Recently as part of my day job, I was afforded the opportunity, no pun intended, to speak on one of the panels at the Risk and Opportunity Forum presented by Drake University.
I first off have to say that it was a wonderful experience. Prior to the actual event, myself and the other panelist would talk to think through the questions we wanted to have asked that would bring the most benefit to the panel itself. During this we had ran through multiple different questions and then settled on the ones provided. What didn't occur to me during that time, was just how much I should have asked for the random things that popped in my head. I wish I had.
I wanted to give some additional flavor to the questions that were asked and provide a written word/answer what the questions from my point of view that I could expand upon. So below is a list of the questions and my answers to them, both paraphrased from the video and additional flavor. I have also linked the video so you can see the entire panel and get a non-technical answer to the same questions.
Questions from the Moderator
Question 1: What is the size and frequency of cyber attacks and what it means for an organization?
Paraphrase: If is when and not if a company will be attacked and there is no industry that hasn't been affected. While we have a lot of numbers about the size of cyber attacks, that relies on the requirement for notification to the public/clients about the attack for those numbers to be available. As time goes on, it is getting easier for both attackers and defenders to make there actions (AI helps with this) so it will just speed things up.
Additional Flavor: Something else I should add, recently the SEC requires that any cyber attack must be reported within 4 days and that will really change things. With that though, there was a company recently that was attacked by AlphaV/BlackCat recently targeted a company who did not respond to them and so after the 4 days were up, they submitted the report to the SEC that they had been compromised and these back and forth actions will be something that continues to happen. The SEC requirement was about protecting use and data, not to be exploited by Threat Actors, but the actions will require companies and defenders to make changes to policies and operating procedures to focus on a time requirement.
No matter the size of the company, the frequency is only going to increase as Ransomware-as-a-service becomes more prevalent, and honestly more professional as some of these threat actor groups have marketing and PR teams. These cyber attacks are a companies worse day. There is no other way about it since you might be losing all of your data and then the idea of losing trust of your clients.
Question 2: What are some of the benefits and pitfalls of Cyber Insurance? How can it help mitigate lose and serve as a preventive aspect?
Paraphrase: A lot of my answer was covered by my other panelists. When a client is reaching out to adopt Unit 42 by Palo Alto Networks, my current day job, there is a series of questions that I have to ask them about the incident such as number of host, security applications and hardware, additional security measures like MFA, and when you adopt a cyber insurance carrier, they are going to require you to fill out this information so they can see what their coverage is going to be. Getting your cyber insurance, the biggest benefit other than that security in mind is going to be rate caps. In 2020, I supported a client that was breach twice in the same year by the same people. During the first incident, we spent thousands of hours conducting the investigating all covered by the carrier. Six months later, when we started the second one, the carrier had dropped them and the investigation was limited substantially.
Additional Flavor: I also spoke about a one man show tax preparation office client that I had and being able to support his investigation as well as conduct a table top exercise (An exercise where you walk through an incident and pointing out the good, bad, and ugly that a client is doing during an incident and what might need to change in their Incident Response Plan) that will help him in the future. That though was REQUIRED by his insurance carrier to maintain his policy. I think the panel itself spoke very well about the benefits, but I think that could be the biggest issue that could come op for smaller companies is the additional requirements that are above and beyond the companies ability to handle because priority of effort is needed elsewhere. Also, some of the technical requirements might be beyond the technical capability of the team.
Question 3: What does a breach look like if you don't have cyber insurance coverage?
Paraphrase: Biggest issue during breach is contacting legal who then has to help you shop for a investigation team to help you get through your worst day. Recently there were two Las Vegas Casinos that were compromised and the one that cause they most headache for themselves and their customers was MGM as social media was where the wildfire started with people posting about not getting into their rooms/food because all the systems where tied together and down faster than the PR team could put out a team. The domino affect of a cyber breach last longer than the near future. Conducting table tops that are tailored to the client provides more insight than just a run-of-the-mill event. There is a pretty typical model for companies to acquire other companies and in some cases they don't think through the security posture of the new company. Universities are also a prime target to this as they have connections to government agencies and most likely their security posture isn't the same as say the DoD. For instance the Morris Worm.
Additional Flavor: I really feel like this question was answered well in the panel. Supply chain attacks are getting more common, searching for an incident response team during a breach is a terrible time to do it. So for the love off that your company or team holds dear, please have an incident response plan built before you have a breach and have it include and incident response team that you are comfortable with (This is where a retainer or cyber insurance comes into play).
Question 3: What do you do when you have a breach?
Paraphrase: Do not turn off your machines. When turn off your machines, we as investigators, lose access to volatile data that can have smoking guns or important artifacts of the attack. You can just disconnect it from the network and then follow your incident response plan and contact legal, C-Suite, insurance, PR, and incident response team to start the investigation.
Additional Flavor: I know the next moderated question is going to cover this a bit more, but in general, listen to your incident commander and the IR team before taking additional actions. We know that reporting requirements are becoming a real thing so if you start taking actions without their direction, you can cause yourself to lose access to information needed by the SEC, Insurance carrier, or your clients.
Question 3.5: With the FBI saying you should never negotiate with threat actors, how does a cyber insurance carrier handle that action? (Random question from me to a panelist)
Paraphrase: A company might not have an option to not pay because they don't have the backups to restore the data they are missing. Without paying, they are out of business.
Additional Flavor: I mention sanctioned threat actors in my question and what I am referring to are threat actors that have been sanctioned by the US Government as they belong to nation states that we have already sanctioned. For instance, DPRK is sanctioned and so any threat actor group known to come from DPRK you CANNOT pay a ransom to as it is seen by the US Government as aiding the enemy or something to that affect. Typically during negotiations, you are working to help the client survive if they can. So please test your backups so you are not reliant on making that negotiation.
Question 4: What kind of evidence might you find during or after a breach and how might that inform what we do forward?
Paraphrase: As we prep to do our yearly statistics for cyber attacks in the 2023 year, we noticed some changes. Since 2021, typical dwell time in your environment for a threat actor who isn't extorting you is roughly 21 days and on who is extorting you is 8 days. Exfiltration of data is now a couple hours. Everything you do on your computer is logged and collecting that information provides someone the ability to review it looking for malicious activity. Without that collection of rocks, no one will find the exfiltration. That also means don't turn anything off. This removes our ability to identify Patient zero and the initial access. Knowing your baseline allows for you to identify the those anomalies. Speaking from experience, firewalls don't maintain a lot of log data so you need to send the logs to another device to give investigators the ability to find "bad." We can give you a best guess, but that isn't going to be good enough for the SEC and your clients. The risk continues to mount without that forensic evidence. Share your data with your ISAC group, Federal and Local law enforcement. Without that sharing investigations take longer without it and if the industry could have higher rates or won't be able to be covered. The ISAC groups are amazing groups that you should share your information with.
Additional Flavor: No one can provide a true "Lessons learned" report to you without the answers. In 1942, the Japanese attacked Pearl Harbor. If we didn't know how we missed learning about that activity, we would have been attacked again by another foreign nation. You need evidence to sooth the minds of your clients and governance entities. You can sooth them with the maintaining of good logging sources for a good amount of time. What is a good amount of time? Depends on the shop. I personally think that it will be more time retained data is needed the larger you are, which is hard to do since you have to hold more data. For example using made up numbers for easy understanding, a company of 50 people could make up to 500 MB of logs a week, but a company of 5000 could make up to 100 GB of logs a week. Holding 3 weeks of data for the small company is still less than a day of the large company. It gets harder to do, but the importance doesn't change. The larger company just needs to be more selective of what is maintained. As for sharing data, please share it. Someone, like Unit 42, will write a report about it and that helps other companies in and out of your industry.
Question 5: What do you see as an emerging risk for cyber exposure in your individual pillar?
Paraphrase: Human error and supply chains are the biggest issues. You can mitigate a lot of low hanging fruit with things like MFA. Work on phishing training emails that are well targeted as compared to others and help them decipher the ODD things in an email so everyone questions emails that are not expected or changes to known information. For supply chain attacks, pay attention to your vendors.
Additional Flavor: I don't have much to add to this. MFA isn't perfect be any means, but any additional security that is easy to engineer is worth having. For vendors you do work with, please vet their access and apply the rules of least privilege. If you have to give them administrative access for any reason, have all of their actions recorded when that access is utilized.
Question 6 from the Audience: What is a good pass rate for phishing emails?
Paraphrase: Depends on the enterprise. Your internal teams should cheat so that the number of clicks on links in phishing emails looks high, but then a review of actual phishing emails show that the number of clicks is low.
Additional Flavor: My answer is the same. It really depends, but what should be done with any click is retraining and for repeat offenders, a conversation about why they are clicking. My other panelist mentioned loss of access for repeat offenders and I in general like that idea, but if they are unable to work, then they are not going to support the company which means they are going to get fired. We can always train someone better. Continue to train your employees. As a note about internal teams should cheat, I click a phishing link from our internal testing because I wasn't paying attention to an email on my phone. So I missed the obvious give ways. It happens to everyone.
I really enjoyed this panel and enjoyed talking to the people in the audience afterward. I look forward to doing this. If this is a post you enjoyed, please let us know and as we do more, we will do more after actions.
The Official Mimir Cyber Discord Channel. It is the duty of those with knowledge to spread to those who ask for it. This is a place for individuals new or old to the cyber industry to get or provide support for other learning their way forward. No question is too small