The nation-state was determined to break into the U.S. oil and gas company’s network, Ben Smith said. And it wouldn’t be denied, even though the company’s security technology seemed impenetrable.
The hackers tried repeatedly to break in, without success. Then they tried something novel: They downloaded a PDF menu from a Chinese restaurant near the company’s offices. “They injected the PDF with malware and put it back,” said Smith, field CTO with security firm RSA. “And then, they waited.”
They would not have to wait long. Sure enough, an employee at the oil and gas firm, hungry for noodles, downloaded the corrupted file and introduced malicious code into the company’s network.
“And that’s how that nation-state got into that environment,” said Smith. “We’re not ready to fight attacks like that. But that’s the world we’re in.”
Speaking at Dell Technologies World 2018 in Las Vegas on May 2, Smith offered guidance on the best ways to avoid and respond to a cyberattack.
1. Keep an Updated Incident Response Plan
Smith said his first question when meeting a new client is to ask whether they have an incident response plan. “Everybody wants to say yes, and most people do say yes, but just because you have a plan doesn’t mean your plan is up to date or is the right plan.” He recalled meeting one CISO who literally dusted his IR plan off before handing it to him.
“If your plan is older than six months, it’s probably out of date,” he said.
Also, it’s a good idea to run through your plan with live drills to see how it might work in action. Finally, keep your plan concise and consider storing it electronically to simplify version control whenever you update it.
2. Align Security Professionals with Business Leaders
When a security incident occurs, your responders need to correctly “read the punch” — or, gauge the severity of the breach. To do that, they need a clear understanding of the business context and criticality of the compromised asset.
“If I’m the analyst, and I have 100 security alerts in my queue, where do I start?” Smith asked. “Wouldn’t it help to know that only three of those alerts relate to a Tier 1 asset?” He argued that in security, “almost everything boils down to asset management. And asset management is not sexy. It’s a drudge because environments are constantly changing.”
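An added example (not code from the talk or from RSA) of the triage Smith describes: the alert queue is enriched from an asset inventory so the analyst sees Tier 1 hits first, and alerts on hosts the inventory does not know about are surfaced as an asset-management gap instead of sinking to the bottom. All hostnames, tiers and alerts are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory (not real hosts): hostname -> (tier, owner). Tier 1 = most critical.
ASSET_INVENTORY: Dict[str, Tuple[int, str]] = {
    "scada-hist-01": (1, "Operations"),
    "erp-db-02": (1, "Finance"),
    "hr-web-03": (2, "HR"),
    "dev-build-07": (3, "Engineering"),
}

@dataclass
class Alert:
    alert_id: str
    host: str
    severity: int  # 1 (highest) .. 5 (lowest), as a SIEM would emit it
    rule: str

def asset_tier(host: str) -> Optional[int]:
    """Tier of an asset, or None when the inventory has no record of it."""
    entry = ASSET_INVENTORY.get(host)
    return entry[0] if entry else None

def triage(alerts: List[Alert]) -> Tuple[List[Alert], List[Alert]]:
    """Return (ordered queue, alerts on hosts missing from the inventory).

    Queue order: Tier 1 assets first, then SIEM severity. Unknown hosts are
    kept separate so the inventory gap gets reviewed rather than letting a
    severity-only sort hide an alert on an asset nobody has classified.
    """
    known = [a for a in alerts if asset_tier(a.host) is not None]
    unknown = [a for a in alerts if asset_tier(a.host) is None]
    known.sort(key=lambda a: (asset_tier(a.host), a.severity, a.alert_id))
    return known, unknown

def tier1_alerts(alerts: List[Alert]) -> List[Alert]:
    """The 'three of 100' view: only alerts that touch a Tier 1 asset."""
    return [a for a in alerts if asset_tier(a.host) == 1]

# Constructed sample queue; note that A-104's host is absent from the inventory.
SAMPLE_ALERTS = [
    Alert("A-100", "dev-build-07", 1, "suspicious powershell"),
    Alert("A-101", "hr-web-03", 2, "web shell indicator"),
    Alert("A-102", "erp-db-02", 3, "unusual login time"),
    Alert("A-103", "scada-hist-01", 2, "new outbound connection"),
    Alert("A-104", "laptop-jsmith", 1, "malicious pdf opened"),
]
```

Run `triage(SAMPLE_ALERTS)` to see the Tier 1 alerts lead the queue even though the highest SIEM severity sits on a Tier 3 build box and on an uninventoried laptop.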
Your security staff will do a better job of avoiding breaches if they’re part of the business decision-making process too. Companies are often more vulnerable to attack during mergers and acquisitions because they’re integrating separate networks, but security professionals are rarely included early in the M&A process, Smith said.
3. Manage Security Teams Effectively
Information security professionals are in high demand, and retaining high-quality people is even harder than hiring them. For companies that have their own security professionals in-house, Smith advised using tactics like job rotation and mentoring to keep them engaged. For example, promising Level 1 analysts can be tasked with shadowing a Level 2 one day a week. More experienced professionals can be given informal leadership roles that acknowledge their value but don’t require a pay bump or actual promotion.
Most smaller businesses don’t have in-house security. For them, Smith recommends partnering with a managed security services provider. “You want to make sure there’s some skills transfer over the life of that engagement,” he said. Companies should have their MSSP walk them through particular solutions they’ve implemented, step by step. “The good MSSPs understand that this is not you being crafty, trying to figure out how not to renew the contract. You’re trying to get smarter, and most MSSPs will be happy to have that conversation.”
4. Understand the Partner-to-Target Vector
Many breaches begin not inside the target’s environment but within the network of a partner or supplier. Smith calls this the partner-to-target vector, and it has been a hallmark of some of the highest-profile incidents in recent years.
The Chinese takeout menu is a perfect example of a corrupt supply chain becoming the source of a breach. The restaurant wasn’t a formal partner of the oil and gas company, of course, but the company’s employees get hungry and the restaurant was in its neighborhood. RSA itself was subjected to an attack by a nation-state about seven years ago; the hackers were interested in defense contractors that RSA does business with.
5. Hunt Proactively for Cybersecurity Threats
Security teams at many organizations spend so much of their time reacting to alerts delivered by their security information and event management (SIEM) software that they become susceptible to alert fatigue.
A security leader at a major bank stunned Smith by acknowledging that his team had become so overwhelmed by the volume of alerts that it had simply turned many of them off. “To his credit, he did say, ‘Now, I know that’s not the right thing to do,’” Smith recalled.
Indeed, it is not. The right thing to do is to properly configure the SIEM system so that it delivers actionable alerts. Better still, hunt proactively for threats instead of just reacting to alerts. Remember, Smith said, once a bad actor enters a network without detection, he or she can remain there for weeks or months.
Companies that are proactive rather than reactive are more likely to reduce that so-called dwell time. But that requires a security team made up of the right kind of tech experts — curious and vigilant people who enjoy solving mysteries.
For more, check out all of BizTech's coverage of Dell Technologies World 2018 here.