It often seems as if organizations are helpless against cyber attacks — after all, even veteran experts admit that a determined intruder can’t be prevented from breaching the network.
But a security consultant maintains that the spread of many notorious breaches could have been stopped if security teams had paid attention to clear warnings of an intrusion.
“That is a recurring theme of almost every large breach I’ve worked,” Timothy Ryan, a former FBI cyber investigator and current managing director of security at Kroll Inc. told the Capacity North America telecom conference Thursday in Toronto. “It’s not that it was malware that couldn’t be detected. It’s that somebody inside the organization knew what was going on and it never escalated.”
He gave as an example an unnamed multinational company in the Middle East that “virtually printed money for a living” and spent a lot on IT security. One of its subsidiaries detected and stopped an intruder, then warned the parent company — which apparently did nothing to prepare for the possibility of another attack there.
When Ryan did the subsequent investigation, the CSO told him he only realized there was a problem “when all the screens in our network operations centre started to flicker and go offline.” The attacker had found a way in wiped almost all the company’s data.
Sounds like last year’s attack on Sony, but Ryan said, this was years before. However, he said it was also is similar to the attack on Target stores, where the FireEye detection system warned of malware on the company network, and one on the U.S.-based Wyndam Worldwide hotel chain in 2008-2009.
Ryan predicts that data and network destruction will increasingly be the strategies of attackers. some of whom will demand a ransom before data is wiped while others will merely flip the switch. “We will all be reminiscing about the sweet old days when people were just stealing credit cards,” he told the audience of carriers from Canada and the U.S. “Your networks provide a war-fighting capability, and when those networks go down it degrades the capabilities of the country that you operate in.”
That’s why he said carriers and Internet operators face unique threats. As infrastructure providers they not only have to watch for attackers wanting sensitive data, they also have to have to detect attackers who want to crash their networks.
The problem, he said, is IT teams face too many alerts from systems and don’t know how to prioritize them. What CISOs have to do, Ryan said, is have a “succinct” incident response plan that defines a security incident and how it gets escalated.
An incident, he added, isn’t ”any time there’s a technical problem that cannot be readily explained.” In fact, he added, your organization is most likely to be warned of an intrusion in one of three ways: From an outsider (law enforcement, the media or a partner); your security infrastructure alarms, or a user that has been locked out or had email bounced back. CISOs need a response plan for each. “Any emergency response plan that categorizes every bad incident that could happen at your company is a waste of time.”
He also touted the merits of new end point threat monitoring/detection tools — such as CrowdStrike or Carbon Black — which capture process and network connection information for every host. That can alleviate the need to do a lot of forensics on an attack, he said.