Rehearsals and drills are part of life. From a young age we’re taught to “stop, look and listen” before crossing the road. It becomes a reflex, something that children just “do” in order to be safe.
I have no desire to be in an emergency on an aircraft, but I’m confident that if ever the situation arises, that I will know to pull the mask sharply towards me in order to start the flow of oxygen. These instructions have been drilled in to me until I know them off by heart.
Martin Lee, Technical Lead, Security Research, Cisco Talos
Similarly, every work place takes the threat of fire seriously. Fire exits are clearly marked, fire extinguishers available, and every once in a while, a fire evacuation of the building is rehearsed. Everyone knows what the fire alarm sounds like, where the nearest exits are and how to make their way to the assembly point.
I’m confident that if ever I do discover a fire, I’ll know how to react, and importantly what number to phone in order to summon a team of experts to rush to the scene and swiftly deal with the incident.
But what about other incidents? It’s surprising to read in a government survey of large companies that although 54% of boards view cyber risks as a top business concern, 68% of boards have not received any training in how to respond to a cyber incident, and 10% have no plan whatsoever.
Newspapers are peppered with stories of organisations who have fallen victim to cyber-attacks. The devastation caused across the world by the self-propagating worms WannaCry and Nyetya are also evidence of the risks to which organisations are exposed.
These incidents should not be seen as the inevitable punishment of the poorly prepared. Any published incident can be used as case study, a real-life example of a cyber breach, which can be used to improve the security posture of any organisation.
Content from our partners
Ultimately, a case study should stimulate debate and reflection. The key questions to consider are: Could this happen to us? How would we identify if this happened to us? How would we respond? How could we reduce the likelihood of this happening?
Identifying Attacks
Identifying a fire is easy. Flames, smoke and heat are a giveaway. Buildings have smoke detectors to raise the alarm when a hint of smoke is discovered. Cyber incidents are not necessarily so easy to spot.
A system infected by ransomware is clearly an incident. However, an unresponsive website may be caused by many issues, or it may be a denial of service attack. Identifying what is happening requires having access to someone with the skills to analyse what is happening.
Malicious network traffic can be identified through the triggering of network signatures or connections to blacklisted destinations. But this only functions as a warning system if the correct network signatures or blacklists are enabled, and only if someone is watching for alerts.
Walking through a case study allows an organisation to reflect on whether they would detect such an incident, and how the alert would be raised.
For example, a system hit by ransomware is likely to be discovered by an end user, but would the user know who to contact to resolve the issue? Similarly, if another worm similar to WannaCry was to enter the internal network and make multiple connections to devices on port 445, how would this be identified? Who would determine that this was malicious activity?
Responding to Attacks
Detecting an incident is only half the story. Once an incident has been detected, a swift response is required. Practicing responses highlights the gaps between what is desired and what can be delivered. Once a deficiency is identified, it can be addressed and resolved so that when an actual response is required, the result is smooth and effective.
In many cases, it might be clear that specialist skills or external liaison is required. In these cases, do you know who you will call? Is the number you have still valid? Do you know the name of the person to whom you will talk? Do they know you?
Periodic rehearsals allow relationships with third party providers to be established, so that when an actual incident occurs the call does not come out of the blue, the provider knows who you are and what they are required to do.
Don’t neglect the non-technical response. Clear communication of the incident will also be necessary. What will be communicated to clients? By whom and when? What are the legal implications if a vital data set was to be leaked? Who will advise and what are their requirements?
Practice Makes Perfect
Everyone understands the concept of a fire drill, it is put in place to ensure that people know how to respond in a genuine emergency. The nature of cyber incidents requires the same approach. Identify likely scenarios, conduct them as a walk through exercise first and then simulate an incident to test that your detections and responses are as expected.
At each stage adopt a Plan, Do, Check, Act model. Plan what you are going to rehearse then do it. Check what worked and what didn’t work as expected. Act to make improvements and changes based on what was learnt.
It’s unlikely that any response to a real incident will ever be perfect, but through practice you can ensure that real-life incidents will cause as little disruption and have as little impact as possible.
Implementing a cyber-drill today will help you prepare for the cyber-attacks of tomorrow.
