CYBER SECURITY INSIDER – EBOOK 1/3
How one company’s
sensitive data was
breached and what
they did next
The chaos of a corporate attack
Cyber security in real life
The purpose of this eBook is not to scare you
You already know how frequent and public
cyber security incidents are becoming. You
already know how far-reaching and long
lasting their impact can be on a company’s
reputation and customers. And you already
know that the bulk of the blame ultimately
falls on a company’s management.
What you (hopefully) don’t know is what a
cyber security incident looks like from the
inside – how it happens, how much it distracts
C-level leaders and how companies get
affected internally.
More important, if you’re like most C-level
leaders, you don’t know how best to respond
to a major cyber security incident – how to
deal with a distracted business, how to deal
with the reputation damage or how to deploy
a coherent crisis management plan.
Over the course of this Cyber Security
Insider series, we’ll show you how CISOs are
protecting their organizations, as well as the
best practices you can and should be applying.
The purpose of this eBook is to tell you about
a specific case where an attacker breached
a company’s infrastructure and extracted
sensitive data, despite their existing security
measures. In it you’ll learn how the breach
happened, and how the company reacted to
resolve the incident.
You’ll see how these sorts of incidents play out
and how companies should – and shouldn’t –
react to them.
Let’s dive in.
The commoditization of advanced threats
Advanced persistent threats (APTs) are
usually associated with well-resourced, highly
organized attackers like nation states.
The trouble is, once these tactics are used in
state-sponsored attacks, the techniques and
procedures employed quickly become publicly
known. Which means cyber criminals with
fewer resources can start to use them too.
For instance, we’ve seen cyber criminals utilize
APT-style attacks that deploy sophisticated
crypto-ransomware inside businesses without
traditional mass-infection vectors like phishing
and exploit kits.
Put simply: cyber criminals are constantly
evolving to become more organized.
And the ecosystems they rely on to buy
tools and tactics are only becoming more
commoditized. So corporate defensive
perimeters are increasingly susceptible to
even the most common tactics.
We only bring this up to remind you that
while the methods attackers use to breach
companies may be highly sophisticated,
they’re also unfortunately common.
A fact that was all too clear in the case
of Corp X (not their real name).
The
breach
In the autumn of 2015, Corp X, a large service
provider listed on several international stock
exchanges, with major financial institutions
as customers, discovered a breach in their
company network.
Having initially discovered the data leak,
Corp X’s IT department began investigating
what sort of data was being leaked, who was
leaking it and how they were doing it.
But since they’d never performed a forensic
investigation of this magnitude before, the
team had access to a very limited skill-set,
few investigative tools and practically no
threat intelligence information.
So after a few weeks of probing and getting
nowhere, they reached out to us and our
team of white-hat security experts.
(We only mention this to explain
when we got involved.)
By this point, Corp X had collected evidence
that data had been extracted from their
network and sent to an unknown Chinese
IP address.
Given this evidence, the first big question
was about where the leak came from:
Was it an internal actor (an employee,
contractor, affiliate or member of the supply
chain)? Or had an external party gained access
to the company’s internal network?
OPEN SOURCE INTELLIGENCE
Even without publicly available sources,
attackers use ‘social engineering’
(such as calling individuals in the target
company to gather information) to get
the information they need.
After careful forensic analysis, it became
clear this was the work of an outsider.
Next, a closer examination of the timeline
of events indicated that the attacker selected
Corp X as a target some time prior to the
attack. In fact, they had planned their
attack strategy based on information
gathered during an early research and
reconnaissance phase.
With a wealth of public information available,
including the company’s own web pages,
social media, partner and affiliate sites,
and contractor sites, the attacker developed
a detailed picture of Corp X.
Once the attacker had the right information,
he designed an attack that hit a specific set
of employees and targeted a weak spot in the
organization’s infrastructure.
Specifically, he crafted a social engineering
campaign that targeted Corp X’s CFO and
direct reports with an elegantly worded
email directing the recipients to a
compromised website.
Someone in the group took the bait.
And that’s when the initial breach occurred.
The email
We took a look at the email ourselves, and
nothing about it looked suspicious. Like the
site it linked to, the content of the mail related
directly to the group’s responsibilities.
This was no ordinary phishing campaign.
It wasn’t a badly written email sent en masse
hoping for gullible victims.
This type of attack, commonly known
as spear-phishing, relies on a carefully
handcrafted, well-researched, plausible
message directed at a small group of people
with a common, focused set of interests.
They’re incredibly easy to miss.
In fact, one of the targeted employees
became suspicious and sent their own
copy of the mail to Corp X’s IT department.
Unfortunately, with little threat intelligence
to guide them, they performed their own
investigation and concluded that nothing
untoward was going on.
The email was designed to direct the victim
to a legitimate, non-malicious site. However,
the attacker had compromised the site at an
earlier time and inserted a specially crafted
ad-banner into it. This ad-banner functioned
non-maliciously for every visitor except for
the group of victims in question.
For them, it delivered a malicious payload –
specifically designed to evade the anti-virus
software on that system – onto the targeted
victim’s computer.
‘Living off the land’
Once the payload was successfully executed
on the victim’s computer, the attacker gained
access to Corp X’s internal network. From
this point on, he moved laterally onto the
CFO’s system, and from there, further into the
organization’s network with stolen credentials
from their Active Directory.
Once a foothold had been secured, he
covered his tracks by deleting all evidence
of the initial breach. By impersonating
employees, the infiltrator was able to
operate undetected inside Corp X’s internal
network, a state commonly known as ‘living
off the land’.
During this period, he was able to spy on
employees and accumulate critical data that
he would then upload to his own systems. It
was during one of these uploads that the IT
department at Corp X first flagged the activity.
Further forensic analysis revealed the full
extent of the attacker’s theft – 7GB of data
had been stolen.
And the intruder had complete access to
Corp X’s network and data for close to nine
months before he was finally caught.
The importance of
proactive cyber security
Corp X caught a lucky break in noticing
the data leak when they did. The upload
was being executed during office hours,
late in the afternoon, and on a busy
workday. Had its IT staff been putting
out fires or performing other critical
tasks at the time – as was the case with
all the other uploads the intruder got
away with – they probably wouldn’t even
have noticed it happening.
The
aftermath
At this point, Corp X knew how the intruder
gained access, how long he’d remained
undetected, how much sensitive data
he’d collected and how he was exfiltrating
that data.
Now it was time to respond. And it wasn’t
going to be easy.
Once they’d determined the scope of the
crisis, Corp X began setting up an incident
response process.
This involved:
- Taking potentially breached systems offline
- Freezing compromised accounts
- Setting up network access restrictions
As the forensic investigations progressed,
it became clear just how much data had been
exfiltrated from Corp X. So a major incident
management process was initiated.
It was at this point that Corp X’s leadership
team was first informed about what had
happened – how a major data breach had
occurred and that private customer data had
been stolen by a then unknown third party.
The next decision made was to inform
stakeholders and – due to the nature of the
data leak and Corp X’s client base – financial
supervisory authorities. So during the weeks
that followed, Corp X’s leadership team would
have to give the incident their full attention.
Next, contingency and recovery plans
were drawn up, the legal department was
brought in and briefed, and stakeholder
communications and official company
statements were drafted. Soon after, the first
customer communications were sent out.
The floodgates open
As you’d imagine, Corp X received a deluge
of client demands. Key account managers and
service representatives were hammered with
questions from unnerved customers.
After breaches like this one, everyone’s focus
shifts. The single most important thing at this
point is to make sure you communicate the
right things and understand the best way to
communicate them.
‘What happened?’
‘How did it happen?’
‘When did it happen?’
‘Why did it happen?’
‘How does it affect me?’
‘How are you going to fix the situation?’
‘When are you going to fix the situation?’
‘Are there any legal implications?’
Everyone’s overworked
The legal department, communications
department, incident response team and
leadership team all worked themselves into
the ground trying to feed the appropriate
answers to all these questions.
In fact, it was only months later that the
panic slowly began to subside at Corp X.
Clear communications were sent to
customers, legal processes were understood
and initiated, forensics were completed, and
systems were slowly recovered to normal.
Employees that had been fully focused on
reacting to the incident were able to get back
to their normal jobs. Those affected by the
incident response measures could, once again,
get back to work.
The importance of a clear plan for crisis management
During a major incident like this one,
the more facts about the severity of the
situation come to light, the more panic
starts to set in. Multiple departments get
tied up, employees and leaders have to stop
thinking about their day-to-day business
and customers get increasingly irate.
Often, critical systems and services need to
be shut down, leaving some staff without
the tools they need to work. Everyone
involved is usually fatigued and stressed.
It’s during these moments that you realize
how important it is to have a clear plan for
crisis management.
Think about it: every company conducts
infrequent fire drills. They’re important
because they make sure everyone knows
how to react in the event of an actual fire
– before the fire happens.
But when it comes to cyber security, most
companies have no clue what they should
do when something goes wrong. By
defining a clear plan for crisis management
and then rehearsing that plan, you ensure
everyone – from the top down – knows
what they need to do to ensure safety and
get back to work as soon as possible.
That might sound paranoid, but what’s
more likely to happen, a fire or a breach?
The fallout
It took over six months to get from the
moment the breach was first noticed to the
moment its impact was fully understood.
Unfortunately, the story didn’t end there.
Corp X suffered substantial losses from this
incident. Some of them are easily quantifiable:
business and productivity losses during the
escalation period, closed customer accounts,
incident response costs and up-front legal
fees were all fairly easy to calculate.
But the long-term reputational repercussions
are a whole lot harder to measure. In fact,
Corp X is still involved with ongoing legal
proceedings.
The data that was stolen is still in the hands
of the thieves, and it remains to be seen
whether any of it will be leaked to the public,
or used against the company in some other
way (it’s not uncommon for companies to
be held to ransom).
Even a full six months after the intrusion was
discovered, Corp X still has a massive mess
to clean up.
Moving forward
During the weeks and months that followed,
Corp X performed a full risk assessment
analysis and put major plans in place to
improve their security.
These plans included implementing additional
hardening of infrastructure, deployment of
new security awareness measures, executing
security culture improvements in the
company, and drafting up recovery plans
for future incidents.
[Figure: The timeline of Corp X’s attack. Y axis: Stakeholder focus/Demand on resources. X axis: Time.]
Events shown on the timeline (numbered 1 to 21 in the figure):
- IT discovers the anomaly
- The threat is escalated to Security Monitoring and Incident Management (MIM)
- Internal stakeholders are notified
- Clients begin demanding an explanation
- The CMT briefs affected business units
- The Incident Response Team (IRT) gets involved
- The Financial Services Authority (FSA) demands information
- The National Data Privacy Ombudsman demands information
- The comms teams start preparing statements
- An external PR company is brought in
- The 1st forensics report reveals the breach is larger than expected
- The issue is escalated to the management team
- The CEO starts preparing a statement
- Corp X freezes certain processes
- The CMT isolates a suspected system
- Corp X reports to the FSA
- Closed accounts start to hinder internal operations
- A major security improvement program is initiated
- Two risk assessments are conducted
- Corp X starts scoping its new security program
- The IRT, MIM and CMT are organized
Five big lessons from Corp X’s experience
No two companies are identical. But there are a lot of lessons
to be learned from breaches like Corp X’s
Here are five big ones:
1. Static defenses aren’t enough.
No matter how many static defenses you
put in place, a persistent attacker can always
breach your perimeter. This isn’t to say your
investments in things like endpoint protection,
anti-virus and anti-malware software
aren’t necessary.
They absolutely are. They just can’t be the
only protection you count on.
A bulletproof vest is necessary – it just
doesn’t make you invincible.
2. When it comes to breaches,
speed is of the essence.
Since you can’t stop every perimeter breach,
your focus needs to be improving the speed
with which you react to issues.
If Corp X had caught their breach within
minutes or hours (rather than months) the
intruder wouldn’t have had nearly enough
time to acquire the data he needed.
Speed’s also about making sure you plug
similar holes before an intruder tries again.
3. Define a contingency plan
for cyber attacks.
Nobody ever has a clear contingency plan
for cyber attacks. As we mentioned earlier,
without a plan, you wouldn’t know what the
consequences of shutting down network
connections, freezing user accounts, and
taking critical resources offline are.
A coherent plan accounts for worst-case
scenarios before they happen so you’re ready
to act in case they ever do.
4. Investigations start
with great forensics.
Intruders will always try to cover their tracks
and hide where they’ve been, what they’ve
had access to, and what they’ve done. Being
able to trace an incident back to its starting
point is the only way to fully understand what
happened, what needs doing and which next
steps to take.
As Corp X’s IT team found out, without the
right forensic methods and tools, their hands
were tied.
5. Cyber security is all about
threat intelligence.
Unless you have access to threat intelligence
data – samples, indicators of compromise,
and an extensive knowledge of the tactics,
techniques and procedures (TTP) used by
attackers – you can’t know how to react.
But it isn’t just about the data – it’s about
having the human expertise to use that data.
Getting cyber security right
Needless to say, this isn’t the kind of learning
experience anyone at Corp X wants to repeat.
But here’s the thing: nothing that happened
to Corp X can be considered out of the
ordinary. Attacks like this happen all the time.
And they don’t use any particularly advanced
techniques or technologies. The attacker just
needs to be patient and persistent. If the first
group of victims hadn’t taken the bait, another
group would’ve.
What’s far less common is for these kinds of
breaches to even get noticed.
As we mentioned, Corp X was lucky to spot
what they did. And if they were like most other
companies, they’d have had to wait for an
external party like law enforcement to alert
them to any suspicious activity.
It’s also worth noting that Corp X wasn’t a
particularly exciting target from an attacker’s
perspective. A lot of companies think they
aren’t interesting enough to be targeted. But
the reality is that even the most ‘ordinary’
businesses are viable targets.
(Again, we don’t bring any
of this up to scare you.)
But the more we talk to companies about
their breaches, the more we notice the
same patterns.
The C-level invariably admits they treated
cyber security like little more than an
insurance policy. They’re always surprised
the attack happened. They’re always the first
to concede their risk management strategy
wasn’t good enough. And they always wonder
what could have been.
We hope learning about what Corp X got right
(and wrong) helps you figure out what your
company needs to get cyber security right.
This is too important to ignore. And too many
corporate leaders are flying blind.
We’re F-Secure
And we’ve been a part of the security industry
for over 25 years. It’s why we’ve become a
trusted advisor to both industries and EU law
enforcement agencies across Europe.
In fact, we’ve been involved in more European
crime scene investigations than any other
company on the market.
Our Cyber Security Services help companies
react faster, learn more and respond more
intelligently to threats and breaches of all
sizes. So if you’re one of the smart ones and
you’re getting serious about cyber security,
we should talk.
Next in the cyber
security insider series
In the second part of the Cyber Security
Insider series, we’ll take a look at what
CISOs in Europe are doing in order to
prepare their companies to handle
the type of advanced threats we’ve
talked about.

WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park %in ivory park+277-882-255-28 abortion pills for sale in ivory park
%in ivory park+277-882-255-28 abortion pills for sale in ivory park
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 

The chaos of a corporate attack

  • 1. CYBER SECURITY INSIDER – EBOOK 1/3: The chaos of a corporate attack. How one company’s sensitive data was breached and what they did next
  • 2. Cyber security in real life
  • 4. You already know how frequent and public cyber security incidents are becoming. You already know how far-reaching and long-lasting their impact can be on a company’s reputation and customers. And you already know that the bulk of the blame ultimately falls on a company’s management. What you (hopefully) don’t know is what a cyber security incident looks like from the inside – how it happens, how much it distracts C-level leaders and how companies get affected internally. More important, if you’re like most C-level leaders, you don’t know how best to respond to a major cyber security incident – how to deal with a distracted business, how to deal with the reputation damage or how to deploy a coherent crisis management plan. Over the course of this Cyber Security Insider series, we’ll show you how CISOs are protecting their organizations, as well as the best practices you can and should be applying. The purpose of this eBook is to tell you about a specific case where an attacker breached a company’s infrastructure and extracted sensitive data, despite their existing security measures. In it you’ll learn how the breach happened, and how the company reacted to resolve the incident. You’ll see how these sorts of incidents play out and how companies should – and shouldn’t – react to them. Let’s dive in.
  • 6. The commoditization of advanced threats: Advanced persistent threats (APTs) are usually associated with well-resourced, highly organized attackers like nation states. The trouble is, once these tactics are used in state-sponsored attacks, the techniques and procedures employed quickly become publicly known. Which means cyber criminals with fewer resources can start to use them too. For instance, we’ve seen cyber criminals utilize APT-style attacks that deploy sophisticated crypto-ransomware inside businesses without traditional mass-infection vectors like phishing and exploit kits. Put simply: cyber criminals are constantly evolving to become more organized. And the ecosystems they rely on to buy tools and tactics are only becoming more commoditized. So corporate defensive perimeters are increasingly susceptible to even the most common tactics. We only bring this up to remind you that while the methods attackers use to breach companies may be highly sophisticated, they’re also unfortunately common. A fact that was all too clear in the case of Corp X (not their real name).
  • 7. The breach
  • 8. In the autumn of 2015, Corp X, a large service provider listed on several international stock exchanges, with major financial institutions as customers, discovered a breach in their company network. Having initially discovered the data leak, Corp X’s IT department began investigating what sort of data was being leaked, who was leaking it and how they were doing it. But since they’d never performed a forensic investigation of this magnitude before, the team had access to a very limited skill set, few investigative tools and practically no threat intelligence information. So after a few weeks of probing and getting nowhere, they reached out to us and our team of white-hat security experts. (We only mention this to explain when we got involved.) By this point, Corp X had collected evidence that data had been extracted from their network and sent to an unknown Chinese IP address. Given this evidence, the first big question was about where the leak came from: Was it an internal actor (an employee, contractor, affiliate or member of the supply chain)? Or had an external party gained access to the company’s internal network?
  • 9. Open source intelligence: Even without publicly available sources, attackers use ‘social engineering’ (such as calling individuals in the target company to gather information) to get the information they need. After careful forensic analysis, it became clear this was the work of an outsider. Next, a closer examination of the timeline of events indicated that the attacker selected Corp X as a target some time prior to the attack. In fact, they had planned their attack strategy based on information gathered during an early research and reconnaissance phase. With a wealth of public information available, including the company’s own web pages, social media, partner and affiliate sites, and contractor sites, the attacker developed a detailed picture of Corp X. Once the attacker had the right information, he designed an attack that hit a specific set of employees and targeted a weak spot in the organization’s infrastructure. Specifically, he crafted a social engineering campaign that targeted Corp X’s CFO and direct reports with an elegantly worded email directing the recipients to a compromised website. Someone in the group took the bait. And that’s when the initial breach occurred.
  • 10. The email: We took a look at the email ourselves, and nothing about it looked suspicious. Like the site it linked to, the content of the mail related directly to the group’s responsibilities. This was no ordinary phishing campaign. It wasn’t a badly written email sent en masse hoping for gullible victims. This type of attack, commonly known as spear-phishing, relies on a carefully handcrafted, well-researched, plausible message directed at a small group of people with a common, focused set of interests. They’re incredibly easy to miss. In fact, one of the targeted employees became suspicious and sent their own copy of the mail to Corp X’s IT department. Unfortunately, with little threat intelligence to guide them, they performed their own investigation and concluded that nothing untoward was going on. The email was designed to direct the victim to a legitimate, non-malicious site. However, the attacker had compromised the site at an earlier time and inserted a specially crafted ad-banner into it. This ad-banner functioned non-maliciously for every visitor except for the group of victims in question. For them, it delivered a malicious payload – specifically designed to evade that system’s anti-virus system – onto the targeted victim’s computer.
  • 11. ‘Living off the land’: Once the payload was successfully executed on the victim’s computer, the attacker gained access to Corp X’s internal network. From this point on, he moved laterally onto the CFO’s system, and from there, further into the organization’s network with stolen credentials from their Active Directory. Once a foothold had been secured, he covered his tracks by deleting all evidence of the initial breach. By impersonating employees, the infiltrator was able to operate undetected inside Corp X’s internal network, a state commonly known as ‘living off the land’. During this period, he was able to spy on employees and accumulate critical data that he would then upload to his own systems. It was during one of these uploads that the IT department at Corp X first flagged the activity. Further forensic analysis revealed the full extent of the attacker’s theft – 7GB of data had been stolen. And the intruder had complete access to Corp X’s network and data for close to nine months before he was finally caught. The importance of proactive cyber security: Corp X caught a lucky break in noticing the data leak when they did. The upload was being executed during office hours, late in the afternoon, and on a busy workday. Had its IT staff been putting out fires or performing other critical tasks at the time – as was the case with all the other uploads the intruder got away with – they probably wouldn’t even have noticed it happening.
  • 12. The aftermath
  • 13. At this point, Corp X knew how the intruder gained access, how long he’d remained undetected, how much sensitive data he’d collected and how he was exfiltrating that data. Now it was time to respond. And it wasn’t going to be easy. Once they’d determined the scope of the crisis, Corp X began setting up an incident response process. This involved taking potentially breached systems offline, freezing compromised accounts and setting up network access restrictions. As the forensic investigations progressed, it became clear just how much data had been exfiltrated from Corp X. So a major incident management process was initiated. It was at this point that Corp X’s leadership team was first informed about what had happened – how a major data breach had occurred and that private customer data had been stolen by a then unknown third party. The next decision made was to inform stakeholders and – due to the nature of the data leak and Corp X’s client base – financial supervisory authorities. So during the weeks that followed, Corp X’s leadership team would have to give the incident their full attention. Next, contingency and recovery plans were drawn up, the legal department was brought in and briefed, and stakeholder communications and official company statements were drafted. Soon after, the first customer communications were sent out.
  • 14. The floodgates open: As you’d imagine, Corp X received a deluge of client demands. Key account managers and service representatives were hammered with questions from unnerved customers: ‘What happened?’ ‘How did it happen?’ ‘When did it happen?’ ‘Why did it happen?’ ‘How does it affect me?’ ‘How are you going to fix the situation?’ ‘When are you going to fix the situation?’ ‘Are there any legal implications?’ After breaches like this one, everyone’s focus shifts. The single most important thing at this point is to make sure you communicate the right things and understand the best way to communicate them.
  • 15. Everyone’s overworked: The legal department, communications department, incident response team and leadership team all worked themselves into the ground trying to feed the appropriate answers to all these questions. In fact, it was only months later that the panic slowly began to subside at Corp X. Clear communications were sent to customers, legal processes were understood and initiated, forensics were completed, and systems were slowly recovered to normal. Employees who had been fully focused on reacting to the incident were able to get back to their normal jobs. Those affected by the incident response measures could, once again, get back to work. The importance of a clear plan for crisis management: During a major incident like this one, the more facts about the severity of the situation come to light, the more panic starts to set in. Multiple departments get tied up, employees and leaders have to stop thinking about their day-to-day business and customers get increasingly irate. Often, critical systems and services need to be shut down, leaving some staff without the tools they need to work. Everyone involved is usually fatigued and stressed. It’s during these moments that you realize how important it is to have a clear plan for crisis management. Think about it: every company conducts infrequent fire drills. They’re important because they make sure everyone knows how to react in the event of an actual fire – before the fire happens. But when it comes to cyber security, most companies have no clue what they should do when something goes wrong. By defining a clear plan for crisis management and then rehearsing that plan, you ensure everyone – from the top down – knows what they need to do to ensure safety and get back to work as soon as possible. That might sound paranoid, but what’s more likely to happen, a fire or a breach?
  • 16. The fallout: It took over six months to get from the moment the breach was first noticed to the moment its impact was fully understood. Unfortunately, the story didn’t end there. Corp X suffered substantial losses from this incident. Some of them are easily quantifiable: business and productivity losses during the escalation period, closed customer accounts, incident response costs and up-front legal fees were all fairly easy to calculate. But the long-term reputational repercussions are a whole lot harder to measure. In fact, Corp X is still involved with ongoing legal proceedings. The data that was stolen is still in the hands of the thieves, and it remains to be seen whether any of it will be leaked to the public, or used against the company in some other way (it’s not uncommon for companies to be held to ransom). Even a full six months after the intrusion was discovered, Corp X still has a massive mess to clean up. Moving forward: During the weeks and months that followed, Corp X performed a full risk assessment analysis and put major plans in place to improve their security. These plans included implementing additional hardening of infrastructure, deployment of new security awareness measures, executing security culture improvements in the company, and drafting up recovery plans for future incidents.
  • 17. Figure: The timeline of Corp X’s attack. Y axis: stakeholder focus/demand on resources. X axis: time. Events marked on the timeline (numbered 1 to 21 in the figure), in the order they appear in this transcript: IT discovers the anomaly; The threat is escalated to Security Monitoring and Incident Management (MIM); Internal stakeholders are notified; Clients begin demanding an explanation; The CMT briefs affected business units; The Incident Response Team (IRT) gets involved; The Financial Services Authority (FSA) demands information; The National Data Privacy Ombudsman demands information; The comms teams start preparing statements; An external PR company is brought in; The 1st forensics report reveals the breach is larger than expected; The issue is escalated to the management team; The CEO starts preparing a statement; Corp X freezes certain processes; The CMT isolates a suspected system; Corp X reports to the FSA; Closed accounts start to hinder internal operations; A major security improvement program is initiated; Two risk assessments are conducted; Corp X starts scoping its new security program; The IRT, MIM and CMT are organized.
  • 18. Five big lessons from Corp X’s experience
  • 20. Here are five big ones: 1. Static defenses aren’t enough. No matter how many static defenses you put in place, a persistent attacker can always breach your perimeter. This isn’t to say your investments in things like endpoint protection, anti-virus and anti-malware software aren’t necessary. They absolutely are. They just can’t be the only protection you count on. A bulletproof vest is necessary – it just doesn’t make you invincible. 2. When it comes to breaches, speed is of the essence. Since you can’t stop every perimeter breach, your focus needs to be improving the speed with which you react to issues. If Corp X had caught their breach within minutes or hours (rather than months) the intruder wouldn’t have had nearly enough time to acquire the data he needed. Speed’s also about making sure you plug similar holes before an intruder tries again. 3. Define a contingency plan for cyber attacks. Nobody ever has a clear contingency plan for cyber attacks. As we mentioned earlier, without a plan, you wouldn’t know what the consequences of shutting down network connections, freezing user accounts, and taking critical resources offline are. A coherent plan accounts for worst-case scenarios before they happen so you’re ready to act in case they ever do.
  • 21. 4. Investigations start with great forensics. Intruders will always try to cover their tracks and hide where they’ve been, what they’ve had access to, and what they’ve done. Being able to trace an incident back to its starting point is the only way to fully understand what happened, what needs doing and which next steps to take. As Corp X’s IT team found out, without the right forensic methods and tools, their hands were tied. 5. Cyber security is all about threat intelligence. Unless you have access to threat intelligence data – samples, indicators of compromise, and an extensive knowledge of the tactics, techniques and procedures (TTP) used by attackers – you can’t know how to react. But it isn’t just about the data – it’s about having the human expertise to use that data.
  • 22. Getting cyber security right
  • 23. Needless to say, this isn’t the kind of learning experience anyone at Corp X wants to repeat. But here’s the thing: nothing that happened to Corp X can be considered out of the ordinary. Attacks like this happen all the time. And they don’t use any particularly advanced techniques or technologies. The attacker just needs to be patient and persistent. If the first group of victims hadn’t taken the bait, another group would’ve. What’s far less common is for these kinds of breaches to even get noticed. As we mentioned, Corp X was lucky to spot what they did. And if they were like most other companies, they’d have had to wait for an external party like law enforcement to alert them to any suspicious activity. It’s also worth noting that Corp X wasn’t a particularly exciting target from an attacker’s perspective. A lot of companies think they aren’t interesting enough to be targeted. But the reality is that even the most ‘ordinary’ businesses are viable targets. (Again, we don’t bring any of this up to scare you.) But the more we talk to companies about their breaches, the more we notice the same patterns. The C-level invariably admits they treated cyber security like little more than an insurance policy. They’re always surprised the attack happened. They’re always the first to concede their risk management strategy wasn’t good enough. And they always wonder what could have been. We hope learning about what Corp X got right (and wrong) helps you figure out what your company needs to get cyber security right. This is too important to ignore. And too many corporate leaders are flying blind.
  • 24. We’re F-Secure. And we’ve been a part of the security industry for over 25 years. It’s why we’ve become a trusted advisor to both industries and EU law enforcement agencies across Europe. In fact, we’ve been involved in more European crime scene investigations than any other company on the market. Our Cyber Security Services help companies react faster, learn more and respond more intelligently to threats and breaches of all sizes. So if you’re one of the smart ones and you’re getting serious about cyber security, we should talk. Next in the Cyber Security Insider series: In the second part of the Cyber Security Insider series, we’ll take a look at what CISOs in Europe are doing in order to prepare their companies to handle the type of advanced threats we’ve talked about.
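
The breach account above says Corp X noticed only one of many uploads, and only because staff happened to be watching at the time. As an added example (not from the eBook or from F-Secure), this Python code applies two automated rules to outbound flow records so that repeated uploads to a destination never seen during a baseline period raise an alert at any hour. The flow records, addresses, baseline date and thresholds are all constructed assumptions.

```python
"""Flag outbound uploads to external destinations not seen during a baseline period."""
import ipaddress
from collections import defaultdict
from datetime import datetime

MB = 1024 ** 2
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space
BASELINE_END = datetime(2015, 3, 1)   # flows before this date only train the baseline
DAILY_LIMIT = 200 * MB                # assumed: bytes per day to one new destination
CUMULATIVE_LIMIT = 500 * MB           # assumed: total bytes to one new destination

# Constructed sample flows: (start time, source, destination, bytes sent outbound).
# External addresses come from the RFC 5737 documentation ranges.
FLOWS = [
    ("2015-02-10 09:15", "10.1.4.20", "198.51.100.7", 900 * MB),  # known backup provider
    ("2015-02-11 14:02", "10.1.4.31", "198.51.100.7", 850 * MB),
    ("2015-02-12 10:30", "10.1.4.20", "192.0.2.80", 2 * MB),      # routine web traffic
    ("2015-03-03 02:10", "10.1.4.20", "203.0.113.66", 150 * MB),  # new destination, small
    ("2015-03-09 16:40", "10.1.4.20", "203.0.113.66", 180 * MB),
    ("2015-03-17 16:45", "10.1.4.20", "203.0.113.66", 190 * MB),  # running total passes 500 MB
    ("2015-03-18 11:00", "10.1.4.31", "198.51.100.7", 900 * MB),  # large, but known destination
    ("2015-03-20 16:50", "10.1.4.55", "203.0.113.66", 350 * MB),  # single-day burst
    ("2015-03-21 09:00", "10.1.4.55", "10.1.9.9", 4000 * MB),     # internal copy, ignored
]


def is_internal(addr):
    """True when the address belongs to one of the organization's own networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_exfiltration(flows, baseline_end=BASELINE_END):
    """Return one alert per rule and key the first time a threshold is crossed."""
    known = set()              # external destinations contacted during the baseline
    daily = defaultdict(int)   # (src, dst, date) -> bytes sent that day
    total = defaultdict(int)   # (src, dst) -> bytes sent since the baseline ended
    alerted, alerts = set(), []
    parsed = sorted(
        (datetime.strptime(t, "%Y-%m-%d %H:%M"), s, d, b) for t, s, d, b in flows
    )
    for ts, src, dst, sent in parsed:
        if not is_internal(src) or is_internal(dst):
            continue                       # only internal-to-external traffic matters
        if ts < baseline_end:
            known.add(dst)                 # learn normal destinations, raise nothing
            continue
        if dst in known:
            continue                       # established destination, not scored here
        day_key, pair_key = (src, dst, ts.date()), (src, dst)
        daily[day_key] += sent
        total[pair_key] += sent
        checks = (
            ("daily-volume", daily[day_key], DAILY_LIMIT, day_key),
            ("cumulative-volume", total[pair_key], CUMULATIVE_LIMIT, pair_key),
        )
        for rule, value, limit, key in checks:
            if value >= limit and (rule, key) not in alerted:
                alerted.add((rule, key))
                alerts.append(
                    {"time": ts, "rule": rule, "src": src, "dst": dst, "bytes": value}
                )
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(FLOWS):
        print(alert["time"], alert["rule"], alert["src"], "->", alert["dst"],
              f'{alert["bytes"] // MB} MB')
```

The cumulative rule is the one that matters for slow theft like the 7GB taken over nine months: no single upload from 10.1.4.20 exceeds the daily limit, yet the running total to the new destination still raises an alert.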