Part II: Detection and response for boards and CEOs
In today’s business climate, CEOs are often held responsible when a security incident gets out of control. CEOs of companies like Equifax, Yahoo, and FACC have all been put on trial in board rooms and in the court of public opinion following breaches. They’re often expected to answer for their company’s ability to respond to cyber attacks. I would go as far as to say that a CEO’s ability to answer for their company’s security strengths and shortcomings, and how effectively they’re able to limit damage to a brand’s reputation and credibility, should be treated as part of the incident response process.
F-Secure consultants often note that about 50% of cyber security investments are useless, but most organizations have no idea which 50% that is. In my last post, I offered some suggestions that would give boards and CEOs a sense of which half of their budget they might be wasting. These steps begin with identifying critical assets. They include ordering a red team attack and then using the results of this exercise to reduce your attack surface, build awareness and create a culture of constant improvement.
As part of the CEO’s and/or the board’s journey to understand the company’s maturity level, you should also explore how well you might cope with a successful breach. The ability to detect threats and respond to them before they can inflict serious damage is key to improving cyber defenses.
Here is a list of simple technical questions that you can ask. The first three address detection capabilities. The last three relate to your ability to deal with a detected breach. The idea behind these questions is not that they cover everything, or even that they focus on the most important items. The list of things to do and capabilities to have is long and cannot be covered by just a few questions. However, all of the following six questions are meaningful and you can learn a lot from the answers. A straightforward yes to each question tells you a lot. On the other hand, a blank stare and “I have no idea” will tell you just as much. Have a short discussion on each topic to understand what else is being done or planned around each domain.
Questions for measuring detection capabilities:
1. Do you have decoy profiles (in Active Directory or similar) and do you get alerts if they are targeted?
Explanation: Attackers almost always use existing user accounts to gain a further foothold after the initial compromise. That kind of activity would be highly visible in a fake account created by your IT organization, because the account would normally have no activity at all. In order for this to be useful, your security team needs to get automatic alerts for any activity detected in these fake accounts, including failed logon attempts.
2. Will you be alerted of failed exploitation attempts against your endpoint devices, such as laptops?
Explanation: Attackers often use known vulnerabilities in your systems to gain a foothold. Often your IT team has already patched the systems and the attack does not work. It is still important to get notifications of these failed attempts, as they may reveal that you are being targeted by a serious adversary.
3. Will your security team get notifications if workstations are talking to each other?
Explanation: There is typically no network traffic directly between workstations, only between workstations and servers. If an end device tries to connect directly to another end device, your security team needs to be notified.
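As an added illustration of detection questions 1 and 3 (not code from the original post), the following script runs the two checks over constructed sample logon events and network flow records. The decoy account name, the workstation address range and all log entries are made up for the example.

```python
import ipaddress

# Constructed sample data for the example: a decoy account that nobody should
# ever use, an assumed workstation address range, a few logon events and flows.
DECOY_ACCOUNTS = {"svc_backup_legacy"}                  # hypothetical decoy name
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed client range

LOGON_EVENTS = [
    {"user": "alice", "host": "WS-0142", "event": "logon", "ok": True},
    {"user": "svc_backup_legacy", "host": "WS-0377", "event": "logon", "ok": False},
    {"user": "bob", "host": "FS-01", "event": "logon", "ok": True},
]

FLOWS = [
    {"src": "10.20.1.15", "dst": "10.50.0.8", "dport": 445},    # workstation -> server
    {"src": "10.20.1.15", "dst": "10.20.3.77", "dport": 445},   # workstation -> workstation
    {"src": "10.50.0.8", "dst": "10.20.1.15", "dport": 49152},  # server -> workstation
]


def decoy_account_alerts(events, decoys=DECOY_ACCOUNTS):
    """Question 1: any event touching a decoy account is an alert, even a failed
    logon, because the account has no legitimate use at all."""
    return [e for e in events if e["user"] in decoys]


def workstation_to_workstation(flows, ws_net=WORKSTATION_NET):
    """Question 3: flag flows whose source and destination both lie in the
    workstation range; normal traffic runs between workstations and servers."""
    hits = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in ws_net and dst in ws_net and src != dst:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for e in decoy_account_alerts(LOGON_EVENTS):
        print("ALERT decoy account touched:", e)
    for f in workstation_to_workstation(FLOWS):
        print("ALERT workstation-to-workstation flow:", f)
```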
Questions for measuring response capabilities:
1. Can you tell which users got an email with an attachment named “example.pptx”?
Explanation: Your security team will often need logs to let them see what’s actually been happening in your IT estate. Not being able to access these logs, or not being able to access them quickly, can hinder a security team’s ability to respond.
2. Can you remotely collect evidence from a workstation (e.g. acquire an image of its memory)?
Explanation: This is one key capability for forensic work during an incident, as it helps rapidly provide visibility into what’s actually happened.
3. Can you tell which user connected to address 126.96.36.199, say, 15 months ago?
Explanation: Similar to the first two, being able to answer this question quickly and efficiently indicates how fast you can get visibility into what actually happened during an incident.
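As an added example for response questions 1 and 3 (not code from the original post), the script below answers both questions over constructed mail and proxy logs. The retention period, the dates and all log entries are assumed for the example; the point is that a query reaching past the retention window must report "no data", not "nobody".

```python
from datetime import datetime, timedelta, timezone

# Constructed sample logs for the example; timestamps are UTC.
NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)  # assumed "today"
LOG_RETENTION = timedelta(days=400)               # assumed retention policy

MAIL_LOG = [
    {"ts": NOW - timedelta(days=2), "to": "alice", "attachments": ["example.pptx"]},
    {"ts": NOW - timedelta(days=2), "to": "bob", "attachments": ["invoice.pdf"]},
    {"ts": NOW - timedelta(days=1), "to": "carol", "attachments": ["Example.PPTX"]},
]

PROXY_LOG = [
    {"ts": NOW - timedelta(days=30), "user": "dave", "dst_ip": "126.96.36.199"},
    {"ts": NOW - timedelta(days=200), "user": "erin", "dst_ip": "126.96.36.199"},
]


def who_received_attachment(mail_log, name):
    """Response question 1: recipients of a mail carrying the named attachment.
    Filename case is not a reliable discriminator, so compare case-insensitively."""
    wanted = name.lower()
    return sorted({m["to"] for m in mail_log
                   if any(a.lower() == wanted for a in m["attachments"])})


def who_connected(proxy_log, ip, months_ago, now=NOW, retention=LOG_RETENTION):
    """Response question 3: users seen connecting to `ip` in the 30-day window
    starting `months_ago` months back (months approximated as 30 days).
    Returns None when the window predates retention: the answer is then
    "we cannot know", which an analyst must not mistake for "nobody"."""
    window_start = now - timedelta(days=30 * months_ago)
    window_end = window_start + timedelta(days=30)
    if window_start < now - retention:
        return None
    return sorted({p["user"] for p in proxy_log
                   if p["dst_ip"] == ip and window_start <= p["ts"] < window_end})


if __name__ == "__main__":
    print("example.pptx went to:", who_received_attachment(MAIL_LOG, "example.pptx"))
    print("1 month ago:", who_connected(PROXY_LOG, "126.96.36.199", 1))
    print("15 months ago:", who_connected(PROXY_LOG, "126.96.36.199", 15))
```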
Technical questions like these might seem too in-depth or detailed to warrant your attention. But everyone, including C-level executives and board members, should have some degree of knowledge about a company’s technical security capabilities. By understanding the technical capabilities and strengths of an organization, you can appreciate the context of a security incident and the subsequent response. You can ask the right questions instead of first having to get up to speed on the basics of the company’s IT estate and security posture. That knowledge will help you provide better guidance to ensure different stakeholders are working together instead of allowing chaos and panic to overwhelm them.
But while effective collaboration is a key ingredient in your organization’s response capabilities, there’s an aspect of individual accountability that makes the CEO’s role unique. CEOs are expected to maintain control over all aspects of their organization. In many ways, attacks are nothing more than an attempt by an adversary to seize control over a company, its assets, or its personnel. DDoS attacks, extortion, espionage, and theft can all be seen as an adversary’s attempt to seize control. In that sense, it’s fitting for stakeholders to expect you to answer for these attacks.
Finally, it’s important that everyone at a company gets proactive about responding to threats. Your first experience with your company’s cyber security posture shouldn’t be a phone call from the CISO reporting a breach. Start asking questions (like those I’ve listed above) to signal to everyone that knowing how to detect, respond to, and recover from an incident is important enough to be treated as a company-wide priority. Doing this right will help your organization develop a security culture ready to meet attacks with a fast, efficient response that can limit damages and help the company get back to business.
An organization’s security posture is a muscle. It needs a workout to stay in shape. That means exercising it regularly so that it can do its job when called to compete against attackers. External cyber security specialists can act like trainers here – they push an organization to do better. Their complete focus on security means they can provide you and your employees with the guidance, knowledge, and motivation to improve and stay a step ahead of attackers.
Being a CEO or a Chairman is not an easy job. You are always judged with hindsight. You are expected to know everything and always be on top of what is happening. Cyber security is one area where this gets difficult as the technical requirements are fairly high for truly understanding what the company’s actual prevention, detection and response capabilities are.
I have tried to put myself in the shoes of a typical CEO or Chairman, and provide some pointers to help start assessing where you are as a company. I would love to get feedback and start a dialogue on these topics. It is high time for us corporate leaders to stop pretending we know everything and start asking questions to learn more about cyber security.