Rebooting from a Cyber-Punch: Easy, Messy, Gory?

Pratima H

INDIA: Allergies are the most neglected gifts bestowed to humanity.

Because people would rather royally turn a blind eye and handkerchief to the small signs that forewarn. They dismiss that sneeze, they brush away those slight stirrings of pain, they think it all ‘oh so harmless’. Everything is an inconsequential snowflake.

Until the day everything goes off-piste. Till that deer-in-the-headlights moment. That doomed millisecond when the avalanche comes rolling mercilessly.

And the travesty of it all: it was all right under your nose, all this time.

That’s why the equivalent of First-aid training in CPR (Cardiopulmonary resuscitation if you may) is called for in many moments of life (and near-death).

People and companies need to learn how to get the heart (and the arteries of any business anatomy) pumping back before it’s too late. They also need to know this as a reflex, coz; hey this is the one time where conference rooms, sandwiches and tribunals just can’t be squeezed in.

For those who have blissfully ignored the signs- now that the attack has unfolded, they need to salvage whatever they can. And SOON. Tick Tock, Tick Tock.

Chinks can turn into Craters

We all remember Sony Pictures Entertainment’s massive fiasco in 2014 that hairballed into the shutdown of several films’ production; not to forget the leak of unreleased films, sensitive employee data, and spools of internal emails that came as collateral damage. That was enough but apparently not. Litigation twisted the knife further when irate former employees sued the company for failing to protect their personal data, and successfully won an $8 million settlement with Sony in late 2015.

The anecdotes can go on and on. Target. Home Depot. Card Frauds. POS fiascos. Yahoo. Delta. Ashley Madison. The list is in progress.

The reality is fuzzier than we would imagine it to be. According to Forrester's 2016 surveys in this area, 53 per cent of enterprise respondents were willing to admit they had been breached. What jumps out is this: there was also a segment, some four per cent that were uncertain whether they had been breached. Forrester minces no words when it states that incident response is one of the most overlooked areas of information security. It is impossible to prevent every breach, and when they do occur, security pros find themselves inadequately prepared to respond.

Now insert some irony here - many breaches are discovered by a third party, not the breached party. The 2016 Verizon Data Breach Report, demystifies this alley when it shows that of all internal discovery methods combined, only less than nine per cent of victims discovered data breaches of their own accord.

After the 2014 intrusion data expose of 76 mn households, JP Morgan

Chase planned to double its cybersecurity budget to half a bn dollars in 2016

Without a proper plan in place ahead of time, it’s extremely difficult to contain or stop the incident once detected and preserve appropriate forensic evidence while you help restore IT services, Forrester adequately warned.

The Intel Security’s McAfee Labs December 2016 Quarterly Threats Report leaves no room for conjecture here. On one hand, 67 per cent of respondents reported an increase in security incidents; and yet, enterprise security operations center survey found 93 per cent acknowledging that were unable to triage all potential cyber threats.

If we look at an average, organisations are unable to sufficiently investigate as many as 25 per cent of security alerts while 26 per cent mentioned operating in a reactive mode despite having a plan for a proactive security operation. And this is when new ransomware samples increased 80 per cent since the beginning of 2016.

Keith Barker, CBT Nuggets trainer, a networking veteran who has also authored numerous technical books and articles serves it without any candy floss. “In the event of a security breach, if a company is not prepared, it is gonna be DEVASTATING.”

The coming years are not going to spare any relief it seems. Get ready for new corporate-incentivised insider threats that may clash with customer data, corporate profit and other performance goals, Forcepoint has spaed. Get ready to roll with surprises as organisations migrating their already vulnerable environments to the cloud would find limited security benefits without proper preparation as the underlying foundation that runs virtual machines may increasingly come under attack.

Beazley Breach Insights – January 2017 findings that are based on its response to client data breaches in 2016, point out that organisations appear to be particularly vulnerable to attacks during IT system freezes, at the end of financial quarters and during busy shopping periods. More cliff-hangers are on their way as evolving ransomware variants are further enabling hackers to methodically investigate a company’s system, selectively lock the most critical files, and demand higher ransoms to get the most valuable files unencrypted.

Meanwhile, of the 97,000 network devices that Dimension Data discovered, the number of devices that have at least one known security vulnerability increased from 60 per cent in the 2015 Report to 76 per cent in the 2016 Report – the highest figure at that in five years.

So, how to come out unscathed is not even a possibility. The best next thing is how to come up as soon as one can bounce and with the least business, penal and litigatory damage? Getting out of that cataleptic freaking-out mode would be a good start of sorts.

Expect the worst – the best start

In a 2016 report ‘Planning for Failure: How To Survive A Breach’ Forrester analysts John Kindervag, Josh Zelonis, and Heidi Shey rightly caution that with enough time and money, cybercriminals can breach the security defenses of even the largest enterprises. You can’t stop every cyberattack. "However, your customers do expect you to respond quickly and appropriately. A poorly contained breach and botched response have the potential to cost millions in lost business and opportunity, and ruin your firm’s reputation." they make the weather-warning clear.

Ransomware attacks were over four times higher in 2016 than in 2015 and will double again in 2017: Beazley Breach Insights – Jan 2017

Barker urges the need for readiness on policy, procedure and the same also being well-communicated to all parties that matter. From how to talk to media to how to have a Business Impact Analysis in the event of a compromise; so much should be well considered and well-laid-out even before going for a new virtual system or a network change. The Impact Analysis is particularly indispensable for mission-critical businesses. “Ask yourself frankly. What are my crucial business elements? What about confidential information?”

He emphasises the need for a running a DR plan in advance too. “Figure out how soon you can recover from a breach. In the world of virtualisation, data centres are backed up but this advantage has to be leveraged well by having solid plans for identifying data-sensitive critical parts, security-preparedness and back-up procedures.”

To come back in an operating mode! That’s the first and the toughest question here, as Vidit Baxi, Director - Technology, Lucideus (that provides security and ethical hacking training as well as IT Risk Assessment and Digital Security Services consulting) puts it. Investigating into the entire scope and visceral understanding of an act and patching it comes next. Baxi contends that the most important thing is the time it takes to come back and patch the loophole so that it doesn’t lacerate anything further.

Litigation, noncompliance and significant fines are as much of a consequence as the downtime and damage the business suffers, thanks to an unexpected breach. Recall how the PCI Data Security Standard requires an organisation to “enable processes to provide for timely forensic investigation in the event of a compromise to any hosted merchant or service provider.” Forrester outlines.

There is clearly so much striking at the same time.

So what can turn an enterprise from a sitting duck into a phoenix?

To get going, as Barker captures it brilliantly: If you see something, say something

Kill that Post-Mortem Mentality

To periodically test for malware and brute-force attacks is good, but social engineering is a massively-ignored area here. Barker stresses that in the US the idea of consciously picking out vulnerable chinks and pointing them out is a hugely encouraged one. Do not let anything pass if it smells odd, no matter how small it looks.

Would you want to learn how to cut over from a failed primary site to a back-up hot site after the outage has occurred? No, that’s what a DR (Disaster Recovery) plan is for. So, why would you want to develop your incident response plan in real time while cybercriminals are pilfering intellectual property? Forrester’s report authors ruthlessly ask here.

A well defined incident management program provides a script to follow when incidents occur, Kindervag, Zelonis, and Shey explain.

TalkTalk’s 2015 breach cost them about an estimated £42 mn in response costs

and profits halved to £14 mn from £32 the year prior: Forrester

An incident response plan, like a business continuity or an IT disaster recovery plan, is your immediate response to a specific threat. To be effective, you need to establish an ongoing incident management program that lets you identify the potential risks so that you can create appropriate response plans, test those plans, and keep them current, they advise.

Some Ante-mortem steps before the Piper arrives:

• It ‘can’t’, repeat, ‘can’t’, repeat again, CAN’T be a Knee-jerk reaction. It has to be anything but a panic attack. So the reaction has to be thought of months before any such thing even bubbles in the air. Whether it is data recovery, fire-wall analysis or redundancy-planning, the readiness has to be cemented well ahead of any attack.

• Prior to an incident occurring business-unit data owners should meet and forge understanding of data and its implications with IT security folks.

• Institute dedicated incident response staff with advanced forensics capabilities. Compare this to the status-quo: Only 22 per cent of network security decision-makers at enterprise organisations report increased spending on their incident response program as a result. And we are talking about those enterprises that have already suffered a breach.

• Consider DRPC (Disaster Response Preparedness and Coordination) which is a must for businesses like BFSI ones for many other reasons. Go back to the basics- have an Incident Response team in place.

• Invest in engaging legal staff during the incident management planning and response. They can provide guidance on the legality of potential searches and the requirements of evidence collection, while they do the obvious: to defend the incident response plan.

• Look out for expertise in breach notification, incident response, and privacy areas. Proactively, that is.

• Yes. Puhleez be Proactive. Let go of ‘I hope it works’ attitude and seek out loopholes before the adversary does. It appears that a major government did that recently by going to the dark web and soliciting for vulnerabilities in the voting system through SQL Injection System tools. Although it was a decade-old form of attack, they discovered it by anticipating it from the attack side.

• Identity theft protection organisations along with the notification providers, for apt monitoring of your victims’ financial accounts as remuneration; or something more pre-emptive: contracts and arrangements drawn up in advance for being activated immediately following a breach event.

• The secret is strategy and design. Design should work from the epicenter of rebooting as soon as possible. It is easy to get up and running today with the options that virtualisation and DR systems furnish, but you should know how, and without the guesswork when the attack strikes.

• Plan for some uncomfortable but blunt questions in advance: How will notification providers alert your customers to an incident? What compliance regulations are in place? Who do you contact when the investigations show signs of criminal activities?

• Put in place proper escalation mechanisms for network operations center (NOC) and security operations center (SOC).

• Start where you are, Ask what authentications are being used. Try to have a good plan around using virtual machines, both before and after testing. Limit access severely to people as per business and system rigor.

• Have relevant and adequate visibility into networks and firewalls so as to detect abnormal patterns and user behavior in networks and IT environment before it is too late

• Security is never full-proof. Accept that. Go for strong forensic investigations as soon as you can.

(Courtesy: Forrester Reports, Experts from CBT Nuggets, Lucideus)

Now that you know of all this, also think of some peri-mortem stuff. One must understand the extent of the incident and what information the attackers compromised so that you can determine if you need to contact law enforcement and send breach notifications to affected parties, such as your customers, partners, and employees.

How to manage this level of readiness though? Some toe-dipping that should be as good as knees going deep in harsh trenches. In other words, Rehearse for the Quakes. Make some room for after-shocks too. (Part 2 of the story tells more)