The Human Element of Incident Response – Part Two
By Vanessa Pegueros
DocuSign Chief Information Security Officer
There is an extraordinary amount of money and time spent on detection and response relative to cybersecurity, and much of this conversation is technology focused. In this series of articles, DocuSign CISO Vanessa Pegueros explores a different aspect of incident response — the human being. She asserts that people ultimately orchestrate incident response and the care and development of employees should be at least as important as the development of technology, and she offers items to consider relative to developing the human elements of incident response.
Part Two – Recognizing Level One Trauma Within Your Organization
In my previous article, I discussed the need to focus more on the people-related aspects of incident response. In this piece, I will focus on how the human body responds to dangerous situations and the impacts of long-term trauma.
The human body is an incredible incident response system organized to achieve one very critical goal: survival. The brain is the orchestrator of this survival system and is composed of three key parts.
The most basic level of response occurs at the brain stem level and is known as the reptilian brain. The reptilian brain is responsible for sensation, arousal regulation, and initiation of movement impulses. I will refer to this as the level 1 response. The next level, the level 2 response, is the mammalian or limbic level of the brain, which involves feelings, motivation, interaction and relationship. The final level of the brain, level 3, is the neocortex, responsible for thinking, conscious memory, symbols, planning and inhibition of impulses.
In the level 1 response, sensory input from our eyes, ears, nose, and touch provides information to the thalamus, which passes the information to the amygdala to interpret the criticality of the input. If the amygdala determines that a bodily threat exists, it sends information to the hypothalamus to secrete stress hormones and initiate the physical response to the threat.
The level 1 response is the fastest of the response levels and involves the least brain processing. It consists of reactions such as immobility, arousal and running.
In cybersecurity, we would like our teams to operate at the optimal level when dealing with an incident. But we must recognize that the incident may actually invoke a level 1 response in some of our team members. So, we must ensure that the long-term impacts of the event do not set in for the individuals and that we have, in effect, blunted the automatic and natural level 1 response.
If we do not help manage that experience, some long-term impacts of trauma cited by the National Center for PTSD include: reliving the event, avoiding situations that remind you of the event, negative changes in beliefs and feelings, and feeling keyed up (hyperarousal).
Research by Peter Levine has shown that long-term trauma sets in when the victim is not allowed to successfully escape from the situation (feels trapped) and experiences fear and helplessness. In cybersecurity, ransomware is a great example of criminals playing on the level 1 response of individuals and organizations. Malware infects a user’s computer and prevents escape by encrypting the user’s data and holding it hostage unless the user meets the demands of the attacker.
And as criminals realize the effectiveness of this attack, the technical sophistication of crypto ransomware makes the victim response more visceral. Criminals invoke the next level of trauma through forms of ransomware like Jigsaw crypto-ransomware, which is engineered to prevent escape and penalizes the victim for not reacting faster in the manner desired by the criminal. The ransomware accelerates the number of file deletions as time elapses until payment is made. This significantly increases fear and helplessness by escalating the consequence.
It is incumbent upon security leaders to recognize when our teams are operating at a level 1 response. Some of the signs include: inaction and not knowing what to do; overreacting and inability to think through the situation; poor communication around actions taken; and inability to develop options to address the problem. If our teams are operating at a level 1 response mode, they cannot shift to operate at levels 2 and 3, which is where we need them to be in order to deal with the complexity and challenge of today’s attacks.
In the next article, I will discuss some critical elements that must be in place for your incident response programs, as well as preparing your team for these cyber-attacks and incidents.