Infosec leaders in private sector critical infrastructure firms need to have reaction playbooks ready to face cyber attacks if they want to stay ahead of new threats and threat actors, two Canadian bank security experts told the annual SecTor conference.
Louise Dadnonneau, director of cybersecurity services at Scotiabank and Jennifer Fernick, the bank’s senior cryptographic security architect, made that argument this week, suggesting that to some we are living in an era of cyber warfare.
“There is no real 100 per cent solid mitigation strategy,” said Dadnonneau, “but there is the playbook.”
“It forces you to look at things from different angles.”
There are many definitions of a playbook (some call it a use case), but the presenters define one as a set of actions based on emerging threats, focused on protecting the organization’s crown jewels, and supported by models and metrics. Organizations will need as many playbooks as necessary.
For the purpose of their presentation, the pair defined private sector critical infrastructure broadly: Not only could it include the 10 sectors already identified by Ottawa – including financial institutions – they said some other firms may benefit from considering themselves to be critical infrastructure for the purpose of cyber preparedness.
The first step is identifying the so-called crown jewels (data, specific applications, the IT infrastructure, the biggest source of revenue, whatever would affect the firm’s reputation, etc.). They didn’t offer specific advice on how to pick which are critical, other than to note that it will depend on who is asked in the organization. Also to be considered is what would be the hardest to recover if lost.
Next, create threat models. They suggest three types of attackers:
–Opportunists (individuals and small groups, who usually have limited resources);
–Professionals (financially or politically motivated, including hacktivists);
–Nation-state or equivalent (seek specific data or assets; well funded; as a group they have different goals).
And three types of impacts:
–Monitoring (watch traffic, passively extract limited information);
–Interference (modify network traffic, compromise data integrity);
–Catastrophic (take down significant services through ransomware, DDoS, etc.).
Beyond the traditional attacks CISOs have been preparing for, Fernick said leaders have to be prepared for new threats targeting their industry or data types.
These include attacks on large stores such as data lakes which, even though the data is encrypted, may need additional security controls; on machine learning analytic systems, particularly those defending the network (what happens if the baseline measuring user behaviour is tampered with?); on corporate cloud services; and through third parties (particularly less secure startups). They also mentioned the coming threat quantum computers may pose to existing encrypted data.
Once the infosec team has identified the playbook type, add the likelihood that a given adversary is behind the emerging threat (for example, the asset is a Web server, the attacker is likely Opportunistic, and the impact is on availability) and what the incident response team will do about the various ways the asset can be attacked.
The playbook should also include a list of who to call (lawyers, forensic consultants, public relations) and disaster recovery plans.
It’s also vital to collect metrics, ranging from relative malware rates in Canada to the average time it takes to restore systems, to compare against your own performance.
Then practice your plan to make sure it works. And update it regularly.
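As an added illustration (not code from the presenters or Scotiabank), the following Python sketch encodes the procedure described above: the three attacker tiers and three impact classes as enumerations, each crown-jewel asset mapped to its likely adversary, impact, likelihood and response steps, a simple likelihood × impact × criticality score to rank the entries, a coverage check that flags asset/impact combinations with no playbook entry yet, and a recovery-time metric to compare against. The asset names, scores, likelihoods and response steps are constructed for the example, and the scoring weights and the 1–5 criticality scale are assumptions, not the talk's method.

```python
"""Added example: a minimal playbook model built from the three attacker
tiers and three impact classes described in the talk. All assets, numbers
and response steps below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Attacker(Enum):
    OPPORTUNIST = 1    # individuals / small groups, limited resources
    PROFESSIONAL = 2   # financially or politically motivated, incl. hacktivists
    NATION_STATE = 3   # well funded, seeks specific data or assets


class Impact(Enum):
    MONITORING = 1     # passively watch traffic, extract limited information
    INTERFERENCE = 2   # modify network traffic, compromise data integrity
    CATASTROPHIC = 3   # take down significant services (ransomware, DDoS)


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int        # 1..5 from the crown-jewels exercise (assumed scale)
    recovery_hours: float   # how hard it is to recover if lost


@dataclass
class PlaybookEntry:
    asset: Asset
    attacker: Attacker
    impact: Impact
    likelihood: float       # 0..1, estimated chance over the planning horizon (assumed)
    response: list[str] = field(default_factory=list)
    contacts: list[str] = field(default_factory=list)

    def score(self) -> float:
        # Conventional qualitative risk score: likelihood x impact x criticality.
        # The weighting is an assumption of this example, not the presenters'.
        return round(self.likelihood * self.impact.value * self.asset.criticality, 2)


# Constructed sample crown jewels.
WEB = Asset("public web server", criticality=3, recovery_hours=8)
LAKE = Asset("customer data lake", criticality=5, recovery_hours=72)
UEBA = Asset("user-behaviour baseline model", criticality=4, recovery_hours=24)
ASSETS = [WEB, LAKE, UEBA]

# Constructed sample entries mirroring the talk's web-server example and its
# newer threats (encrypted data lakes, tampered ML baselines).
ENTRIES = [
    PlaybookEntry(WEB, Attacker.OPPORTUNIST, Impact.CATASTROPHIC, likelihood=0.6,
                  response=["enable DDoS scrubbing", "fail over to standby site"],
                  contacts=["hosting provider", "public relations"]),
    PlaybookEntry(LAKE, Attacker.NATION_STATE, Impact.MONITORING, likelihood=0.4,
                  response=["rotate data-lake keys", "review access logs"],
                  contacts=["legal counsel", "forensic consultants"]),
    PlaybookEntry(UEBA, Attacker.PROFESSIONAL, Impact.INTERFERENCE, likelihood=0.3,
                  response=["restore baseline from signed snapshot",
                            "compare alerts against the previous model"],
                  contacts=["ML platform owner"]),
]


def build_playbook(entries: list[PlaybookEntry]) -> list[PlaybookEntry]:
    """Order entries by descending risk score so the worst day is planned first."""
    return sorted(entries, key=lambda e: e.score(), reverse=True)


def coverage_gaps(assets: list[Asset], entries: list[PlaybookEntry]) -> list[tuple[str, str]]:
    """Asset/impact combinations that still have no playbook entry."""
    covered = {(e.asset.name, e.impact.name) for e in entries}
    return sorted((a.name, i.name) for a in assets for i in Impact
                  if (a.name, i.name) not in covered)


def average_recovery_hours(entries: list[PlaybookEntry]) -> float:
    """A metric to track over time and compare against external benchmarks."""
    return round(sum(e.asset.recovery_hours for e in entries) / len(entries), 1)


if __name__ == "__main__":
    for entry in build_playbook(ENTRIES):
        print(f"{entry.score():>5}  {entry.asset.name:<30} "
              f"{entry.attacker.name:<12} {entry.impact.name}")
    print("uncovered:", coverage_gaps(ASSETS, ENTRIES))
    print("average recovery hours:", average_recovery_hours(ENTRIES))
```

The gap list is the part worth keeping in a real exercise: it turns "as many playbooks as necessary" into a concrete backlog, and re-running it after each tabletop exercise shows whether coverage is improving.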
Threat modeling helps in risk management, the presenters said. True resilience, they added, comes from being unafraid to think differently about what attackers may want or be able to do.
“Your playbook is whatever makes sense for you,” Dadnonneau emphasized. “Don’t let anybody tell you your playbook isn’t good. The fact that you have one is good. Knowing what you’re going to do on a really bad day is a good start.”