CYBER ATTACK INCIDENT RESPONSE READINESS PREPARING FOR THE INEVITABLE. Rob Sloan
Rob Sloan
Head of Cyber Content and Data, Dow Jones Risk & Compliance
MARCH 2015

Cyber attacks are not new. The vast majority of organizations will have experienced a malware incident over the last few years and, regardless of the sophistication and scale of the attack, some level of impact and disruption will have been felt. Some organizations, especially over the last year, have learned the hard way how devastating a cyber attack can be.

Preparation for incidents is something that we all do, often without giving it much thought. All organizations situate fire extinguishers and instructions around offices, install sprinkler systems, have alarms to warn people of danger and, most importantly, practice evacuations to simulate incidents and understand how processes can be improved. As a result of these awareness programs and preparation, the risk of injury and death to staff in the event of a real fire is minimized. We recognize the threat of a cyber attack and the impact it could have on our business, so why do so many organizations choose not to invest at the same level in preparing for the inevitable?

The day of the ball is not the time to learn how to dance; organizations must be prepared for incidents before they happen. Finding time and resources to do this preparatory work can be challenging for security departments already stretched on resources, and some of the tasks require specialisms not commonly found as part of in-house security teams. One thing is certain though: time spent preparing for an incident is time well spent. Preparation can be the difference between an incident that significantly impacts or perhaps even threatens the viability of the business, and an alert that is part of business as usual. Preparation will look different for each organization and will depend on many factors such as size, network complexity, technical resources, data held, threat of attack, etc.
The following is not an instructional guide to every aspect of cyber incident preparedness, but rather a starting point to help organizations understand what might be applicable to them, what they need to aim towards, and to provide some thought leadership on how to achieve the right outcome.

THE EVER-CHANGING THREAT LANDSCAPE

Cyber risk is an evolving area and it can be difficult for organizations to navigate given the level of fear, uncertainty and doubt published by security vendors and parts of the media. There is doubtlessly a threat to computer networks coming from criminals, hacktivists and nation-states, and that threat is constantly evolving. Many experts suggest a constant rise in sophistication, though I would dispute this. The fact is that corporate and government defenses are not improving at a rate that requires attackers to constantly become more sophisticated. We see more reports of breaches because organizations are getting better at detecting them (more still are notified by third parties) and data breach notification laws and SEC regulations in the US (and worldwide equivalents) are providing more publicly available evidence of attacks.

Cyber security has evolved as threats have become better understood. Throughout the 1990s organizations were told that they could protect against attacks with firewalls and anti-virus software. Against the threats of that time (largely generic, automated viruses and worms) these defenses were for the most part good enough. However, during the 2000s the threat actors changed their modus operandi. Phishing attacks were targeted against organizations with the specific goal of data theft and criminals raised their abilities through exploit toolkits, giving them a capability they had not previously had. The focus shifted to detecting attacks with Intrusion Detection Systems and heuristic detection methods in anti-virus, but detection was only part of the story.
During the past five years the emphasis has shifted to responding to attacks. Organizations have had to assume that they were breached and the on-going task was to identify, investigate and respond to breaches quickly and effectively.
Assuming breach is an uncomfortable place to be, especially as C-suites are taking a greater interest (and in many cases a direct role) in cyber security. Preparation forms part of a cyber strategy that allows the senior decision makers to understand the level of risk being carried. Organizations will have a risk appetite and they must be satisfied with their cyber security just as they are with their physical and personnel security practices.

DOING SECURITY BASICS RIGHT

The first step any organization can take is to get a realistic view of how well prepared they are to defend their network. By getting the basics right organizations can lower their overall risk and allow their available resources to concentrate on addressing those risks which are more likely to cause serious impact.

The U.K. recently stipulated that any company that wanted to bid for a government contract must be compliant with the Cyber Essentials scheme. This self-assessed cyber test ensured that organizations were taking cyber seriously by committing to deploy five key controls designed to reduce exposure to threats including patch management, malware protection and secure configuration of networks and devices. This list was drawn from the more extensive 20 Critical Controls laid out by the Council on CyberSecurity, formerly curated by the SANS Institute. This set of security controls has been refined over several years and provides the most comprehensive set of recommendations for defending a network against malware.

Conducting a gap analysis against the 20 Critical Controls and a capability maturity (or "traffic light") model to highlight areas of compliance, concern and deficiency allows organizations to see exactly where their defenses are lacking and put in place a prioritized remediation plan. Not all of the Critical Controls are equally important and some controls have more of a hygiene effect than directly countering threats.
Very few organizations currently deploy all 20 Controls. An assessment such as this can be conducted internally where budget is an issue, but is best conducted by a third-party consultancy who have an intimate familiarity with the controls and how they should be deployed to maximize effectiveness.

KNOW YOUR ENEMY

An exercise to understand likely threat actors is useful in understanding the capabilities and tactics of those likely to attack your data, and their potential intent should they breach network defenses. In many cases this will inform the necessity, prioritization and urgency of other parts of the program. This is not a technical exercise, but rather a discussion for managers from across the business, drawing on working level expertise to add detail where required. Involving I.T. and security functions is essential, but equally important is to involve representatives from legal and Public Relations who may be aware of activities in the business that potentially raise the risk of attack from a particular group or nation.

Threat assessments are required for three types of threat actor: criminals, hacktivists and nation-states. Organizations with a more mature program should further consider how an insider could damage the business through exploiting their direct legitimate access to the network.

A good place to start is by looking back at whether the organization has fallen victim to attacks previously. A corporate memory of incidents, their cause, effect, impact and resolution is incredibly important to capture and store, thereby ensuring this sort of incident is not solely held in the memory of individuals who could move roles or leave the organization. If your organization does not have a log already in place, it could take different forms depending on size and business function, but generally it will be a database held centrally within the security function and accessible only to those with a valid need to know. Lessons must be learned from past incidents. The log should not solely be restricted to cyber incidents either; historical physical incidents are important as a threat actor may now have a cyber capability that has usurped the need for physical attack and analysis of the log may highlight attack vectors seeking to achieve the same aim.

Next, open-source research of cyber incidents against competitors may show wider intent of threat actors to attack the sector. If this is an area where competitors can come together to discuss incidents and share data there is a lot that can be learned. Information Exchanges such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) are a great example of how companies within a sector can work together to expand knowledge of threats. The herd is stronger than any one animal.

If an organization is part of the Critical National Infrastructure there may well be government agencies with outreach contacts that can help with the threat assessment. Establishing such links is important and could help facilitate information transfer on a more regular basis.

ENGAGING USERS

The vast majority of attacks rely on some sort of human interaction, whether that be socially engineering a user to open an attachment or click on a link, or even leaving a USB drive in a car park outside a target office in the hope an employee will pick it up and plug it into a computer. An organization's employees are on the front line and preparing them for the sorts of tactics they may be exposed to is a key strand of any cyber security strategy.

Cyber security awareness programs are all too often confined to a single session in the onboarding process.
There are two key issues with this: firstly, new employees are overloaded with information in their first weeks and are more concerned with getting into their new roles and making an impact; second, awareness campaigns should be an on-going process rather than a one-off. Organizations should seek to regularly update their employees about cyber attacks and communicate the importance of their role in keeping corporate networks secure.

Stressing the significance of protecting company data and reinforcing best practice around emails and web use can help identify attacks, but equally vital is a "no blame" culture which allows employees to report suspicious activity resulting from mistakes. Educating helpdesk teams to recognize when user reports might be indicative of cyber attacks rather than software malfunction, and processes to deal with potentially malicious files and web-links are also vital.

Organizations must also take into account the different messages that need to be aimed at different members of staff. For example, those in the C-suite and the administrative assistants who support them often face a higher likelihood of being targeted. Education around cyber security has the added spin-off of helping to protect users at home where the impact of a computer breach could be financial loss or identity fraud.

Users cannot be relied upon or expected to stop attacks, nor is that their role. However, if engaged they provide another layer of defense for an organization. All users need to be aware of the problem, the potential for anyone to be a target, and the collective responsibility for data security.

SCENARIOS

Simulating an exercise can be a very useful way to better prepare for how different attack scenarios might unfold. These exercises can be tailored to the participants and need not be restricted simply to those in I.T. or security. Simple exercises for a handful of participants could be designed and executed in-house, though larger more complex scenarios requiring the participation of senior managers and the C-suite can be run more effectively by outside specialists.
At the basic end of the scale, small teams in I.T. security could simulate a breach of a single machine and how they respond. Or the team could practice identifying an infected host if they were presented with a victim notification from a government agency that may only provide an IP address and time stamp. The purpose is not to be perfect, but rather to identify the gaps in the plans and processes in order that they can be addressed before a live incident. For organizations that have not previously conducted war gaming, this scale of exercise is a perfect place to start. Creating flow diagrams to show the process that can be followed during a real incident may be useful.

More complex simulations could involve outages of part of the network, a denial of service attack against a website, intellectual property stolen by a state attacker, customer data lost, or the large-scale public release of corporate documents. Scenarios are limited only by time and resources, and should seek to include senior executives who would be involved in the event of a full-scale compromise and data loss. Public Relations and corporate communications teams will have a role to play, as will legal representatives and data owners from across the business.

Predicting the type of incident the organization will suffer is very difficult, though it can be informed if the organization's threat assessment has been completed thoroughly beforehand. Recent incidents that have affected other organizations can also inspire exercises. However, the key benefit is about getting the right people together in a room and making them familiar with the sorts of decision they will have to make should a real incident occur. Exercises can identify gaps in knowledge and understanding and facilitate an environment where those less familiar with cyber can catch up.
The executives can better understand the challenges faced at the working level and the I.T. team can see the wider picture of the impact on the business if attackers penetrate defenses.

Carrying out scenarios should not be an annual event, but rather depend on business requirements. The executive in charge of the cyber strategy should seek out scenarios based on events in the news or driven by the business. For instance, the impact on Target and Home Depot in 2013 / 2014 from credit card data theft could have inspired retail organizations with credit card data to carry out a similar exercise, while the recent Sony Pictures Entertainment hack could have provided a reason to simulate a large data loss. Other business activities could trigger the requirement for an exercise such as roleplaying the theft of strategy data during a contract negotiation.

The exercise is of course useful in identifying gaps, but the real value comes only once those gaps are addressed. One vulnerability often found is that cyber incidents quickly escalate beyond the capabilities of the in-house team. This is not to say that in-house resources are ineffective, but rather that the investigation and remediation of incidents requires specialist tools and skills. Having a non-disclosure agreement or purchase order in place with a trusted incident response provider means there will be no delay in having assistance onsite in the event of an incident.

Organizations will wish to consider whether or not to engage an incident response provider already supplying network monitoring services. The areas of detecting attacks and responding to compromises are closely related, but to fully understand the weaknesses in your defenses and how a compromise occurred it is often better to have separation between providers. The risk of moral hazard, where detection of malware or compromise exists to drive response services from the same company, should be avoided. Third-party response services should also aim to engage and utilize in-house talent to reduce future reliance on consultancy.
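The small-team drill described in this section, where a notification supplies only an IP address and a time stamp, can be rehearsed against log data. The Python below is an added example, not part of the original paper. It assumes the reported IP is the remote address the infected host contacted, and every log format, address, MAC and hostname in it is constructed for illustration.

```python
"""Added example: trace a victim notification (IP + time stamp) to an internal host."""
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed firewall log (UTC). The last line is deliberately malformed.
FIREWALL_LOG = """\
2015-03-02T07:50:12Z src=10.20.4.31 dst=203.0.113.77 dport=443
2015-03-02T09:13:41Z src=10.20.4.31 dst=203.0.113.77 dport=443
2015-03-02T09:14:02Z src=10.20.7.90 dst=198.51.100.5 dport=80
2015-03-02T09:16:05Z src=10.20.4.31 dst=203.0.113.77 dport=443
2015-03-02T09:17:30Z src=10.20.9.12 dst=203.0.113.77 dport=443
2015-03-02T09:18:00Z truncated entry
"""

# Constructed DHCP lease log: lease start, lease end, IP, MAC, hostname.
# 10.20.4.31 changes hands at 08:30; 10.20.9.12 has no lease record at all.
DHCP_LOG = """\
2015-03-01T08:00:00Z 2015-03-02T08:00:00Z 10.20.4.31 00:16:3e:aa:01:10 WKS-FIN-014
2015-03-02T08:30:00Z 2015-03-03T08:30:00Z 10.20.4.31 00:16:3e:bb:02:20 LAP-HR-203
2015-03-02T06:00:00Z 2015-03-03T06:00:00Z 10.20.7.90 00:16:3e:cc:03:30 WKS-ENG-051
"""

Conn = namedtuple("Conn", "ts src dst dport")
Lease = namedtuple("Lease", "start end ip mac host")


def parse_ts(text):
    """Parse the logs' UTC time stamps into timezone-aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_firewall(text):
    """Return Conn records, skipping lines that do not match the format."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        try:
            fields = dict(p.split("=", 1) for p in parts[1:])
            conns.append(Conn(parse_ts(parts[0]), ip_address(fields["src"]),
                              ip_address(fields["dst"]), int(fields["dport"])))
        except (IndexError, KeyError, ValueError):
            continue  # malformed entry: a real drill would count and report these
    return conns


def parse_leases(text):
    """Return Lease records from the DHCP log."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            leases.append(Lease(parse_ts(parts[0]), parse_ts(parts[1]),
                                ip_address(parts[2]), parts[3], parts[4]))
    return leases


def holder_at(leases, ip, when):
    """Find who held `ip` at the moment of the connection, not who holds it today."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None


def identify_hosts(notified_ip, notified_time, conns, leases,
                   tolerance=timedelta(minutes=5)):
    """List internal hosts that contacted notified_ip within +/- tolerance."""
    if notified_time.tzinfo is None:
        raise ValueError("notification time needs an explicit time zone")
    target = ip_address(notified_ip)
    centre = notified_time.astimezone(timezone.utc)
    findings = {}
    for conn in conns:
        if conn.dst != target or abs(conn.ts - centre) > tolerance:
            continue
        lease = holder_at(leases, conn.src, conn.ts)
        host = lease.host if lease else "UNRESOLVED"  # missing lease = process gap
        entry = findings.setdefault((conn.src, host), {
            "ip": str(conn.src), "host": host,
            "mac": lease.mac if lease else None,
            "first_seen": conn.ts, "hits": 0})
        entry["first_seen"] = min(entry["first_seen"], conn.ts)
        entry["hits"] += 1
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    # Notification quoted in local time (UTC+1); the logs are in UTC.
    when = datetime(2015, 3, 2, 10, 15, tzinfo=timezone(timedelta(hours=1)))
    hits = identify_hosts("203.0.113.77", when,
                          parse_firewall(FIREWALL_LOG), parse_leases(DHCP_LOG))
    for f in hits:
        print(f["ip"], f["host"], f["mac"], f["first_seen"].isoformat(), f["hits"])
```

An "UNRESOLVED" row is the kind of gap the exercise exists to surface: traffic was logged, but no lease record ties the address to a machine.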
BEING THE ATTACKER

One final area is worthy of discussion and it is one which few organizations have fully explored: Red Teaming. Red Teaming has its roots in the military, but can provide real value in the area of cyber. In the cyber sense, the Red Team is formed of security experts, essentially hackers who try to break into a network with an agreed objective, such as stealing a specific database, or gaining domain credentials, or achieving access to data regarded as critical to the running of the organization. The exercise can be conducted remotely, i.e. hacking over the Internet, or can involve a physical penetration of the building (perhaps using social engineering) to gain access to a server room or even a single workstation or Internet connection.

A Red Team exercise requires specialist consultancy and generally does not come without significant expense. However, the team will emulate real techniques being used by threat actors to give decision makers a realistic view of the robustness of network defenses. If an attacker can compromise the network and exfiltrate specific data in the course of a few days or weeks, more persistent attackers are equally likely to be successful.

Despite the expense, this remains one of the most effective ways to demonstrate to senior managers that business critical data is vulnerable to cyber attack. If the Red Team can gain access in limited time under specific constraints, an attacker with sufficient time, skills and resources will certainly be able to compromise the network. From this, businesses will have a list of recommendations of how to mitigate some of the risks and manage others.
This engagement can also serve as an exercise in response preparedness: the attackers can spend time with the network defenders after the attack and show how their activity could have been detected, the tools they used and how an effective response could have made life more difficult for the attackers.

CONCLUSION

Security, like many business functions, is generally accepted to be a combination of people, process and technology, but far too many organizations continue to rely solely on the technology part of the equation. It is too easy for organizations to fall into the trap of thinking that buying the latest solution complete with flashing blue LEDs and a striking logo easily solves the challenges of cyber security. Organizations invested in solutions that promised the earth in the 1990s and again throughout the 2000s that have continually failed to defend against the evolving tactics of advanced attackers.

Technology of course has a part to play in sifting through ever-growing amounts of data and mitigating incidents that do not merit the attention of stretched resources. But regardless of how good the technology solution is at detecting malicious software or suspicious activity on our networks, it is humans who best understand the network and the organization, and the established processes that ensure the correct output is assured from any given set of inputs.

Fighter pilots never stop training, despite the fact they have their license to fly. They need to be continuously trained in different situations to ensure they make the right decisions under considerable stress and follow the processes set out for them. It is no different for businesses: the security staff and others need to feel able to make decisions under pressure and have an awareness of the outcomes of their actions. The processes set as a result of exercises will help guide the decisions to the best possible outcome.
Cyber attacks might be unavoidable, but that does not mean that there is nothing that can be done in advance. Preparation to reduce risk and avoid compromise in the first place, and process to ensure that compromises are dealt with in a tried and tested, business-as-usual fashion will mitigate the risk of serious business impact.

Understanding the current security posture informs decision-makers where the organization is; building the cyber security strategy influences where the organization is heading. Much of the work to be done will have to be done in a certain order for maximum effectiveness; many tasks will be on-going and refined over time. The threat landscape constantly changes and measures will adapt and evolve over time. Teams also work better the more often they work together and the more clearly each individual understands the roles and responsibilities of others in the team, and the challenges and constraints each faces.

Cyber security is here to stay as a business challenge and organizations must respond if they are to defend their networks and protect their data.

CASE STUDY 1: SONY PICTURES ENTERTAINMENT COMPROMISE

In November 2014, Sony Pictures Entertainment was attacked, according to the FBI, by the North Korean state. The hackers subsequently released unseen films online, and dumped gigabytes' worth of sensitive corporate and personal data. Furthermore, many hard drives were wiped. While it is too soon to assess the long-term impact of the attack on the company, the short-term impact included:

- Significant interruption of business
- Legal issues related to the disclosure of personal and commercial data
- Loss of business critical data
- Reputational damage
- Stock price impact
- Damage to confidence in senior leadership
- High cost of specialist consultancy to restore network operations and give assurances on security

Simulating an incident with the scale and complexity of Sony's breach is very difficult, but the incident can be broken into parts and each of those simulated. For example, destructive malware is not unprecedented and organizations should be able to define where [potentially thousands of] new drives will be sourced from, how they would be imaged with the corporate desktop/laptop build, how they would be physically replaced, etc., and how staff would communicate in the meantime.
A gap analysis against a security standard such as the Council on CyberSecurity Controls would have shown any network security deficiencies and highlighted risk to senior managers, allowing for corrective actions to bolster defenses.

This case study demonstrates that while identifying business critical data and protecting it is important, the loss of non-critical data such as emails and spreadsheets in sufficient volume can be immensely damaging. It is not possible to protect everything, but access controls and encryption can protect the data crown jewels, albeit at the expense of convenience. Organizations should review email and data retention policies to reduce the volume of non-critical data that is potentially more vulnerable. Security awareness campaigns remind staff to be cautious what they commit to email and how to spot phishing attacks.

CASE STUDY 2: TARGET CORPORATION DATA BREACH

In December 2013, Target was the victim of a criminal attack which netted attackers 40 million credit card numbers and the names, addresses, email addresses and phone numbers of 70 million customers. Target was one of a number of high-profile victims in the retail sector through 2013 and Despite being relatively well protected and having invested in next-generation malware detection products, hackers infiltrated the network and deployed malware to point-of-sale devices to harvest credit card data. Data was stored on an internal server before being egressed to Russia.

The subsequent investigation showed alerts of suspicious activity had not been acted upon by analysts in the Security Operations Center. That inaction cost the company around $148 million and the jobs of CEO Gregg Steinhafel and CSO Beth Jacob. Fraud occurred on around 5% of the cards reported as compromised. A number of lawsuits are pending.

Incident response planning is a fundamental part of any I.T. security team's duties. Understanding gaps in how intrusions are detected and reported and the processes attached to them helps organizations minimize the time it takes to investigate and respond to breaches and consequently can mitigate impact. Furthermore, legal and PR teams can role-play strategies for responding to the loss of customer data. Communication with customers post-breach is key in retaining their trust and answering their questions about liability and the risk of identity theft.

CASE STUDY 3: ADVANCED SIMULATIONS

Crafting and testing a variety of cyberattack scenarios against real networks can be time-consuming and expensive. However, simulations can now be used to assist development of a risk management capability to deal with a wide range of attacks. London based Simudyne re-creates organizations within a computer simulation allowing regular exercises with different variables to play out virtually. "We take the firm's information security policies, standards, processes and procedures and load them into the computer simulation," says CEO Justin Lyon. Data from behavioural monitoring and anomaly detection are incorporated while mathematical techniques based on system dynamics, agent based modelling and discrete event replication ensure the simulation adequately mirrors reality.

Advanced simulations, such as those created with Simudyne software, include technical and business process considerations and their interaction with key organisational factors.
Any issue that is a real-world factor can be loaded into the simulation, effectively stress-testing systems, training personnel, and fine-tuning responses. Simulations cannot compete with the human brain's ability to form hunches, but they can maintain consistent adherence to thousands of known data points and their relationships to each other. They also make mistakes cheaper.

Learning retention and effectiveness fades over time and live exercises may be limited by budget, travel, schedule, equipment and available roles. Simulations meanwhile offer unlimited customizations, varying situations and scenarios for the same expenditure, replicating data center environments or multi-national conglomerate networks. Building the first exercise is challenging, though once built, endless variants can be run at a fraction of the cost of live exercises. Simulation allows stakeholders to understand the consequences of a single decision.

Fighter pilots train constantly in simulators despite the fact they have their license to fly, allowing them to experience a broad range of situations and ensuring they make the right decisions under considerable stress. It is no different for any business and could be the difference between successful incident handling or massive business interruption.

ABOUT DOW JONES RISK & COMPLIANCE

Dow Jones is a global provider of news and business information, delivering content to consumers and organizations around the world across multiple formats, including print, digital, mobile and live events. Dow Jones has produced unrivaled quality content for more than 125 years and today has one of the world's largest newsgathering operations with nearly 2,000 journalists in more than 75 bureaus globally. Dow Jones is also the provider of Dow Jones Risk & Compliance, which offers data solutions to help organizations mitigate regulatory, commercial and reputational risks. Discover more at dowjones.com/risk

These pages contain general information only. Nothing in these pages constitutes professional advice. Dow Jones make no warranties, representations or undertakings about: any of the content of these pages (including, without limitation, any as to the quality, accuracy, completeness or fitness for any particular purpose of such content); or any content of any other website referred to or accessed by hypertext link ("third party site"). Dow Jones does not endorse or approve the content of any third party site, nor will Dow Jones have any liability in connection with any of them (including, but not limited to, liability arising out of any allegation that the content of any third party site infringes any law or the rights of any person or entity).

© 2015 Dow Jones & Company, Inc. All rights reserved. 24MARCH2015
September 20, 2013 Senior IT Examiner Gene Lilienthal
Cyber Crime September 20, 2013 Senior IT Examiner Gene Lilienthal The following presentation are views and opinions of the speaker and does not necessarily reflect the views of the Federal Reserve Bank
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015
Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence AIBA Quarterly Meeting September 10, 2015 The Answer 2 Everyone The relationship between the board, C-suite, IT, and compliance leaders
defending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
Managing IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES
ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming
Into the cybersecurity breach
Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing
Cybercrime: risks, penalties and prevention
Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,
Defending Against Data Beaches: Internal Controls for Cybersecurity
Defending Against Data Beaches: Internal Controls for Cybersecurity Presented by: Michael Walter, Managing Director and Chris Manning, Associate Director Protiviti Atlanta Office Agenda Defining Cybersecurity
Information Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection
White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division
Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
Cybersecurity Awareness for Executives
SESSION ID: SOP-R04 Cybersecurity Awareness for Executives Rob Sloan Head of Cyber Content and Data Dow Jones @_rob_sloan Session Overview Aim: Provide a high level overview of an effective cybersecurity
The 5 Cybersecurity Concerns You Can't Overlook
The 5 Cybersecurity Concerns You Can't Overlook and how to address them 2014 SimSpace Corporation The 5 Cybersecurity Concerns You Can't Overlook CONCERN 1 You don't know how good your cybersecurity team
Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
Advanced Threat Protection with Dell SecureWorks Security Services
Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5
WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY
SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes
Cybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS
THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.
How To Protect Your Network From Attack From A Network Security Threat
Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your
Fighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS
CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS PREPARING FOR ADVANCED CYBER THREATS Cyber attacks are evolving faster than organizations
Protecting against cyber threats and security breaches
Protecting against cyber threats and security breaches IBM APT Survival Kit Alberto Benavente Martínez [email protected] IBM Security Services Jun 11, 2015 (Madrid, Spain) 2015 IBM Corporation So
Small businesses: What you need to know about cyber security
Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...
Technical Testing. Network Testing DATA SHEET
DATA SHEET Technical Testing Network Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance your security posture, reduce
PENETRATION TESTING GUIDE. www.tbgsecurity.com 1
PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I've heard about?... 3 How does a
Seamless Mobile Security for Network Operators. Build a secure foundation for winning new wireless services revenue.
Seamless Mobile Security for Network Operators Build a secure foundation for winning new wireless services revenue. New wireless services drive revenues. Faced with the dual challenges of increasing revenues
Technical Testing. Application, Network and Red Team Testing DATA SHEET. Test your security defenses. Expert Testing, Analysis and Assessments
DATA SHEET Technical Testing Application, Network and Red Team Testing The Dell SecureWorks Technical Testing services deliver the independent expertise, experience and perspective you need to enhance
Cybersecurity Workshop
Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153
AUTOMATED PENETRATION TESTING PRODUCTS
AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI) EXECUTIVE SUMMARY This paper will help you justify the need for an automated penetration testing product and demonstrate
CYBER SECURITY SPECIAL REPORT
CYBER SECURITY SPECIAL REPORT 32 The RMA Journal February 2015 Copyright 2015 by RMA INSURANCE IS AN IMPORTANT TOOL IN CYBER RISK MITIGATION Shutterstock, Inc. The time to prepare for a potential cyber
Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats
Cyber4sight TM Threat Intelligence Services Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats Preparing for Advanced Cyber Threats Cyber attacks are evolving faster than organizations
Application Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
Perspectives on Cybersecurity in Healthcare June 2015
SPONSORED BY Perspectives on Cybersecurity in Healthcare June 2015 Workgroup for Electronic Data Interchange 1984 Isaac Newton Square, Suite 304, Reston, VA. 20190 T: 202-618-8792/F: 202-684-7794 Copyright
Nine Steps to Smart Security for Small Businesses
Nine Steps to Smart Security for Small Businesses by David Lacey Co-Founder, Jericho Forum Courtesy of TABLE OF CONTENTS INTRODUCTION... 1 WHY SHOULD I BOTHER?... 1 AREN'T FIREWALLS AND ANTI-VIRUS ENOUGH?...
Protecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
Information security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian's operations. The vast majority of modern organisations face
CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS
CYBER & PRIVACY INSURANCE FOR FINANCIAL INSTITUTIONS 1 As regulators around the world move to tighten compliance requirements for financial institutions, improvement in cyber security controls will become
Cyber Threat Intelligence and Incident Coordination Center (C3) Protecting the Healthcare Industry from Cyber Attacks
Cyber Threat Intelligence and Incident Coordination Center (C3) Protecting the Healthcare Industry from Cyber Attacks July 2014 Cyber Threat Intelligence and Incident Coordination Center: Protecting
Cyber Security Management
Cyber Security Management Focusing on managing your IT Security effectively. By Anthony Goodeill With the news cycles regularly announcing a recurring theme of targets of hacker attacks and companies
How To Cover A Data Breach In The European Market
SECURITY, CYBER AND NETWORK INSURANCE SECURING YOUR FUTURE Businesses today rely heavily on computer networks. Using computers, and logging on to public and private networks has become second nature to
A Case for Managed Security
A Case for Managed Security By Christopher Harper Managing Director, Security Superior Managed IT & Security Services 1. INTRODUCTION Most firms believe security breaches happen because of one key malfunction
Top five strategies for combating modern threats Is anti-virus dead?
Top five strategies for combating modern threats Is anti-virus dead? Today's fast, targeted, silent threats take advantage of the open network and new technologies that support an increasingly mobile workforce.
The Four-Step Guide to Understanding Cyber Risk
Lifecycle Solutions & Services The Four-Step Guide to Understanding Cyber Risk Identifying Cyber Risks and Addressing the Cyber Security Gap TABLE OF CONTENTS Introduction: A Real Danger It is estimated
KEY STEPS FOLLOWING A DATA BREACH
KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,
Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice
Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government
WRITTEN TESTIMONY OF
WRITTEN TESTIMONY OF KEVIN MANDIA CHIEF EXECUTIVE OFFICER MANDIANT CORPORATION BEFORE THE SUBCOMMITTEE ON CRIME AND TERRORISM JUDICIARY COMMITTEE UNITED STATES SENATE May 8, 2013 Introduction Thank you
Getting Ahead of Malware
IT@Intel White Paper Intel Information Technology Security December 2009 Getting Ahead of Malware Executive Overview Since implementing our security event monitor and detection processes two years ago,
Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security
Analyzing Security for Retailers An analysis of what retailers can do to improve their network security Clone Systems Business Security Intelligence Properly Secure Every Business Network Executive Summary
Threat Intelligence Pty Ltd [email protected] 1300 809 437. Specialist Security Training Catalogue
Threat Intelligence Pty Ltd [email protected] 1300 809 437 Specialist Security Training Catalogue Did you know that the faster you detect a security breach, the lesser the impact to the organisation?
Identifying Cyber Risks and How they Impact Your Business
10 December, 2014 Identifying Cyber Risks and How they Impact Your Business David Bateman, Partner, K&L Gates, Seattle Sasi-Kanth Mallela, Special Counsel, K&L Gates, London Copyright 2013 by K&L Gates
FINANCIAL FRAUD: THE IMPACT ON CORPORATE SPEND IT SECURITY RISKS SPECIAL REPORT SERIES
FINANCIAL FRAUD: THE IMPACT ON CORPORATE SPEND IT SECURITY RISKS SPECIAL REPORT SERIES Kaspersky Lab 2 Corporate IT Security Risks Survey details: More than 5,500 companies in 26 countries around the world
Content Security: Protect Your Network with Five Must-Haves
White Paper Content Security: Protect Your Network with Five Must-Haves What You Will Learn The continually evolving threat landscape is what makes the discovery of threats more relevant than defense as
Mitigating and managing cyber risk: ten issues to consider
Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed
A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014
A Wake-Up Call? Fight Back Against Cybercrime Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,
Statement for the Record. Richard Bejtlich. Chief Security Strategist. FireEye, Inc. Before the. U.S. House of Representatives
Statement for the Record Richard Bejtlich Chief Security Strategist FireEye, Inc. Before the U.S. House of Representatives Committee on Energy and Commerce Subcommittee on Oversight and Investigations
Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime
How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime sponsored by Introduction
Seven Strategies to Defend ICSs
INTRODUCTION Cyber intrusions into US Critical Infrastructure systems are happening with increased frequency. For many industrial control systems (ICSs), it's not a matter of if an intrusion will take
Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014
www.pwc.com/security Defending yesterday While organizations have made significant security improvements, they have not kept pace with today's determined adversaries. As a result, many rely on yesterday
WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY.
WHAT EVERY CEO, CIO AND CFO NEEDS TO KNOW ABOUT CYBER SECURITY. A guide for IT security from BIOS The Problem SME's, Enterprises and government agencies are under virtually constant attack today. There
The Value of Automated Penetration Testing White Paper
The Value of Automated Penetration Testing White Paper Overview As an information security and the security manager of the company, I am well aware of the difficulties of enterprises and organizations
Symantec Advanced Threat Protection: Network
Symantec Advanced Threat Protection: Network DR150218C April 2015 Miercom www.miercom.com Contents 1.0 Executive Summary... 3 2.0 Overview... 4 2.1 Products Tested... 4 2.2. Malware Samples... 5 3.0 How
NATIONAL CYBER SECURITY AWARENESS MONTH
NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone's responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the
The Cyber Threat Profiler
Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are
Franchise Data Compromise Trends and Cardholder. December, 2010
Franchise Data Compromise Trends and Cardholder Security Best Practices December, 2010 Franchise Data Security Agenda Cardholder Data Compromise Overview Breach Commonalities Hacking Techniques Franchisee
Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015
Cyber Threats Insights from history and current operations Prepared by Cognitio May 5, 2015 About Cognitio Cognitio is a strategic consulting and engineering firm led by a team of former senior technology
New York State Department of Financial Services. Report on Cyber Security in the Insurance Sector
New York State Department of Financial Services Report on Cyber Security in the Insurance Sector February 2015 Report on Cyber Security in the Insurance Sector I. Introduction Cyber attacks against financial
Modern Cyber Threats. how yesterday's mind set gets in the way of securing tomorrow's critical infrastructure. Axel Wirth
Modern Cyber Threats how yesterday's mind set gets in the way of securing tomorrow's critical infrastructure Axel Wirth Healthcare Solutions Architect Distinguished Systems Engineer AAMI 2013 Conference
Who's next after TalkTalk?
Who's next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
www.pwc.co.uk Cyber security Building confidence in your digital future
www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in
Carbon Black and Palo Alto Networks
Carbon Black and Palo Alto Networks Bring Together Next-Generation Endpoint and Network Security Solutions Endpoints and Servers in the Crosshairs of According to a 2013 study, 70 percent of businesses
Anti-exploit tools: The next wave of enterprise security
Anti-exploit tools: The next wave of enterprise security Intro From malware and ransomware to increasingly common state-sponsored attacks, organizations across industries are struggling to stay ahead of
Cyber Essentials Scheme
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
Internet threats: steps to security for your small business
Internet threats: 7 steps to security for your small business Proactive solutions for small businesses A restaurant offers free WiFi to its patrons. The controller of an accounting firm receives a confidential
The President's Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
For further information, please contact: The President's Critical Infrastructure Protection Board Office of Energy Assurance U.S. Department of Energy 202/ 287-1808
Is the PCI Data Security Standard Enough?
Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard
Cisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
Breach Found. Did It Hurt?
ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many
Lifecycle Solutions & Services. Managed Industrial Cyber Security Services
Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements
Cybernetic Global Intelligence. Service Information Package
Cybernetic Global Intelligence Service Information Package / 2015 Content Who we are Our mission Message from the CEO Our services 01 02 02 03 Managed Security Services Penetration Testing Security Audit
Executive Summary 3. Snowden and Retail Breaches Influencing Security Strategies 3. Attackers are on the Inside Protect Your Privileges 3
GLOBAL ADVANCED THREAT LANDSCAPE SURVEY 2014 TABLE OF CONTENTS Executive Summary 3 Snowden and Retail Breaches Influencing Security Strategies 3 Attackers are on the Inside Protect Your Privileges 3 Third-Party
TLP WHITE. Denial of service attacks: what you need to know
Denial of service attacks: what you need to know Contents Introduction... 2 What is DOS and how does it work?... 2 DDOS... 4 Why are they used?... 5 Take action... 6 Firewalls, antivirus and updates...
Getting real about cyber threats: where are you headed?
Getting real about cyber threats: where are you headed? Energy, utilities and power generation companies that understand today's cyber threats will be in the best position to defeat them June 2011 At a
Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises
Appendix Key Areas of Concern i. Inadequate coverage of cybersecurity risk assessment exercises The scope coverage of cybersecurity risk assessment exercises, such as cybersecurity control gap analysis
TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY. Mark Villinski @markvillinski
TOP 10 TIPS FOR EDUCATING EMPLOYEES ABOUT CYBERSECURITY Mark Villinski @markvillinski Why do we have to educate employees about cybersecurity? 2014 Corporate Threats Survey 94% of business's suffered one
Middle Class Economics: Cybersecurity Updated August 7, 2015
Middle Class Economics: Cybersecurity Updated August 7, 2015 The President's 2016 Budget is designed to bring middle class economics into the 21st Century. This Budget shows what we can do if we invest
case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:
The Computerworld Honors Program Summary developed the first comprehensive penetration testing product for accurately identifying and exploiting specific network vulnerabilities. Until recently, organizations
WHITE PAPER. Attack the Attacker HOW A MANAGED SECURITY SERVICE IMPROVES EFFICIENCY AND SAVES COST
WHITE PAPER Attack the Attacker HOW A MANAGED SECURITY SERVICE IMPROVES EFFICIENCY AND SAVES COST Table of Contents THE SECURITY MAZE... 3 THE CHALLENGE... 4 THE IMPORTANCE OF MONITORING.... 6 RAPID INCIDENT
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS
Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE
ETHICAL HACKING
