Life after Breach: 5 steps to recover from a cyber attack

Christina Kubecka’s Black Hat briefing on recovering from the Aramco cyber attack lays out a playbook for post-attack recovery and adaptive security teams.

It seems only fitting to have a post-Black Hat reflection on post-attack recovery. In her presentation How to Implement Security after a Cyber Security Meltdown, Christina Kubecka outlined the recovery efforts she helped implement after the 2012 cyber attack on Saudi Aramco.

Chicken Little! Chicken Little! Your network just got pwned!

For those unfamiliar with the incident, a bit of background: on August 15, 2012 a hacker group claimed responsibility for an attack on the world’s largest oil producer, Aramco. The attack unfolded during the holy month of Ramadan, when Aramco was lightly staffed, and it did not receive a response for nearly two weeks. In that time, more than 50 percent of Aramco’s Windows systems were completely compromised and their data wiped.

When Aramco did realize the intrusion, they disconnected far-reaching systems as soon as possible to prevent further compromise; however, this isolationist response also cut off harmless and fully functional systems, greatly disrupting Aramco’s distribution. They were without phones and email, and lost the use of their IT payment systems. Overnight, the company responsible for one tenth of the world’s oil production became entirely dependent on fax machines.

Sounds terrible, right? Well, it was; but it’s not the end of the story. Aramco is still the world’s largest oil producer, with hundreds of billions of dollars in revenue, employing tens of thousands around the globe.

When we see stories like the Aramco attack or OPM breach splash the headlines, it may seem that the sky is falling. But the moral here is that you can always recover; that is, if you are willing to adapt.

Climbing out of the wreckage

With many cyber attacks on big-name organizations, we see the post-breach scramble: mixed information in the attack assessment, banal statements given to the press, and the immediate impact on business. But what’s important — and generally less public — are the changes implemented and lessons learned in the long run.

Kubecka joined Aramco in the chaos following the breach. She was tasked with creating a SNOC team essentially from scratch and building it into an ongoing security unit; here’s what she learned:

  • Treat your employees well: While it seems like IT security tasks can never move fast enough, it’s important to remember there are human beings executing these tasks, with their own limitations ranging from exhaustion to the need to feel appreciated. If you want your go-team at their best, make sure they’re well rested, well paid, and recognized for their efforts.
  • Let them play: If security teams are overworked and strung out on mundane tasks, you will never encourage the ingenuity and creativity you hired them for. Be sure to give them time to experiment and build, not just continuously react and comply.
  • Comprehensive incident response: The IR team should be made up of more than just IT. Having a multi-faceted approach ready BEFORE A BREACH OCCURS ensures your response is cohesive and addresses both the technical and the business impact of the breach. Comprehensive incident response should involve representatives from the legal, PR, communications, and HR departments.
  • Communication is key: Shortly after the cyber attack, Aramco employees were posting screenshots of their workstations on social media, thinking they had been attacked again. This could have been avoided with a clearly defined social media policy and effective communication. Staying in continuous contact with employees, customers, partners, and media during recovery should help drive down speculation and confusion.
  • Where did we go wrong? Beyond the technical assessment of the attack, you should consider other contributing factors and how to fix them. In Aramco’s case, they undoubtedly had to assess system monitoring during holidays and whether the communication blackout was necessary. While the fax machine approach wasn’t ideal, it was a low-tech solution that worked under the circumstances. Whatever approach you decide on, make sure you have your stamps, carrier pigeons, and smoke signal kindling ready.

While no company likes to air their dirty cyber laundry, the lessons shared by Kubecka are valuable to any organization (and, bonus, could be implemented today). The Black Hat briefings are a great opportunity to learn from leaders in the industry, but peer-to-peer communication may be just as helpful to close the gap between the attackers and their targets and implement effective change.


Originally published at blog.skyboxsecurity.com on August 18, 2015.