feeding my own misguided insanity

CyberSecurity: A Case Study of the Need for Change

October 15, 2015 Shem Radzikowski One Comment

It’s not every day that you get to play the role of the chief information officer (CIO) of a Fortune 100 company.  However, in light of recent high-profile cybersecurity breaches, let’s imagine for a moment that you are a CIO who is busy preparing to deliver a rather sobering cybersecurity briefing.

This is the first of a series of articles that I’ll be posting on CyberSecurity and Advanced Persistent Threats (APTs).

Much of what will be covered has been obtained from numerous sources — publications, whitepapers, conferences, blogs, personal experience and interviews — in the hope of presenting actionable guidance within a contemporary setting.

CyberSecurity Incident Briefing

Being the bearer of bad news is never easy, particularly so when the news is likely to derail a multi-billion dollar corporation.  And so, having completed the postmortem on a sophisticated hack that ran circles around your cyberdefences, you have been called in front of the chief executive officer (CEO) and the board of directors to deliver your briefing.

You take a moment to compose your thoughts and then begin to speak:

It took the attackers only six minutes to circumvent the perimeter defenses. From there, they achieved domain administrator privileges in less than 12 hours. In less than a week they fully compromised all 30 of our global domains. They harvested more than 200,000 credentials, giving them the ability to log in to the network masquerading as any of us, they could even change our investment elections in our 401(k)s or transfer money out.

There was no place on our global network they could not go and only a handful of computers they did not have easy access to, only 10 percent of our manufacturing facilities are behind firewalls, segregating them from our network. The attackers were in a position to electronically transfer millions of dollars out of our bank accounts through our accounts payable system. Their tools did not set off any alarms, our antivirus software did not trigger any alerts.

They had direct access to our manufacturing environment and could affect both the quality of our production processes and safety on our shop floors. They had access to our most sensitive intellectual property, including our past, current and future plans for major acquisitions and divestitures as well as the results of the billions of dollars we have invested in a decade of research and development.

And, in the end, they were able to steal all the data. We were not able to stop them, or even see them in our network.

While helpless panic filled the boardroom, it also marked a dramatic shift in the way the organization viewed cybersecurity.  This watershed moment granted a previously neglected aspect of operational security the mandate to rethink its mitigation strategy.

The Need for Change

The above example was a case of too little, too late.  And although the damage here had been done, many of the board members held non-executive positions at other Fortune 100 companies.  Their minds were busy assessing the likelihood of similar cybersecurity failures at these other organizations.

The questions they were asking: “What if someone does this to us again? How would we fare? How are we positioned to make an attacker’s tasks difficult, to detect that an attack scenario is underway, and to respond to attacks we detect?[1]

The ten assessment scenarios shown in Figure 1 were developed by Ernst & Young’s attack and penetration teams based on their previous encounters with advanced persistent threats (APTs).

Ten Assessment Scenarios

Figure 1: Ten Assessment Scenarios

These ten scenarios, although not an exhaustive list, can serve as a good starting point for organizations trying to come to terms with an adversary whose differing motives and increasingly sophisticated attacks pose significant risk to their operations.

Visualizing the Biggest Data Breaches

Only a very small proportion of attacks receive national or international media attention.  The vast majority of organizations, unless required by law, will try to minimize the negative press and never fully disclose the scale of a hack.  After all, would you trust a bank to look after your money when they struggle to secure their own corporate website?

The scale of the problem can be seen in the Figure 2, and even these have been filtered to show breaches where total losses amounted to at least 30,000 records per incident.  For a fully interactive and up to date version of the data visit the source.

World's Biggest Data Breaches

Figure 2: World’s Biggest Data Breaches

Conclusion

The incident briefing, as described by our CIO to the CEO and the board, reflected an urgent need to fundamentally shift how the enterprise approached cybersecurity.  This need was driven primarily by one key fact: The threats that enterprises face by being connected to the Internet are evolving at a much faster pace than the information security architectures, technologies and processes they have deployed to thwart them.[2]

The threats that enterprises face by being connected to the Internet are evolving at a much faster pace than the information security architectures, technologies and processes they have deployed to thwart them.

While following prescriptive guidance will dramatically improve an organization’s preparedness in thwarting attacks, it is worth noting that guidance alone is no silver bullet.  Transforming the security posture will only be helpful if such transformation is performed on a a continual basis.

Advanced Persistent Threats are actively engaged in reshaping their attack philosophies.  If organizations are to mitigate such efforts, they need to be equally nimble at embracing novel approaches to cybersecurity.

Footnotes
  1. The Ernst & Young (EY) engagement encompassed the design of a broad series of assessments not intended to measure compliance with policy or conformance to leading practice/technology controls, but rather to focus on assessing the company’s cybersecurity posture in the face of attacks other Fortune 100 companies had recently suffered. ^
  2. ISACA has designed and created Responding to Targeted Cyberattacks primarily as an educational resource for security, governance and assurance professionals. ^

Bibliography

1.
Advanced persistent threat [Internet]. Wikipedia, the free encyclopedia. 2015 [cited 2015 Oct 7]. Available from: https://en.wikipedia.org/w/index.php?title=Advanced_persistent_threat&oldid=668868277
2.
A Quick Guide to the Worst Corporate Hack Attacks – Business, Financial & Economic News, Stock Quotes [Internet]. Bloomberg.com. [cited 2015 Oct 9]. Available from: http://www.bloomberg.com/graphics/2014-data-breaches/
3.
Connecting the APT Dots | Security Intelligence | TrendLabs – Trend Micro [Internet]. [cited 2015 Oct 8]. Available from: http://blog.trendmicro.com/trendlabs-security-intelligence/connecting-the-apt-dots-infographic/
4.
Cybersecurity: Defending Against Advanced Persistent Threats. The MITRE Corporation [Internet]. [cited 2015 Oct 8]; Available from: https://www.mitre.org/publications/project-stories/cybersecurity-defending-against-advanced-persistent-threats
5.
Detecting APT Activity with Network Traffic Analysis – wp-detecting-apt-activity-with-network-traffic-analysis.pdf [Internet]. [cited 2015 Oct 8]. Available from: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
6.
Five Things Every Organization Should Know about Detecting and Responding to Targeted Cyberattacks [Internet]. [cited 2015 Oct 7]. Available from: https://webforms.ey.com/US/en/Newsroom/News-releases/News_Five-Things-Every-Organization-Should-Know-about-Detecting-and-Responding-to-Targeted-Cyberattacks
7.
Cha AE, Nakashima E. Google China cyberattack part of vast espionage campaign, experts say. The Washington Post [Internet]. 2010 Jan 14 [cited 2015 Oct 7]; Available from: https://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html
8.
IEEE Brings Together Top Security Specialists to Thwart Hackers – IEEE – The Institute [Internet]. [cited 2015 Oct 7]. Available from: http://theinstitute.ieee.org/technology-focus/technology-topic/ieee-brings-together-top-security-specialists-to-thwart-hackers
9.
[Infographic] APT Myths and Challenges | Malware Blog | Trend Micro [Internet]. [cited 2015 Oct 8]. Available from: http://blog.trendmicro.com/trendlabs-security-intelligence/infographic-apt-myths-and-challenges/
10.
Practice of Network Security Monitoring | No Starch Press [Internet]. [cited 2015 Oct 7]. Available from: https://www.nostarch.com/nsm
11.
ISACA. Responding to Targeted Cyberattacks [Internet]. 2013 [cited 2015 Oct 7]. Available from: http://www.infosecurityeurope.com/__novadocuments/68602?v=635526169065300000
12.
ISACA. Responding to Targeted Cyberattacks – Google Books Preview [Internet]. ISACA; 2013. 88 p. Available from: https://books.google.se/books?id=trumJJrkZcwC
13.
Seculert_Report_on_Perimeter_Security_Defenses.pdf [Internet]. [cited 2015 Oct 7]. Available from: http://info.seculert.com/hubfs/Project_Kiwi/Seculert_Report_on_Perimeter_Security_Defenses.pdf
14.
TaoSecurity: What Is APT and What Does It Want? [Internet]. [cited 2015 Oct 7]. Available from: http://taosecurity.blogspot.se/2010/01/what-is-apt-and-what-does-it-want.html
15.
The APT Lifecycle [Internet]. Seculert. [cited 2015 Oct 7]. Available from: http://www.seculert.com/the-apt-lifecycle/
16.
What APT Is (and what it isn’t) [Internet]. [cited 2015 Oct 7]. Available from: https://www.academia.edu/6842130/What_APT_Is
17.
Home, About, Blog, Data, Books, Workshops, et al. World’s Biggest Data Breaches & Hacks | Information is Beautiful [Internet]. [cited 2015 Oct 9]. Available from: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

, , , , , , , , , , , Security, Thoughts

One Comment → “CyberSecurity: A Case Study of the Need for Change”

  1. Mert 8 years ago   Reply

    Great article Dr. Shem. as you suggest, the security mindset should shift from incident basis to a continual basis with the assumption of continuous compromise. this will lead to more adaptive and hopefully less costly defenses

Leave a Reply