Lessons in War
Can Decision Cycles help us maintain the initiative in cyberspace?
As our world gets increasingly complex we must choose the levers we use to influence it with care. One way to look at this is through the lens of decision cycles.
For those not familiar with this concept, decision cycles are the cyclic process through which we perceive a stimulus, understand its implications, decide on a response and implement that decision. (There are a number of models and references). Simplistically, if we can make effective decisions quicker than our opponents, then we will, theoretically, hold the initiative.
The decision cycle lens is a useful one for those responsible for making decisions about cyber related issues as it throws any dangerous policies into harsh relief.
Most businesses work in a world where their policies, and here I’m talking about management intent rather than paperwork, refresh on a 12 month cycle based on standards which tend to refresh on a 5 year cycle. I note many will be smiling ruefully at this optimistic view!
In today’s information environment many of our risks are changing on a much smaller (faster) cycle, measured in days and weeks rather than months. Our operational tempo is defined not just by the speed of change, but by the way that the speed of change is accelerating.
This presents us with an exciting challenge; if we rely on static policy and processes – and many organisations still do – then we must expect our adversaries to outmanoeuvre us, and our risks to out evolve.
Where does this take us? Decision Cycle theory gives us a number of areas where we can hard wire agility into our business systems.
* Firstly, we can ensure that our warning, reporting, alarm and monitoring systems (Technical and Procedural) are tuned to report those events that most concern us.
* Secondly, we can ensure that we fully understand our own vulnerabilities and sensitivities, and the impact that adverse events will have on our operations. We can test and exercise those scenarios that most concern us. We can challenge our own assumptions. This will enable us to understand impacts and qualify outcomes more quickly.
* Thirdly, we do need to understand our own options, their limitations, and review these on a regular basis. This will enable us to make decisions more quickly.
* Finally, we need to ensure that our implementation of these decisions are well planned and where possible, practiced. We must also review effectiveness at every level and make changes that are required at any part of the cycle.
All of this would seem to be common sense… though is often not done in practice. There are many reasons for this, ranging from technical inertia to process stagnation. The important thing is that we acknowledge and track our challenges – then we can mitigate the changing risks.
If we are able to design agility into our business systems and processes, and if we tune our organisations so that we can take a proactive posture, then we can keep the initiative. The simple decision cycle model then gives us an easy way to challenge our posture on a regular basis to establish where and when change is required.
This is not rocket science, but many of us do seem to find it surprisingly hard. This simple model is one way of stepping forward and bringing effect to bear in our defence.
What is Red Team engagement?
By Andrew Linn, Principal Consultant
The news this year has been full of high profile hacks on large organisations. These have included viral and ransomware attacks which have brought associative notoriety to a number of mysterious hacking groups and their victims: Shadow Brokers captured US National Security Agency (NSA) tools in April while The Mr Smith hackers breached HBO’s security in August.
Of course, anyone reading the news knows these were not isolated incidents. Other notable attacks included WannaCry ransomware, various forms of Petya malware and Cloudbleed. With ingenuity, intelligence and malicious intent on their side, hacker groups use their collective skills to exploit any weaknesses in an organisation’s cyber defences. So how can an organisation defend itself from the bad guys? By working with the good guys through Red Team engagement.
To counteract the offensive strategies of gifted hackers, you need equally gifted counter-hackers. Red Teaming is not a penetration test; it is more of a philosophy which involves acting as a potential adversary. The Red Team focuses on the objective of the engagement and examines this from a number of different angles pulling together a plan of attack using a range of different techniques and abilities; testing procedural, social and physical components of security in addition to technical controls. Penetration testing techniques and skills form one aspect of Red Teaming but the service goes well beyond that; to the use of an adversarial mindset to determine strategy and policy making.
In practice, Red Team engagement involves working with ethical, skilled and experienced professionals who act like true hackers, simulating internal and external hacking attempts to test the response on a client’s system. With client permission, the Red Team seeks to break through the hardened perimeter, using the weakest identifiable point, to gain access to the organisation’s system. Using common hacking techniques they seek to gain a foothold; tunnelling traffic back through ports that are commonly open within a business, usually via the web, so they can communicate with their own servers on the outside without being detected. These benign servers are then used to control devices, which have either been placed or hacked, on the inside of the client’s organisation.
In addition to a rigorous examination of the organisation’s security controls, a Red Team engagement will exercise incident detection, response and management. This can be linked to a wider incident simulation process testing procedures and response capability throughout the business.
Opening up an organisation’s entire network and allowing a third party to effectively breach security defences requires a high degree of trust. Experienced, highly qualified Red Teams are few and far between. At SRM our Red Team is comprised of ex-police High Tech Crime Unit officers, qualified ethical hackers and includes holders of the Offensive Security Certified Professionals (OSCP). At SRM OSCP training is part of our ongoing professional development programme.
It’s not a question of if, but when
Why board level commitment is a vital part of cyber defence
It is difficult to defend against an attacker who only needs to succeed once. Security systems might defend an organisation 99 times out of 100 but faced with a relentless campaign which identifies and targets any cracks, it is almost inevitable that at some point, somewhere, the attacker will succeed.
Data and personal information are valuable commodities and their theft is the most common form of cyberattack. Recent high profile hacks have demonstrated the vulnerability of even very large organisations like TalkTalk and the NHS. These prompted the Government in November 2016 to announce a £1.9 billion investment to help UK businesses protect themselves.
Imminent new legislation is also in place to help provide organisations with a robust data protection framework in which to operate. If the hackers are the criminals, these are the laws that the relevant authorities (the Information Commissioner’s Office) enforce. Failure to comply with the new Data Protection Bill and General Data Protection Regulation (GDPR) from May 2018 will result in significantly higher levels of fines. And this has certainly focused the attention of many of the FTSE 350 boards surveyed in the recent Government Cyber Health Check.
The report found that awareness of GDPR is good, with 97 per cent of firms saying they are aware of the new regulation. But levels of readiness vary. 71 per cent said they are ‘somewhat prepared’ to meet the requirements of GDPR but only 6 per cent are confident that they are fully prepared.
This is perhaps not surprising given that only 13 per cent say that GDPR is regularly considered at board meetings. This is dangerous thinking. When it comes to data protection it is simply not reasonable or effective to make it the sole responsibility of the IT department. The same is true of cyber defence. These are board level issues and need to be embedded into the board’s approach.
It is no longer acceptable to simply be reactive; every board should be proactive and include an assessment of the current risk and review any potential security issues on its agenda on a regular basis. A security sub group can effectively manage this vital aspect of the business but it must have board level endorsement and input. The aim should be to implement a company-wide cyber security strategy which is constantly challenged and re-enforced.
Given the fact that the threat landscape is always changing, another essential element of every organisation’s cyber defence should include a strategic plan in the event of breach. To minimise its impact swift remedial action is vital. A strategic plan will help to ensure effective business continuity and protect from loss of income and reputation. This plan may include working with Retained Forensics (PFI) experts. Not only can they assist the board in the implementation of a robust and strategic defence, but if (or when) a breach occurs their detailed knowledge of a company’s systems will ensure business continuity and minimise the damage to finances and reputation.
How a retained PFI can mitigate risks
Government 2017 Cyber Security Health Check reveals many FTSE 350 companies are not prepared
Security by Design.. a little thought can save a great deal of expense!
Security consultants talk about “Security by design” … and to be fair, most of us believe in it! The trouble is that to much of society, it is at best, an intangible aspiration, and at worst… a mindless industry cliche. As a result the benefits are often missed in practice. This is particularly true in many smaller organisations where it is often seen as an expensive luxury.
There is a perception that cyber security is a complex technical issue that is beyond most normal folk. Whilst there are some aspects of Cyber which can be horribly complex, there are also powerful actions that we can all take to make ourselves a harder nut to crack… regardless of our technical ability or our role in society or in organisations.
The key is to acknowledge that we are not alone, and that our actions (or lack of them) influence the way potential attackers behave….and the opportunities open to them. We can make a potential attacker’s job hard or easy just as we can make ourselves appear an attractive target… or make it clear that we are not worth the effort.
This is more than basic cyber hygiene (eg antivirus, passwords and firewalls – these are, I’m afraid, a given) …it is about how we think and how we behave. Specifically, it is how we set ourselves up – as individuals or as organisations.
For example, as individuals…rather than blindly carrying everything around on a laptop, we might decide that particularly sensitive information needs special protection and we might decide to make it less available to an attacker … perhaps we might decide to save it on encrypted drives or keys and lock it up safely with our critical paperwork when we are not using it. In doing so we are applying the common sense and thought processes we use with our tangible belongings – to our intangible ones; our information.
For larger infrastructures, a little thought about structure can give defenders a significant advantage over attackers. We can make sure that access to our systems are controlled and force everyone entering a system to pass through or over areas that are closely monitored. If we are working on particularly sensitive information, we might choose to change the frequency that we test our systems. We can seek to create an environment where we have the upper hand!
This logic isn’t new…Think of medieval spiral staircases which were generally designed to favour a right handed defender..(though I note that in the fortresses of the Kerrs, an Anglo-Scottish Riever family who were reputed to be mainly left handed, the spiral allegedly went the other way! Someone had clearly thought about it!)
If we treat our intangible and invisible information assets in the same way that we treat our physical valuables… then we can make things a lot harder for an attacker.
If we fail to control our own behaviour and our environment then we will undermine even the most effective (and expensive) technology. A little thought and common sense can save a great deal of expense.
Game of Thrones: data theft and pen testing
‘Hi to all mankind’. Thus began the email sent to journalists by hackers who have reportedly stolen 1.5TB of files and videos from entertainment giant HBO. What has made the headlines is the fact that the script for next Sunday’s episode of Game of Thrones has been released. The HBO hackers conclude their email saying that ‘HBO is falling’ and it is perhaps chilling to consider the vulnerability of even the largest and best-protected companies to breach and data theft.
In April Netflix was also compromised and refused to pay a ransom demand. Ten episodes of its series ‘Orange Is the New Black’ were leaked by a hacker group known as TheDarkOverlord. It is not yet clear whether the HBO hackers are seeking a ransom payment. Yet although advance plot lines for a TV series make headline news, there is another important aspect to consider. Namely the sensitive corporate data held by HBO which may now also be in the hands of unprincipled criminals.
HBO confirmed this week that it had experienced a cyber incident ‘which resulted in the compromise of proprietary information’ and that it is examining the breach. Forensic investigation will reveal how the system was breached and enable the company to secure its systems. But assuming that a company the size of HBO has access to the very best cyber defence, what more can they do?
First of all it is worth pointing out that anything to do with Game of Thrones is a huge headline draw. With 8.9 million people reportedly watching the finale of Season 6, hackers will have been particularly motivated to succeed. Yet all organisations which hold data are vulnerable to a greater or lesser extent. Those with a strategic plan which includes regular penetration tests, network security testing and vulnerability assessments are, however, better placed because they have created inbuilt responsiveness.
Expert pen testers put themselves into the mind of potential attackers, exploring and exploiting all opportunities. As systems become more complex, the ‘attack surface’ continues to grow and the potential number of ways a hacker gains access is ever expanding, making this technique increasingly valuable.
As an additional precaution, organisations should defend their systems by assuming that they have already been breached and that a hacker lurks quietly within. If information is encrypted and secured with high difficulty passwords regularly updated, hackers may just prefer to concentrate their efforts on easier prey. When it came to the fate of the Seven Kingdoms, perhaps the hackers felt the effort was worth it, but, like Jon Snow, let’s make their lives as difficult as possible.
SRM can advise on all aspects of Information Security Testing as well as providing a full range of consultancy services.
Information Security Testing & Compliance