Lack of Sharing Breach Information
Every day the news is packed with headlines about a new treasure trove of sensitive data that is in the hands of the bad guys. What we never hear is exactly how it was done. The lack of this information is what makes it easy for the bad guys to keep doing what they do.
Why are we so reluctant to share our findings with the world? Wouldn’t learning from each other’s mistakes make it harder for the hackers to do this again?
The reason we are so reluctant to share boils down to reputation.
In the hacking community, if you discover a zero-day, an exploit, a backdoor, you name it, you are considered a god. You want to share this information with everyone possible to let them know you are ‘the man’. Getting hit by a breach that actually uses a zero-day is very rare. The copycats are the ones you need to worry about. These copycats are paying a premium for this info, because defense systems have not yet been updated to detect the issue.
The guys discovering and selling these zero-days to the copycats are making huge profits from this.
So let me ask you, if the hackers are sharing their information with each other, why don’t we?
The reason companies aren’t sharing information related to their cybersecurity mishaps is that their reputation takes a major blow. It makes you appear weak, lazy, and lacking in knowledge. For publicly traded companies, this means a dip in their stock price. For private companies, this means their brand will take a major hit and customers may consider moving to a competitor.
For this reason, it’s understandable that no one wants to let the cat out of the bag that they have been compromised. For publicly traded companies, the Securities and Exchange Commission (SEC) requires that companies disclose their cybersecurity incidents to the public. This started in 2011, but due to loose wording, they are only required to disclose that an incident occurred. This is a great start, but does it help the rest of us? Does knowing that 10, 20, 30,000, or 1 million accounts were compromised help improve cybersecurity? Not really.
The questions these companies should be required to answer should look like an Incident Response Report:
How did the breach occur? — Was it from a phishing email? A physical device in the network? An exploit used against a public facing server? Malware?
How was the incident detected? — Was it luck? Was it procedure? Was it an alert?
How did they know what systems were accessed? — Were access logs retroactively analyzed? Was there a network device capable of providing a historical view of connections? Was there an identity access broker in the network?
How do you know what was compromised? — Was there a logged SQL command that recorded the database query used to extract the data? Was there a Data Loss Prevention solution in place that recorded but did not stop the event?
What were the Indicators of Compromise (IOCs)?
If the attack was stopped mid-action, how was the incident contained? — Was it done by revoking rights or by orchestrating a network lockdown?
As a CSO, these are a few of the questions I would expect my team to answer as part of their Incident Report. Incident reports not only provide a summary of exactly what happened but also allow your team to identify their gaps and find areas for improvement. Providing this information to the public would allow others to learn from those mistakes.
We recently responded to a ransomware incident that occurred the same week that the city of Atlanta was also hit with ransomware. From what we heard on the news, both incidents seemed very similar to each other, just on different scales.
As a service provider, I get to learn from these kinds of situations. I not only used the information I learned and applied it to that client’s network, but I also shared this information with my other clients. Our clients know when we are in incident response mode for other clients. That’s when the questions start coming in. What did you learn? Are we protected? What can we be doing better? This is all information I am willing to share.
If we find a particular gap or think of a new defense strategy, the first thing we do is say, “Hey, we should check this on all our clients’ networks.” This is the benefit our clients get from us helping others. This is the attitude the IT community needs to take. The better we defend our networks, the harder we make it for the hackers, and the less incentive they have, because we’re making their job difficult.
Atlanta brought in the major players to help resolve their problem, particularly Microsoft and Cisco teams. For $2.7 million, I would expect a pretty comprehensive Incident Report packed full of valuable information: how this occurred, how they can prevent it in the future, and what systems and strategies they need to put in place. You know, the kind of information that would be helpful to the rest of us.
The problem is, that document will never see the light of day outside of Atlanta’s IT Department and a few high-level individuals who will be voting yes on their new IT budget for 2018.
This is the kind of intel we need to be sharing with each other. We don’t need sales guys selling us the latest and greatest tool in cyber. We need to be learning from real-world examples. We need to be learning from each other’s mistakes so we know not to make the same ones. It’s this simple practice that makes cybersecurity seem more real, because it hits close to home.