2nd March, 2020
As we approach 2020, cyber-attacks have become more and more prominent, with major headlines such as “Company Z announces new data breach affecting 57 million riders and drivers,” “218M [individuals] Compromised in Data Breach” and “Company X Hit by ‘NotPetya’ Ransomware Attack” circulating on social media on a seemingly daily basis.
The story of NotPetya, which struck the shipping giant Maersk in June 2017, was widely documented online by the InfoSec community. Within 7 minutes, NotPetya had destroyed most of Maersk’s IT infrastructure: 49,000 laptops, 1,000+ applications, its enterprise service bus and its VMware vCenter cloud-management servers, amongst others.
NotPetya is memorable for a couple of reasons – first, the devastating consequences when it was unleashed in the wild and the rapid speed at which it spread. Secondly, its extensive impact on Windows-based systems, and the unintended consequence of bringing into focus nation-state-sponsored cyber weapons falling into the hands of proxy adversaries.
But how exactly do large organisations deal with being attacked, and, as a customer-facing organisation, what steps do they take in order to minimise the financial and reputational damage these data breaches can cause?
TO HIDE OR NOT TO HIDE?
Some large companies have been found to hide such events. For example, Uber discovered the data breach of 57 million customers and drivers in late 2016; however, they waited almost a year before acknowledging that the breach had happened.
Whilst financially this may have caused less damage in the short term, in the long term their reputation would likely have taken a much more significant hit, because of the lack of respect Uber showed its customers and the loss of trust that followed. Delaying the announcement of a breach like this could well have been devastating to a smaller organisation.
At a recent talk, at BlackHat Europe 2019, A.P. Moller Maersk A/S Chief Information Security Officer, Andrew Powell, narrated Maersk’s response to NotPetya, which provided a very interesting insight into how Maersk dealt with falling victim to such an attack. According to Andrew Powell’s account, the key to this is plain and simple: transparency.
By being transparent with their customers, as well as with the public, Maersk found themselves in a strong position, with organisations and customers reaching out to them to offer support.
Being transparent also allowed Maersk to focus on the issue at hand, without having to try to cover it up, so that they could respond to the cybersecurity incident as efficiently as possible.
It sounds simple, right? So why are more organisations not doing this? Complacency? Maybe, but how many employees actually know what to do in the event of a cybersecurity incident, and can they then translate their company’s policy into something actionable?
Ask yourself, how would you deal with a cybersecurity incident involving the world’s fastest-propagating piece of malware ever seen to date? Every minute you hesitate, you’re responsible for the loss of tens of thousands of pounds – and even worse, your organisation’s reputation.
SO WHAT ACTIONABLE STEPS CAN BE TAKEN TO PREVENT A CYBER THREAT?
1. PREPARATION IS KEY
Andrew Powell refrained from using buzzwords like ‘frameworks’ and ‘policy documents’ – these are great in principle, perhaps if your business is working towards its next ISO rating, but meaningless to the average employee.
With IoT constantly evolving and BYOD fairly widely employed, frameworks and policies can quickly become outdated and difficult to implement effectively. It is everyone’s responsibility to know what to do when they encounter a cyber-threat, whether it is a simple phishing email or something more sophisticated such as a denial-of-service attack or a network intrusion; employees should be aware of the steps they need to take to prevent the spread of a cyberattack.
Additionally, all employees should be sufficiently trained in basic cyber skills, as well as in how to respond to an event if it were to occur.
2. PERSONAL RESPONSIBILITY
Making sure everyone is accountable is paramount: everyone in the structure of your organisation should be unable to plausibly deny their responsibility for identifying and responding to a cybersecurity incident.
Incorporate training at the grass-roots level. Maersk is a Danish company, and in Danish, safety and security are the same word; Maersk applies the same mindset and importance to cybersecurity as we do to health and safety.
4. THE RESPONSE PHASE
There should be a process of fast-track/immediate actions, triage and the golden hour principle – phrases that are more commonly associated with today’s law enforcement agencies than with the InfoSec community.
Communication is a key part of the response – what happens if your infrastructure is affected? Business telephony systems rely heavily on VoIP; does your business have a contingency plan that still remains secure?
Any company’s response should be multi-faceted – not limited to eradicating the threat, but including the lessons learnt in order to prevent a similar occurrence in the future. Powell talks about employing post-attack solutions such as endpoint detection and response, privileged access management, and a threat intelligence platform.
Cybersecurity should be at the core of everyday business; as such, every employee should be trained in cybersecurity, including what to do in a cybersecurity crisis.