Shostack + Friends Blog


Major Cyber Incidents Investigations

I'm thrilled this how-to guide for standing up new investigations is available.

Victoria Ontiveros, Tarah Wheeler and I have a new report out at Harvard's Belfer Center, How to Stand Up a Major Cyber Incident Investigations Board. We document the lessons and tradeoffs that we learned about or crystallized as we worked on Learning from Cyber Incidents. We took the name from Steve Bellovin's work on the subject to avoid confusion with the newly created CSRB. Also, Victoria and Tarah have a talk on the subject at Black Hat, No One Is Entitled to Their Own Facts, Except in Cybersecurity? Presenting an Investigation Handbook To Develop a Shared Narrative of Major Cyber Incidents.

The goal of this document is to provide guidance for any organization that wishes to set up an independent cyber incident review board. The document serves as a blueprint for an independent review board which may be needed by private or public organizations, such as municipalities, counties, hospitals, utilities, or other organizations that anticipate experiencing cyberattacks and wish to maximize their learning from them. We offer considerations and analysis throughout the document to present alternative options and insights. An organization such as a think tank, local or federal government agency, university, or other non-profit organization may also set up an MCIIB. Such a Board would conduct investigations of major cybersecurity incidents and deliver a report outlining the sequence of events, contributing factors, and recommendations for security practices.