6 Practical Tips for Protecting your Agency Against 2017’s Top Threats
Data breach statistics are staggering. Through the end of March 2017, there have already been over 300 major breaches and over nine million records stolen. It’s a challenging problem and one that doesn’t come with a lot of solutions. Part of the problem is understanding what the patterns are. Today’s attacks have several stages, from initial reconnaissance to actions on objectives, as depicted in the Cyber Kill Chain, which describes the phases of a targeted attack. What’s particularly interesting about the Kill Chain is that threat actors gather a great deal of information about their victims before engaging and weaponizing their attack.
This is key, because if you understand this approach and the level of effort that goes into the attack phase, it becomes clear that the actor knows the victim much better than the victim knows itself – putting the victim at a significant disadvantage. This plays out in statistics which show that the time between an organization being attacked and finding out that it has been compromised is, on average, 226 days!
But how can you protect your agency or organization from these threats? Charles Johnson, a cybersecurity expert with DLT partner Alert Logic, outlines essential steps all agencies should take in this 30-minute webinar. By way of summary, here are six key learning moments.
1. Been Attacked? Don’t Pull the Cord
Once they discover they’ve been attacked, many organizations automatically pull the plug on their network or website. It may seem right at the time, but, in fact, it can be the worst thing to do. Instead, Alert Logic stresses that you first understand where you are in the Cyber Kill Chain process before you take action.
2. Before You Act, Ask Yourself Some Questions
There’s a significant downside to moving too fast, not least of which is that it leaves you with no way to determine attribution. In addition, you may end up paying a bunch of cybersecurity consultants a lot of money to help with investigation efforts that you’ve inadvertently compromised simply by pulling the plug. Instead, stop for a minute and ask yourself a few critical questions:
• What is your primary objective? If you’re in the middle of buying a piece of hardware or software, does it make you more secure? How do you operationalize a piece of software and what is the primary benefit of doing so? Where does it fit into your strategy for the protection of key assets?
• What about the Cyber Security Incident Response plan? (more on that below)
• Is there a downside to quietly observing the actions of the attacker? This is a question that’s rarely asked. If you have the ability to gather that type of forensic data it may prove beneficial for you to understand where your vulnerabilities are and where that expenditure in software really makes sense. But, most importantly, learning more about the attacker will expose where the risks in your organization lie.
3. The Plan is the Thing
Before you buy a tool or consider a service, you really need to understand what’s most important to you. It may be data or a service you provide to constituents or employees. Whatever it is, you must prepare and identify the appropriate protection mechanisms and cascade your protection profile out from there.
Next, identify what potential threats exist in process and procedure as well as in malicious activity. Do you have a plan to communicate with relevant parties and notify stakeholders and the public of a breach?
You also need a mitigation strategy to cover the vectors to which you’re most vulnerable, and the compensating controls that are weaker in your environment.
In cases where you aren’t able to mitigate an attack, your plan should include a containment strategy. You’ll also need an eradication strategy; this involves understanding the attack patterns and tools that are leveraged in the most common attacks.
The recovery process, also part of your plan, is an ongoing one and can last 2-3 years depending on the efficacy of an attack. Finally, go through the lessons learned at each phase of your cyber incident response plan.
4. Roles and Responsibilities
As you plan to protect yourself from threats, consider the roles and responsibilities that support your strategy. This is very much a CISO- or CIO-driven strategy – they need to set and communicate the plan across all tiers of the agency or organization from the top down.
Key roles and responsibilities include:
• Incident notification/communications – Who owns this? Sometimes this is the role of the leadership of the organization, whether a CISO or the head of a police department. They can help communicate with others outside the organization as well as with employees, contractors, vendors, and law enforcement. Notifications should be easy and planned in advance so that those impacted have a clear understanding of what the risk is and what the response will be.
• Help desk – The help desk always bears the brunt of the attack. If there are legitimate needs during an attack campaign, the help desk won’t be able to service them because of fall-out from the attack. They must be equipped to help during the phases of an attack, but they also need to be prepared to be the frontline of defense.
• Technical team – The technical team responsible for responding to the attack should comprise people who understand the services that you’re working to protect and can gather forensic artifacts to inform your response strategy. If you have a small team, then you may need to rely on consultants, but, in most cases, this team will include IT staff. These roles and responsibilities include triage (fix known issues and return system to normal), forensics (root cause analysis and chain of custody), network security (infrastructure assessment), and malware analysis (reverse engineer, zero days) – all of which need to be tightly defined. You’ll also need depth in the team so you can handle multi-day triage and mitigation.
• Legal/HR/Public affairs – These teams will have a huge role to play since government agencies – state, local, or municipal – are required to keep citizens informed, while adhering to regulatory compliance.
5. How Does This All Work with the Cloud?
The cloud makes things interesting, since you don’t have control of the infrastructure. While you may have an SLA with the cloud provider, your roles and responsibilities are similar to those described above. Remember, protecting your data or applications in the cloud is always going to be your responsibility, unless a third party is managing it. Be sure to ask the cloud service provider the right questions and understand their cloud security model.
6. Test the Plan
The most important thing in a plan is to test it. Update your response templates regularly and conduct live tests, such as penetration testing, to see how effective your tools are.
The Bottom Line
Assume that at some point you will be breached. Having a plan and clearly defined roles and responsibilities will ensure that when an attack occurs, you’re not scrambling to understand what to do. If you have the ability to do so, consider the Cyber Kill Chain in your response, and observe the adversary without tipping them off, so that you understand the full extent of the breach and the attacker’s intent.
Don’t forget to use all the tools at your disposal. For example, use cloud networking tools to isolate compromised infrastructure and orchestrate recovery efforts.
Test, test, test. Run your incident response team through regularly scheduled and surprise exercises and engage your cloud provider in those plans. Finally, if possible, when you consider tools and services, make sure they can manage hybrid infrastructures so you’re not adding to the workload of the response team.
If you have 30 minutes, check out the webinar – Protecting Yourself from the Top Threats in 2017 – which includes an example from Tewkesbury Police Department of how they handled a ransomware attack and the lessons learned.