In our recent Fireside chat episode, we had a very well known author and cybersecurity professional, Dan Lohrmann, presently the CSO and Chief Strategist at Security Mentor Inc, and Bikash Barai, Co-Founder FireCompass discuss a bunch of things on how to effectively run a cyber crisis drill with the US Government and tabletops for enterprise board members. Below is a summary of the discussion for your reference.
A Real-Life Crisis Example
Dan Lohrmann spoke about The NorthEast blackout of 2003, when even though the US government was prepared for Y2K, and yet 3 years later there was a power blackout in Michigan. While the govt thought it was another terrorist attack, and everyone thought it was a hacker attack but turned out it was not.
The point to note here was, no amount of preparation can really set you up for what is to come, and no situation will be a replica of each other. While the teams had prepared for Y2K. this blackout was still a different scenario.
Dan also mentioned that “security needs to be enabling, security folks need to come up with solutions and not just the problems”.
An Exert From A Large Scale Cyber Crisis Drill
With about two decades of experience in working with the US government, Dan had some very interesting stories about cybersecurity drills to share with us.
The US government conducts an exercise called the Cyber storm that happens every two years. Currently, the government is on the 7th cyber storm and it is a week-long exercise.
Talking about the 1st Cyber Storm that happened in 2006. Dan mentions a scenario like what was shown in Die Hard 4, a catastrophic environment. A 9/11 kind of scenario was created, which was made up and yet real. Some of the biggest things were considered blown up, like the data center and most other things were hacked for over two days. The security team was overwhelmed and done by the end of it.
However, after two days, they were told to train the team. They had to get a bull mainframe, a general comprehensive operating system. This was necessary to pay the employees. The two bull mainframes that the team had were unusable.
When they contacted the bull headquarters in France to get a bull mainframe. The real cost of $12Million was hiked to $45 Million, considering it was the last piece that was in demand. The team managed to get it in $23Million after negotiation.
Before ending the exercise the last step is to have a “Hotwash”, where everyone discusses what went wrong, how the responses could have been better, and how in the future one can avoid these scenarios.
A fact pointed out during this time by a very well-known security professional was that the amount paid for the bull mainframe felt like extortion and as if you are held for a ransom. And in 2003 ransomware was farfetched, but today it’s a reality. It’s the number one story in cyber threats, while it gathered momentum in 2013 or 2014, by 2019 it became the biggest threat. And last year the attacks doubled.
Dan mentions “The point to consider here is one can’t predict today what’s going to happen in cybersecurity 5years from now. Coz the bad guys are constantly trying to infiltrate the networks. They are constantly trying new ways to make money”
Conducting Table Tops For Enterprise Board Members
Here are some of the points discussed by Dan about conducting tabletops for enterprise board members.
- The board members as a part of the exercise, because the leaders need to know what happens when there is a data breach or a ransomware attack.
- You need to have leaders from legal and finance and of course the CIOs and CISOs on board. Also, experts in different business areas, because you do know which area would be hit. For example, if a hospital is hit, the response will be different from a bank. So the leaders from different sectors need to be involved in a government drill.
- Next, we go to CSRC ( computer security resource center), to ask the experts what would be the role of each team during the exercise. For Example, what the legal team will be doing or the tech team will be doing when such a situation arises. Questions such as “should the ransom be paid?” can be asked too.
Bikash mentioned that while driving a similar drill with an organization, something similar was conducted. Like deciding what each department should be doing at a time like this. For example, the PR and media team should be drafting responses.
The idea is to convert this into action items for each team. And the exercise can be broken into two parts. Where on the 1st day, people will get to know what they are supposed to do, and then the next time action items can be made.
To this Dan mentioned that most people who are coming to this drill need to be prepared in advance, they need to come with a plan. If a tabletop is stretched for too long, the continuity is lost. The role of cyber insurance agencies is important too when an attack scenario is pictured.
In one of the ransomware attacks that happened to a non-profit organization in Michigan, their data was encrypted, and they had not done a good job of taking it back up either. So their backups were encrypted too. Even though they had cyber insurance, they did not wish to pay. But the insurance company said it’s the company's decision but they could talk to the bad guys to bring the ransomware amount down and they did bring it to $1.2Mil from $5Mil. And if they had not paid the ransom they would need about $8Mil to restore all their data.
As a takeaway Bikash says “ I would like to say that when you do these exercises in one go you expect people to come prepared. And in my experience when people don’t know what to come prepared with, you do need a second round to make action items”.
Things Absolutely Important For Tabletops
Dan put down these points that are very important for conducting tabletops -
- Prepare people in advance with a scenario before it hits them - like study real-life attacks that happened in the same industry.
- Let people know of their role in managing the crisis.
- Throw some curveballs at the people who are participating, for example, you select a few people and remove them from the exercise and ask them to be spectators. This is only to create a scenario, where you assume that few very critical people are not present in the scene during the attack, and in that case how the situation is handled.
- A lot of people get through the exercise and then feel they are done for a year. But there needs to be an action item for everyone.
- Ask people for feedback in the end.
- And make sure people are attentive when the tabletops are going on.
Bikash recalls “ I remember one of my failure cases. Where few stakeholders entered the room about half an hour late and missed the complete context and the setting. So during the session, they mentioned that they can revive everything from the backup and we threw this curveball that the backup is encrypted too. This created a lot of confusion in the room. So I completely agree with what you mentioned about people needing to be on time and attentive when such exercises are on”.
Dan adds “You want to always grow, the exercise should have goals and outcomes. But what is most important is, every time you do these exercises, the people are different so the nature of the exercise changes. Each time the participants are different and their nature of response would be different.”
Predictions for 2021 - Trends
Some of the cybersecurity trends discussed by Dan and Bikash for 2021 were -
- Ransomware will evolve and change, we have already seen too many of these threats in the last year. The prediction is: it will only grow this year.
- With work from home becoming more and more common, multiple risks and threats are getting introduced. A lot of vendors are saying that your home network is a headquarter for hackers.
- Cloud adoption is on the rise, so cloud security is becoming more and more important.
Bikash mentions that “ The attack surface has changed so much for organizations. People today don’t know all the assets they have or their complete attack surface. And it is continuously changing. Even the home routers, and people who are working from home, are all now part of the extended attack surface. And teams are creating new cloud assets and no one keeps a track of that. And the cloud is something that scales everything, it can scale security and it can also scale insecurity.
While I am a big believer in the cloud and I believe cloud, in the long run, will be more fruitful if it is utilized correctly. But what is scary at this point is that people are still not doing their cloud configuration correctly and there are about half a million open databases on the cloud currently.
I also want to emphasize response and recovery plans for organizations, coz it’s not always about protection. If an attack happens one needs to recover too.”
To conclude they agreed that the industry is slowly moving towards consolidation, with zero trusts and cloud.