Prepare for the worst!
It would be natural to try and protect all information with the best controls but, in reality, the cost of such a policy is unrealistic in the vast majority of situations.
Therefore the best planning that can be done is to expect the worst situation to arise as an attack on the most valuable information held.
Then, with any luck, the plans put in place will be more than enough to deal with any situation that might arise.
The start of any incident is recognising that something untoward has actually happened. It is vital to get to grips with the event as quickly as possible and ensure there is sufficient information to determine what has happened so as to drive the next steps to take.
In one incident, it was thought a physical breach had happened. In fact it turned out that the suspected incident was actually a simple video recording that had been fed into a surveillance system and so no breach had actually occurred.
The initial investigation should determine as quickly as possible:
- What information is at risk (where is the breach). This must include being aware of the state and status of that information. Is it, for example, current, encrypted, personal or sensitive?
- When the breach took place. The attacker dwell time, in this context, is the time between a breach occurring and its detection, and it is quite possible for this to be many days if not months. Reducing the dwell time to as short as possible should be the target. Recent information shows that the industry average dwell time has fallen from around 200 days in 2014 to around 70 days in 2016, which is good. It should be recognised, however, that the attacker is likely to take no more than 6 days on average to achieve their desired results in a targeted attack, so there is still a very long way to go.
- Whether the attack is ongoing or complete. If it is ongoing then time becomes even more critical bearing in mind the times given above.
- The main method(s) used for the breach, if not the actual perpetrators and tools used. It often takes significant forensic work to determine this precisely.
- The primary purpose of the attack, or at least whether this is the intended target or merely a way of trying to access another more valuable target, up the supply chain perhaps. In one case, a firm was directly targeted due to data they held on their clients’ business interests which related to raw materials, of interest to certain state actors.
Naturally the initial investigation will not provide full answers to some (or all) of the questions, but a start must be made and speed is of the essence. Especially if the attack is ongoing, it is critical to establish and recognise that fact so that immediate actions can be taken.
These actions might involve closing connections within the organisation, with other partners and/or to the internet. This should be done to reduce the risk of further development of the attack, exfiltration of information, and spreading of the attack to other areas.
Clearly, in order to do that, monitoring of the traffic on the network is fundamental; otherwise anomalous traffic, perhaps showing where the attack is taking place, will not be identified.
The closure of connections could be done in a number of ways from the physical such as unplugging a cable, through to reconfiguring the firewall to block particular IP addresses internally or externally.
This also might mean setting rules on the intrusion prevention system (IPS), if installed, to detect new connections.
All this should be documented in an incident management plan that is tested on regular occasions. Testing can be done by “war gaming”, bringing in specialist firms to pretend to be the enemy attacker and to help hone the skills, confidence and competence of the in-house staff.
Alternatively, if the in-house staff are good, they can develop their own versions and test each element of the plan over time, not forgetting that the whole must work together in the end.
If you work in a large company, public body, or even in a critical smaller organisation, all the above must be done with proper awareness of the very high levels of interest the press and regulators will have in your incident.
A media management plan and ways of dealing with all the stakeholders including staff, media, regulators, suppliers and clients/customers is critical.
This must be tested at regular intervals perhaps by mock TV interviews or prepared press releases.
In one major incident in 2015, a Chief Executive was asked live on television if her customers’ personal information (that had been hacked) was encrypted. Her lack of adequate response led to much anguish and ill comment in the press and elsewhere. Reputational damage occurs very quickly but takes a very long time to repair.
Author - Andy Taylor - Lead Cyber Assessor, APMG
Originally published - 22 June 2017