?
  • Distinguish unexpected access from unauthorized access? (e.g. how do you overcome anti-forensics?)
  • Recreate the attack scenario?
  • Document your response?
  • Pursue recovery or restoration of the asset?
  • Educate yourself and your organization to prevent / mitigate recurrence?

Invaluable Intelligence

Intelligence (of the information gathering and processing sort) was invaluable in the Dubai police force’s response to this incident. In each case, having skilled, perceptive, and knowledgeable operators processing the incident intelligence was a key factor. Suspicions about the murder scene led to a review of security camera footage; keen eyes noticed that the deceased al-Mabhouh was not wearing the same shirt at the time of death as he was seen in on the last known footage of him alive; a search for the shirt uncovered broken bed slats, which prompted an investigation into a struggle and possible murder; and so on.

The Wall Street Journal’s recounting of the investigation highlights a number of impressive accomplishments:

  • Correlating the suspect list
  • Tracking suspects’ activities through multiple venues, including other hotels, the airport, and a nearby shopping mall
  • Tying communications not among suspects, but by suspects to a set of Austrian phone numbers
  • Noticing small details, such as suspects approaching and then retreating from a vehicle (which suggests it may have been a vehicle they were expecting)
  • Reviewing 10,000 man-hours worth of video content, manually and with facial recognition and other specialized software

What we see here is not just organizational preparedness (collecting and correlating video footage), but also a capability to extract subtle information that leads to further information about the attackers. Each new connection uncovers an opportunity to recognize more patterns, uncover additional suspects, identify additional resources used, and ultimately lead to the source of the attack.

Calling it Quits

But at nine months since the attack, and with many leads turning up empty or as dead ends, what success can be hoped for in this case? Surely those most closely associated with the operation have retreated to safety by now. At what point might your organization have to decide enough is enough? What continued costs should be incurred to pursue some measure of success? And in the course of the investigation, how can costs be controlled from Day 1 to ensure that an investigation can run its course most thoroughly before reaching the tipping point into ineffectiveness, throwing good money after bad or spending more in response than the compromised asset was worth?

Promoting education and repeating lessons learned is the cornerstone of solid incident response. If at each opportunity an organization can learn from its past failures as well as successes, then future incidents are less likely to be as impactful. Better still to learn from incidents that others have paid the price for, and apply those lessons to your own organization proactively.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. A great deal of damage has been done to organizational reputations and a great deal of information has been lost in organizations that do not have fully effective incident response programs in place.