UA-72240440-1

DEFCON 1 – Turkeys 1, Humans 0

Date: May 1, 2016
Author: MRPE
Comments: 0 Comments
Categories: eCrime, Espionage, Governance & Auditing, Incident Response, Malware Threats, Security/Vulnerability Assessments

“What is your state of readiness for your next threat or incident?  Being prepared, before it strikes, is mission critical for success!”

It was 3:30 AM as I awoke and quickly gathered my hunting gear to head out for a couple hours drive and 2 mile hike in the dark to hunt my favorite turkey hunting spot.  I normally go hunting on opening day but this year was busy with family and work obligations delaying my start by several weeks.  After arriving at the location I outfitted my pack and began my hike in the dark. I heard the geese along the river honking and wondered what was alarming them this time of early morning.  As I approached the river I heard a noise, several noises, and then the sound of heavy hooved animals running rapidly through tall grass.  The mooing followed as the ground thundered – I was surrounded by cattle – and thought of what it must have been like for the pioneers on the prairie with the buffalo of yesteryear.   Having been a ranch owner and cattleman on a small ranch I know how cattle move and behave and feared the worst – they would drive in a straight line away from me for I was in a narrow corridor making all sorts of noise in the process.  I ended up pushing the cattle over a mile which alerted every turkey in the valley!  I was finally able to climb up and around in a steep area to avert the cattle and find my way into my setup spot, but the damage had been done – if any turkeys had been listening for danger – and they do – I was already partially busted.

As I approached my setup spot I was busted again – by deer this time.  Another ‘indicator’ or ‘alert’ species that turkeys often rely upon for ‘eyes and ears’ as they seek to avoid risk at all cost.  As I stepped into a low gully area it was still somewhat dark and I tripped on debris and made a large sound with my stumbling.  At this point I knew the hunt was in fully jeopardy but did my setup and then got quiet for a while before making any turkey sounds.  About 30 minutes later a hen starts making sounds to call out to a Tom.  This is great news, but I realize she is up on the hill behind where I started, and certainly saw me enter.  This is not normal behavior, but it’s later in the season so the hens are likely on nests upon the edge of the hill.  I entered into appropriate calling for the situation and then shut up, knowing a hen would come and check me out.  I sat quietly and didn’t move, in full camo head to toe.  About five minutes later I hear a loud chirp about 10 yards away through the brush.  I’m certain that smell gave me away as a boss hen had come and checked me out.  While I never heard it I’m also certain that all the other turkeys in the area were alerted by the sound and ensuing movement and quickly followed paths away from the area to safety.

After being busted I took a nap hoping it would quiet down; Turkeys tend to have short term memory.  Not today.  I never saw a single turkey.  I had heard gobbling in the morning, when I was calling, but now it’s all quiet.  The turkeys were clearly in DEFCON 1, or defense readiness condition severe.  As I hiked I found a turkey carcass where someone had shot a turkey from several weeks prior.  These turkeys had had a very real threat recently and were now much more aware and cautious!  As I hiked out I saw a coyote and several hawks – all looking for a turkey dinner.  These turkeys were under a constant threat, from multiple threat actors/groups, and my hunt was over.

Do you have an incident response plan and enterprise based risk management policy that mirrors that of the turkeys?  They stay alive by making sure that every single member of their group takes responsibility for both individual and group security.  Does every single person in your company take responsibility for risks that you face every day, eCrime, espionage, and so forth – or does it fall on the IT or security group alone?  Turkeys have well practiced – every day practiced – threat response behaviors such as visual and audible alerts and egress actions to safety.  The boss hen is in charge of event notification and escalation.  Everyone listens to her – and they should – because she has the most experience and authority in the group.  Does your incident response team have that kind of governance authority and accepted leadership or do you have to ask other business owners to help out or do the right thing to mitigate a risk?  Turkeys work as a team and are all about mitigating risk through avoidance and proactive behaviors.  They’d rather chirp and run or glide off a hill to another location, if any risk presents itself.  They have a moderate to high likelihood of death if they don’t.  One of the challenges we have in managing corporate risk is that individuals don’t accept personal risk unless it’s about making sure their job is safe – who will make sure that the company is taken care of no matter what?  Establishing a culture where everyone is responsible and motivated to protect the team, the family, is mission critical.

Finally, think ahead – like turkeys.  When they enter into an environment I’m sure they are like a well trained concealed carry/LEO individual like myself; I’m always counting doors, considering exit paths, identifying where risks may present themselves if a mass shooter or other threat presents itself.  I’m prepared, ahead of time, because that’s my training.  If such an event takes place I have a better chance of a favorable outcome than one who isn’t prepared.  Are you prepared for your next incident or war room situation?  Do you have an incident response retainer set up so that you know who to call and already have the NDA and services agreement completed so you can get help immediately – like within the next few hours?  If you don’t you’re accepting the risk of being having an incident without operational readiness.  When you try to contact someone they may or may not be able to help you, where as an incident response retainer responses within X hours by SLA.  When you try to send over a malware sample to analyze, to aid in identification and mitigation of a threat, will it be blocked because of IT policies in place, further delaying your ability to respond to an incident when trying to coordinate with an external contractor?  If you had prepared ahead of time, and tested your response plans and policies, you wouldn’t be learning these things for the first time – you’d be doing what you’d already practiced before.

Make sure you’re ready for the next threat – that everyone takes responsibility – and you have an incident response policy and partner ready at the helm.