In this interview with Help Net Security, Ben Smith, Field CTO at NetWitness, talks about how the wave of lay-offs has impacted the cyber resilience of many businesses, and also which threats organizations should be aware of in these times of crisis.
Lay-offs have started to make headlines lately. How does this relate to cybersecurity?
Perhaps the most obvious cybersecurity impact in the context of lay-offs is the insider threat. CERT/CC’s two-plus decades of research work in this space has demonstrated again and again that the most dangerous 60 days regarding insider threats are the 30 days prior to resignation (or termination) plus the 30 days post-termination. Many organizations don’t pay appropriate attention to that second 30-day window, believing that a terminated user will always be deprovisioned from absolutely every system where they had privileges. Sometimes that doesn’t happen on a timely basis, or at all.
Less obvious but still essential to keep on the radar is the potential impact to systems and processes on which the cybersecurity team is reliant. When people leave organizations, tacit knowledge walks out the door at the same time. Despite best efforts, it is the rare organization which fully documents each and every application owner and associated business processes. And a poorly documented process is an open door for an adversary, whether internal or external, be it today or tomorrow.
How prepared are these companies if an attack were to occur?
Even today’s most mature cybersecurity teams learn hard lessons in the aftermath of an attack, whether or not data was exfiltrated. Being resilient is all about being stretched during an incident and then returning to a normal state afterwards. Sadly, in many cases it’s only in the days and weeks after an organization is attacked when the long-requested budget suddenly and urgently arrives. Just because you think you are ready doesn’t mean you are in fact best positioned to respond.
Of course, the best way to gauge readiness is not just to have a response plan, but a response plan that is regularly reviewed and exercised. In the cybersecurity space, formal tabletop exercises can throw a light onto faulty assumptions or reliance on personnel or processes which no longer exist. Like a doctor who doesn’t self-diagnose an illness, but instead relies on a review by another medical professional, smart organizations will look for outside help here. These tabletop exercises are best facilitated by an external resource or team which is informed by their real-world incident response work.
What are the current global threat activities that could disrupt businesses?
One of the most direct paths for an adversary to follow into the mind of a target is to piggyback on current events. We’re talking about lay-offs today, something happening throughout many industries and obviously something that is in the news. If you are working in an industry where you think your own company may be considering staff cuts, how would you react to an unexpected email arriving in your inbox with a spreadsheet attachment, purportedly containing details about that next round of cuts? Wouldn’t you be just a little curious – maybe curious enough that in your haste to double-click that file attachment, you fail to see other clues suggesting the email is a fake?
Traveling alongside major news stories is a tried-and-true method for phishing campaigns. Throw in a sense of urgency (“My job might be at risk, I need to look at that RIGHT NOW!”) and remember that most adversaries aren’t looking for 100% clicks, they just need a small handful to achieve their goals.
What mitigation tactics do you recommend?
Whether it’s the insider threat problem we talked about earlier or the external phishing adversary, there are technical and non-technical controls you can deploy. Comprehensive visibility into your broader environment isn’t a secondary goal; it really should be your first step. Logs are good for after-the-fact diagnosis of what went wrong, but collecting network traffic and watching what’s happening on your endpoints are real-time approaches which give you a chance not just to recognize but to step in and stop an attack in progress.
Organizations with strong and dependable connections between departments always stand a better chance of success when trying to mitigate an attack. In the lay-off scenario we’re talking about, how connected are your security operations and human resources functions? HR probably knows about those employees who are about to leave the organization – information that could be very useful and important should an insider threat situation materialize. If you have the right tools but they are not tuned to account for your current scenario, whether it’s lay-offs or some other unusual business situation, those tools can’t help you as you might hope or expect.
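Two of the points above, the post-termination window in which accounts are sometimes never deprovisioned and the value of feeding HR's departure list to security operations, can be turned into a simple reconciliation check. The following is an added illustration, not code from NetWitness or the interviewee: it joins a constructed HR offboarding feed, an identity-directory export and a few authentication log records, and reports accounts still enabled after their termination date, the users currently inside the 30-days-before/30-days-after risk window, and any authentication activity by those users inside that window. All field names and sample records are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed sample inputs (not from the interview): an HR offboarding feed,
# an identity-directory export, and a handful of authentication log records.
HR_OFFBOARDING = [
    {"user": "asmith", "termination_date": date(2023, 3, 1)},   # already left
    {"user": "bjones", "termination_date": date(2023, 3, 15)},  # already left
    {"user": "cwang",  "termination_date": date(2023, 4, 10)},  # notice given, still employed
    {"user": "eford",  "termination_date": date(2023, 1, 5)},   # left long ago
]

DIRECTORY = [
    {"user": "asmith", "enabled": True},   # never deprovisioned
    {"user": "bjones", "enabled": False},
    {"user": "cwang",  "enabled": True},
    {"user": "dlee",   "enabled": True},   # current employee, not in the HR feed
    {"user": "eford",  "enabled": False},
]

AUTH_LOG = [
    {"user": "asmith", "ts": date(2023, 3, 20), "action": "vpn_login"},
    {"user": "bjones", "ts": date(2023, 3, 2),  "action": "login"},
    {"user": "cwang",  "ts": date(2023, 3, 25), "action": "bulk_download"},
    {"user": "dlee",   "ts": date(2023, 3, 25), "action": "bulk_download"},
    {"user": "eford",  "ts": date(2023, 3, 10), "action": "login"},
]

WINDOW = timedelta(days=30)  # the 30-day margin on each side of termination


def risk_window(termination_date):
    """Start and end (inclusive) of the 60-day risk window around a termination."""
    return termination_date - WINDOW, termination_date + WINDOW


def stale_accounts(hr, directory, today):
    """Accounts whose termination date has passed but which are still enabled.

    Returns a sorted list of (user, days_since_termination).
    """
    enabled = {d["user"] for d in directory if d["enabled"]}
    findings = []
    for rec in hr:
        term = rec["termination_date"]
        if term < today and rec["user"] in enabled:
            findings.append((rec["user"], (today - term).days))
    return sorted(findings)


def watchlist(hr, today):
    """Users whose risk window contains today; hand this list to the SOC."""
    names = []
    for rec in hr:
        start, end = risk_window(rec["termination_date"])
        if start <= today <= end:
            names.append(rec["user"])
    return sorted(names)


def watchlist_activity(hr, auth_log):
    """Auth events by departing or departed users inside their risk window.

    Each finding is (user, action, phase), where phase is 'pre-termination'
    or 'post-termination'. Post-termination activity means the account was
    still usable after it should have been disabled.
    """
    term_by_user = {r["user"]: r["termination_date"] for r in hr}
    findings = []
    for ev in auth_log:
        term = term_by_user.get(ev["user"])
        if term is None:
            continue  # not a departing user; outside this check's scope
        start, end = risk_window(term)
        if start <= ev["ts"] <= end:
            phase = "post-termination" if ev["ts"] >= term else "pre-termination"
            findings.append((ev["user"], ev["action"], phase))
    return findings


if __name__ == "__main__":
    today = date(2023, 3, 31)
    print("stale accounts:", stale_accounts(HR_OFFBOARDING, DIRECTORY, today))
    print("watchlist:", watchlist(HR_OFFBOARDING, today))
    for finding in watchlist_activity(HR_OFFBOARDING, AUTH_LOG):
        print("flagged:", finding)
```

In practice the HR feed would come from the HRIS, the directory export from the identity provider, and the auth records from the SIEM; the point of the join is that none of the three sources on its own can tell you that a terminated user's account is still enabled and in use.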
How do you see cybersecurity preparedness evolving in the future? Have companies learned anything from these times of crisis?
Preparedness is the outcome of executing for resilience. We’ve talked about controls and visibility, and people and processes. The goal of organizations should be an evolution to a state of real-time situational awareness across the entire environment. Even then, attacks will still occur. The pay-off to attaining situational awareness is being able to shrink the amount of time it takes to find and remediate incidents within your environment.