[BreachExchange] Why staging a fake attack is only real thing to keep you secure

Audrey McNeil audrey at riskbasedsecurity.com
Fri Dec 22 14:53:17 EST 2017


https://www.csoonline.com/article/3244255/disaster-
recovery/why-staging-a-fake-attack-is-only-real-thing-to-
keep-you-secure.html

Being a Northern Californian, you can imagine that the Napa County
wildfires in October and November impacted me. Granted that, while I did
not suffer the monetary or psychological loss those directly affected by
this disaster endured, being just 50 miles of the southern tip of the
wildfire for weeks does teach you a thing or two.

For instance, gathering our most “important” stuff, keeping it in an
accessible location for a quick exit, sleeping lightly at night, getting
N95 masks, keeping our dog inside all day…these were some of precautionary
measures I took. And I guarantee you, no mock drill or random alert would
have caused me to act the way I did once our family was under direct threat
from a powerful and unpredictable predator.

The digital enterprises of today (read: all enterprises), could be
threatened any time by similar wildfires…aka cyberattacks. The usual
growing number of culprits – insider threats, phishing, denial of service,
ransomware… There are precautionary measures that most enterprises take to
protect against this – SIEM tools, firewalls, anti-malware, backup,
encryption, etc. But when a real-world attack happens and these porous
defenses are exposed, heads roll. And the same pattern repeats. A new
regime, more tools…

Extending my Napa County wildfire analogy a bit more, what if you were
reallybeing threatened – and you had some advance warning. What would you
do? Imagine you’re a healthcare facility, and had 24 hours before a
ransomware attack was set to encrypt all your patient records, thereby
halting all patient care. What would you do? Or what if you were an energy
company that was going to be hit with a DDoS attack that would last a week,
crippling all your smart energy collection and billing systems? Where would
you run?

The big issue with security prevention these days (and in the past, too) is
that we keep spending more and more to protect against the attack that we
hope never happens.

What if you turn that question on its head? Stage an attack here and now
(and keep it staged with a very small team)? You could start with the “you
have 24 hours before this attack happens” scenario, and see how the teams
react. That day will bring forth all the training (or lack thereof) to
prepare for the attack – asset identification, remediation measures,
notification planning, compliance and legal ramifications, etc.

Or, panic sets in – people running around crazily not knowing what to do.

Either way, you’ll know where you stand.

For the more adventurous, you can make it even more real: stage an attack
without any advance warning. Drives are encrypted and held to ransom,
websites (internal ones, preferably) are defaced, customer records are
stolen, network connectivity is impacted. See how the systems – both human
and digital – respond. And once a semblance of normalcy returns, attack
again.

If you think this is too Draconian, the only other alternative to this is
speculating what you might do when the attack happens. Confirmation bias
would propel us to believe that we are safe (and that our competitors are
not). And like the Napa fires, where I thought I knew where all our
critical assets were – #wrong – laboriously had to start inventorying the
same.

What are our critical assets, how do I bring them together, how long would
it take to grab the bags and run? These are existential questions that I
never asked until – pardon my French – the shit started hitting the fan.

And this is exactly where most enterprises find themselves today…or worse.
Because the fires seem so far away. Acknowledge that you will be hit,
sooner than you imagine. Create a fake event – that looks and feels real to
most of the enterprise – and see how you respond. It will open your eyes.

Then go back and identify the missteps. Did you not know where your
critical assets were? Did you not know whose credentials were going to be
compromised, aka your biggest liabilities? Did you not have a policy to
disclose when and how customer data – if impacted – needs to be disclosed?
Did you know the clauses of a cyber-insurance policy if you had one?

The Napa County fires certainly induced a sense of urgency and alacrity
into our household. Keeping that hygiene and discipline in place is a
challenge, as the threat of the fires recede. Ditto for the enterprise.
Awakening and consistent enforcement is critical. Otherwise we will all get
wiped out.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171222/c62ddb9d/attachment.html>


More information about the BreachExchange mailing list