James Holley is an Executive Director at Ernst & Young LLP. In this interview he discusses the complexity of modern cyber attacks, the challenges involved in maintaining a growing security architecture, cyber attack drills, and much more.
He’ll be speaking about targeted cyber attacks at ISACA’s North America CACS conference in April.
What are the main challenges in balancing a growing security architecture with emerging threats, while at the same time justifying ROI to the management?
There are at least two primary challenges to balancing a growing security architecture against emerging threats.
The first is that emerging threats are developed and deployed very rapidly, while almost any new element of the security architecture generally takes much longer to put in place, generating a window of risk where an emerging threat initially has no corresponding security component to address it.
The second is that new elements of the security architecture typically impact users and business processes in some manner. A practical example of this impact is a three-pronged security project that removes users from local administrative groups, requires password vaulting for all accounts with elevated privileges, and deploys application whitelisting in an effort to counteract the emerging threat of phishing attacks. Users, including server administrators accustomed to having local administrative privileges, must adapt to the new security environment. Likewise, some automated business processes that require accounts with elevated privileges must also be adapted to use the password vault. These changes have an impact on administrators and users that must be addressed in the planning phase of the architecture project.
Justifying ROI for information security can be a challenge. Information security is, in fact, a business problem, not an IT problem. The information security team should develop an information security strategy aligned with the company’s business imperatives and the various IT programs designed to support those business imperatives. A well-executed information security program should also deploy a security architecture that enables business focused outcomes (i.e. enabling the company to research and develop new products, to expand in existing markets or enter new ones, or to attract new customers) in secure ways.
But that is not enough. Because users are both the target of advanced attacks and the first line of defense, the information security strategy should include components designed to modify user’s behaviors, enable risk-aware behaviors and require risk-aware decision making, all while driving compliance with law and regulation. These are the components of the ROI calculus for information security.
The number and complexity of cyber attacks continues to rise and the information security industry is playing catch-up. Do you think we’ll ever be ahead of the bad guys?
Attackers have always had an advantage. They have to be right once—defenders have to be right all the time. And the window of risk defined above when an attacker can deploy some new attack technique or capability ensures attackers will continue to have an opportunity at a point in time when capable defenses have not yet been developed or deployed.
What’s the darkest scenario we can realistically expect to see unfold if a targeted cyber attack successfully impacts a country’s critical infrastructure?
Having served more than 20 years in the US Air Force, including 14 years in Information Warfare, I can imagine some very dark scenarios regarding attacks on critical infrastructures. In the US, we’ve defined 16 critical infrastructure sectors: Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Financial Services; Food and Agriculture; Government Facilities; Healthcare and Public Health; Information Technology; Nuclear Reactors, Materials and Waste; Transportation Systems; and Water and Wastewater Systems.
The potential impact of a targeted cyber attack certainly depends on which critical infrastructure sector is attacked or which combination of critical infrastructure sectors are attacked simultaneously.
If I were writing a novel, I could imagine a scenario where all of these interconnected sectors were attacked simultaneously in an effort to wreck a country. But I also recognize that everyone working in the US counter terrorism community in 2001 was staggered by the destruction of the attacks conducted on September 11th. No one believed such a thing was possible.
Those unthinkable black swan events catch everyone by surprise with devastating effect. So, while we can all conceive that a successful attack on a country’s “critical infrastructure” might wreak havoc for the population, I think the most impactful attack will be a black swan event—something that absolutely no one thinks is possible and, therefore, no one prepares for.
Organizations and governments are increasingly planning and executing cyber attack drills. What’s your take on these tests? Given the fact that they are generally meticulously planned in advance, can they provide a pragmatic picture of the overall security posture?
Most of these drills are not actually designed to provide a pragmatic picture of the overall security posture of the entities that participate in the drills. And that can be part of the problem—a false sense of security is created, if a participating entity does well in a drill. Some drills are only designed to test communication channels among the participants and do not test any attack scenario.
Other drills are designed to play out a single attack scenario and an entity might do well against that specific scenario. But they might not do as well against other scenarios. Another potential downside is the possibility that if a participant does well in a public drill, they may unintentionally throw down a gauntlet for an attacker looking for publicity or notoriety.
To get a clearer picture of the overall security posture of an organization, the organization must submit to multiple attack scenarios combined with an assessment of their program based on a carefully designed Capability Maturity Model (CMM). We’ve done assessments with as many as 10 different attack scenarios combined with a CMM assessment to give a client a clearer understanding of the overall posture of their information security program.
The attack scenarios vary from what an external entity could do with specific attack techniques to what a trusted insider might also be able to do. The CMM is designed to assess the information security program in 20 specific areas. Some of those areas include Security Architecture, Asset Management, Security Awareness & Training, Governance and Organization, Identity and Access Management, Security Incident Management, Metrics and Reporting, Information Security Strategy, Third Party Management and Threat & Vulnerability Management. None of the drills sponsored by governmental or regulatory bodies are designed to assess all the areas covered in the CMM or to assess a company’s vulnerability to an insider threat. Therefore, they cannot give a participating entity a pragmatic picture of the overall security posture.
What’s the most appropriate course of action for an organization experiencing a targeted cyber attack?
An organization experiencing a targeted cyber attack, typically launched by a state-sponsored attacker or by organized crime must develop and execute plans for three separate, but interdependent, work streams: investigation, remediation and eradication.
The primary goal of the investigation work stream is to develop sufficient evidence of the breadth, depth, scope and methods of the compromise to enable successful eradication of the attackers. To conduct this investigation, a company requires four critical capabilities:
- a. Network forensics and event visibility will include a centralized, searchable event log repository combined with deep-packet inspection capabilities to give the company continuous visibility into security events and insight into attacker techniques.
- b. Enterprise memory forensics will include the ability to inspect running processes in memory looking for suspicious behaviors—because some malicious software is configured never to be written to disk and signature based detection mechanisms cannot discover malware it has never seen.
- c. Enterprise host-based forensics will enable the investigation team to confirm malware infection on, access to, or data exfiltration from hosts identified by other work streams or through the forensic process, as well as accounts compromised to or created by the attackers that allow them persistent access to the environment.
- d. Enterprise sweep will enable the investigation to search hosts across the enterprise for the indicators of compromise developed during the investigation to identify computer assets that must be addressed during the eradication event.
The remediation work stream, which runs concurrently with the investigation, will serve multiple purposes:
- a. First, it will identify and address vulnerabilities in the environment that may have been exploited by the attackers to get in or might be exploited by them to re-enter after the eradication event.
- b. Second, it must seek to harden the environment, to complicate an attacker’s efforts to get back into the environment after eradication.
- c. Third, it must enhance the company’s ability to detect future attacks.
- d. Fourth, it must expand the company’s capability to respond to sophisticated attacks.
- e. And finally, the remediation plan must prepare the company for the eradication event.
The eradication event will be planned such that in a very short period of time (typically over a long weekend), the company will rapidly cut off the attacker’s access to the environment with the full understanding that the attackers will most likely seek to re-establish access. The eradication event cannot occur before the investigation has developed sufficient evidence of the breadth, depth, scope and methods of the attacker’s capability to maintain persistent access to the company’s environment and certain remediation activities have sufficiently hardened the environment against re-attack, have enabled visibility into the attacker’s attempts to get back in, and have enhanced the company’s ability to respond to attacks.