ra2 studio - stock.adobe.com
Balancing defence in depth with cyber resiliency emerged as the top theme in a panel discussion on the top lessons from past cyber attacks at the National Cyber Security Agency’s (NCSC) CyberUK conference in Glasgow.
Business recovery is important, said Lewis Woodcock, head of cyber security compliance at Maersk, the Danish shipping giant that was one of the companies hardest hit by the 2017 NotPetya attack, with about 50,000 endpoints and thousands of applications and servers affected.
“Organisations need to ensure that they understand their core businesses processes, systems and applications,” he said. “From there, you can get the criticality of them and how to protect and secure them.”
This requires a balance between preventative and recovery measures, said Woodcock. “Companies need to work with the assumption that they will not be able to stop every future attack with preventative measures, so there needs to be a balance with recovery.
“With appropriate investment in both protection and recovery, companies will put themselves in a much better position.”
Another big lesson for Maersk, said Woodcock, was that the consequences of an indirect cyber attack can be just as damaging as a targeted attack.
“Maersk and the maritime industry were not the targets of NotPetya, and yet, along with many other international companies, we were part of the collateral damage, and that serves as a wake-up call for many, especially those who assume that attacks of a certain size and scale are always going to be targeted,” he said.
Cyber security risk is a risk-management issue, not merely a technical one, said Gwenda Fong, director, strategy at the Cyber Security Agency of Singapore, which was involved in managing the response to the 2018 breach at SingHealth that exposed the non-medical personal data of 1.5 million people – about 25% of Singapore’s population.
“As with all kinds of business risk, cyber security risk needs to be managed at the appropriate level,” she said. “Cyber security is about achieving a balance between security, the usability of systems and cost. This is a matter of judgement and trade-off that needs to be made, depending on the nature of the threat and the criticality of services being run.”
For this reason, said Fong, it is critical for organisations to have a reporting structure that supports the key business leaders in making cyber security decisions, such as the allocation of resources.
Defence in depth
When it comes to cyber defence strategy, organisations need to adopt a defence-in-depth approach, said Fong. “This means implementing stronger and multi-layered security mechanisms to protect the organisation’s ‘crown jewels’, which could be customer data or, in the case of SingHealth, patient data.”
The need to exercise incident response plans was another common theme in the panel discussion. “The SingHealth data breach showed that there is typically a need to close the gap between polices and practices,” said Fong.
“Organisations need to ensure that practices on the ground match the intent of cyber security policies. Operational staff who run security operations need to be familiar not only with the policies and processes, but they also need to internalise the intent and logic so they are able to act in line with the intent of the policies as situations arise.”
This means that organisations need to invest in development of security policies as well as regular refresher training for operational staff and regular exercises, she said. “These are akin to a fire drill in the sense that they test that operational staff are familiar with incident response processes.”
In terms of cyber attack exercise planning, Woodcock said his advice to organisations is to “think big”. “Don’t prepare for small incidents,” he said. “Prepare for huge incidents that are not necessarily a technology incident and that will not be resolved within your core team, but involves working across the organisations as well as with suppliers.”
Giving the UK cyber security agency’s perspective, Nicky Hudson, NCSC director of communications, said years of dealing with cyber attacks have shown that preparing and exercising incident response plans is essential.
“This is about knowing who is doing what and the role they play,” she said. “This is incredibly important. Organisations need to think about all stakeholders and how you are going to look after your staff, because cyber attacks seldom happen at a convenient time and they are not usually over quickly. They can sometimes take days and weeks to resolve, and incident response plans need to take into account that people get tired and hungry.”
Speedy, accurate communication
Communication during and about cyber attacks emerged as another key theme in the panel discussion. The SingHealth data breach underlined the need for early and accurate communication with key stakeholders, said Fong.
“The public was informed of the SingHealth data breach a mere 10 days after the incident was reported [to Singapore’s Cyber Security Agency],” she said. “Within that time, we had a team on site helping SingHealth contain the incident and reconstruct the attack and figure out exactly what data was exfiltrated so that we could confirm that no medical records were modified or deleted.
“We had to balance the need for speedy communications with the need to manage the crisis at hand and get the facts right.”
Another important thing to remember, said Hudson, is that communication is not just about the media when an attack or breach goes public.
“It has to be in the very widest sense of comms, so it is also about internal comms to keep staff informed and potentially comms with regulators, people affected by the breach and suppliers,” she said. “You need to know up-front how you are going to communicate with them.”
Hudson said comms within organisations also have an important role in bridging the various communities of stakeholders. “They need to be continually asking questions to ensure that there is a common understanding of what is going on and who is affected, that everything that goes out is consistent and makes sense, and that everyone involved is on the same page.”
In terms of communicating with the media about a cyber incident, Hudson encouraged organisations to contact the NCSC for support. “The NCSC can be a bridge between an organisation dealing with an incident and the media,” she said, adding that if it is a cyber attack, by involving the NCSC, the agency can work with organisations not only to get messages out to the media, but also to mitigate the effect of attacks and translate incidents into what needs to be done and who needs to know.
“We will work with you as a trusted adviser,” she said.
In the wake of the SingHealth breach, said Fong, investigators were able to reconstruct the attack and see what had happened fairly quickly thanks to good, comprehensive data logs. “We were really fortunate because we had good logs for the SingHealth database,” she said.
“It may seem a very straightforward point, but it is non-trivial. I cannot over-emphasise that the database logs helped the investigation team a great deal. Good housekeeping augments incident response.”
The availability of good data is one of the main challenges faced by cyber security incident responders, said Ollie Whitehouse, chief technical officer at NCC Group.
“The availability of good logs in a timely fashion is critical,” he said. “But there are many organisations that cannot give you visibility into their estate and what has happened – and that really frustrates the investigation.”
The second common challenge, said Whitehouse, is the inability of organisations to respond to an incident, such as being able to lock things down quickly.
“And the third challenge is the supply chain,” he said, “especially where there are contractual limitations where you need help from a supplier, either in giving clients logs in a timely fashion or in allowing third parties such as incident response firms access to their systems in order to protect the larger entity.
“Addressing just these three problems will enable organisations to have a far more effective response. This is particularly when things come to light weeks, months and even years later because the inability to go back in time due to the lack of data leaves many questions unanswered, and this can be very frustrating when you have got to report to regulators or shareholders.”
For this reason, said Whitehouse, it is important to have the right contract in place that will allow speedy access with service-level agreements (SLAs) to the data the organisation will need in the event of a cyber attack.
“If a supplier becomes obstructive, it is vital that you have a contractual means to fall back on in order to force their hand and prevent them from making it difficult to get to the data you need,” he said. “If you can establish up-front in the contract what your expectations will be and in what timeframe and who to contact, this can be very slick.”
From a law enforcement perspective, one of the most important things when it comes to cyber attacks is to report the incident to the police, said Jim Stokley, deputy director of the National Crime Agency’s National Cyber Crime Unit (NCCU).
“Organisations can rest assured that by reporting incidents to the police, no information will be shared with regulators,” he said. “You are a victim of a crime, and the information we have will be treated as confidential.
“But reporting the incident is important because it enables us to adapt and respond to the threat as well as being able to investigate it, and any resultant prosecution can act as a deterrent for cyber criminals in future. So I encourage all organisations that are hit by cyber attacks to report those incidents to the police.”