
Lessons from the trenches of a cybercrisis rapid response team

Many major security vendors have teams of professionals ready to aid companies under cyberattack. At IBM, calls to the hotline for its emergency response team dubbed 'Cyber 911' have tripled over the past year. Here's some advice from its team for businesses to protect themselves.


When it comes to cybersecurity, almost every company wants to avoid the spotlight.

That’s why, if criminal hackers take down a company’s website by overloading it with traffic or encrypt a company’s files and hold them for ransom, many of them dial “Cyber 911.”

That’s the nickname for the hotline to reach IBM’s global red team of emergency responders for cyberattacks. Across the world, IBM’s teams are ready to dispatch quickly, to almost any location, to investigate Internet-related malfunctions facing its customers or those who cold call in a panic.

The goal is to “reduce the amount of data leaving the organization, isolate the bad people, preserve the information you have,” says Phil Kibler, director of IBM’s Cyber Security Intelligence and Response Team.

IBM is just one of a growing number of major companies offering security and incident response for cyberattacks — for a price. Across the private sector, companies in energy, finance and even retail are finding they need protection from digital attacks but don’t have the resources or in-house technical know-how to do it themselves. So they are turning to vendors, including IBM, Dell SecureWorks and Mandiant, to make sure they’re prepared in the event of a cyberattack and to help them respond if they’re hit.

It isn’t cheap. Engaging IBM’s emergency response team starts at $30,000, and costs vary depending on the time IBM needs to address the issue and the size of the breach. Yet as hacks proliferate, business booms.

“Our joke is, you could almost swap the logo out because many vendors have this offering,” said Rick Holland, principal analyst at Forrester Research. “If you have services in your portfolio and you’re in the cybersecurity space, you’re adding incident response, because there’s so much money to be made.”

In the wake of high-profile attacks on companies such as Target and Home Depot, the number of requests for IBM’s security services has tripled in the past year, Mr. Kibler says.

Top executives are starting to request assessments even before they’ve been breached, adds Lance Mueller, senior incident response analyst at IBM Security Services. “Companies are saying, ‘Come to our environment, take a look, see if we’ve been breached but haven’t realized it — or what we can improve so we don’t end up on CNN.’”

So how, exactly, can companies avoid that nightmare scenario? Even among those savvy enough to call the hotline, there are still some mistakes companies can easily avoid. Passcode spoke with members of IBM’s team to go behind the scenes of one major cybercrisis response center to hear lessons, trends and case studies of data breaches — from those who tackle them every day.

Have a plan — before you need one

Turns out, according to Kibler, that more than half of those who call IBM's hotline do not have a satisfactory plan. “It’s not best of breed; it hasn’t been tested in a year; it hasn’t been updated in six months; or it’s never even been pulled out of the drawer.” IBM and other vendors can help companies develop such plans even before hackers strike.

This is becoming an increasingly attractive option for companies growing more wary of the embarrassment that would come with a breach, according to Mr. Holland, the analyst, who says companies are less hesitant to pay retainer fees they found undesirable just a few years ago. He tells clients to identify their vendors well ahead of time, to avoid a company’s employees “running around like a chicken with its head cut off at the time of the actual breach. The flashing lights are going, stress is high, the scope of the breach is unknown, the board is asking questions you don’t know the answers to.”

At that point, Holland adds, “trying to figure out who you’re going to use and the sourcing components is not something you want to do — you just want to be able to say, ‘Here’s the plan’ and execute that plan. Not come up with your plan.”

If you're under attack, don't send e-mails about it

Often, employees’ first reaction when their networks are compromised is to send e-mails about the crisis.

That’s not smart, Kibler says. The first thing attackers do to find out how a company is reacting is compromise the e-mail system, which lets them stay one step ahead of the responders. “I tell people, ‘Panic is your worst enemy,’” Kibler says. Response plans should specify how to communicate when a breach happens, on a channel the attackers are not assumed to control. When in doubt: Pick up the phone.

Don't try to fix the problem alone if you're not a specialist

When a manufacturer in Mexico noticed one of its devices malfunctioning, it dialed Cyber 911. IBM’s team dispatched quickly to the site and found the device had hacker tools on it, including a password cracker.

But the Mexican manufacturer’s onsite employees accidentally destroyed a lot of potential evidence as they tried to fix the problem themselves, said John Brown, a senior incident response analyst at IBM’s Emergency Response Service. As a result, once the incident response team arrived it was unable to reconstruct what happened or determine who was behind the attack. “It’s really unclear if this was a target of opportunity, or if this was a targeted attack,” Brown said.

Test your systems to find out what’s vulnerable

The manufacturer in Mexico believed the data on its device was behind a firewall and untouchable to any outside hacker — and therefore that the system’s compromise was an inside job. That wasn’t the case. IBM found the critical data was actually not protected and the proprietary information was up for grabs.

“Through regular testing and assurance,” Brown said, “they should have known those files were exposed.”

Ransomware is almost always avoidable

Ransomware is malware that encrypts victims' data until they pay money to get the key. Victims are essentially faced with a choice: Pay the ransom to get the data back, or learn to live without it. A popular variety known as CryptoWall infected an estimated one million victims and garnered some $1.8 million in ransom.

Those victims should take a close look at their behavior. “Ransomware almost exclusively starts with someone inside the company doing something stupid,” Kibler says. “Meaning it was avoidable. If they had not visited a website they shouldn’t have, opened a file from somebody they shouldn’t have, if they did not suffer a spear phishing attack and were duped into clicking something they shouldn’t have.”

Back up your data

Sometimes the emergency responders can reverse engineer the malware to recover the victim’s files. But increasingly complex malware means there’s no guarantee that’ll work.

The responders have some more basic recommendations to avoid having your company’s files seized: Change your password often. Put your cursor over a hyperlink to determine where it’s taking you before clicking it; don’t assume it’s safe. If asked to go to a website, determine whether the sender is someone you trust, and whether the message really came from that person. Consider putting extra tiers of security in place so that certain high-value data is accessible only to privileged users.
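The "hover over the link before you click" advice above can be automated for an e-mail gateway or a user-reported phishing queue. The script below is an added example, not the article's or IBM's code: it parses an HTML mail body, extracts each anchor's visible text and its real `href`, and flags links whose displayed host differs from the host they actually point to, plus links that resolve to a bare IP address. The sample mail body and the hostnames in it (`example-bank.com`, `evil.test`, `203.0.113.5`) are constructed for the demonstration.

```python
"""Link-destination check for HTML e-mail bodies.

Added example (not from the article or IBM). It automates the
"hover before you click" advice by comparing the text a link shows
with the host it really points to. All sample mail is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_host(url):
    """Return the lowercase hostname of a URL (or bare domain), '' if none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(shown, actual):
    """True when both hosts share their last two labels (e.g. example.com).

    A two-label comparison is a simplification; a production check would
    use the public suffix list so that e.g. co.uk is handled correctly.
    """
    return shown.split(".")[-2:] == actual.split(".")[-2:]


def check_links(html):
    """Return findings for links whose shown text and real destination disagree."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        actual = registrable_host(href)
        # Only treat the visible text as a claimed destination when it
        # looks like a URL or domain rather than ordinary words.
        shown = registrable_host(text) if "." in text and " " not in text else ""
        if shown and not same_site(shown, actual):
            findings.append({"text": text, "href": href,
                             "reason": "display text host differs from link host"})
        elif actual and all(part.isdigit() for part in actual.split(".")):
            findings.append({"text": text, "href": href,
                             "reason": "link points at a bare IP address"})
    return findings


# Constructed sample: one honest link, one look-alike, one bare-IP link.
SAMPLE_MAIL = """
<p>Your account needs attention.</p>
<a href="https://example-bank.com/help">Contact support</a>
<a href="http://login.example-bank.com.evil.test/reset">https://www.example-bank.com/reset</a>
<a href="http://203.0.113.5/update">Update now</a>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_MAIL):
        print(f"{finding['reason']}: '{finding['text']}' -> {finding['href']}")
```

Run on the constructed sample, the first link passes and the other two are reported. The check deliberately ignores links whose visible text is ordinary words ("Contact support"), since those make no claim about their destination; a mail gateway would typically combine this with sender verification rather than rely on it alone.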

The clearest way to defeat ransomware, however, the cyberemergency responders say, is to back up the data so you can afford to lose it if it’s locked up.

Attacks can begin with a phone call

The IBM team sees hackers trying to get financial information about a parent company by social engineering their way in through one of its smaller locations. They might call the smaller shop on the phone and say, according to IBM's Mr. Mueller, “‘I belong to XY help desk, and want to help with your computer’ — but in reality that’s just an attacker trying to get in.”

The lessons: If you’re a franchise, do your diligence. Verify the caller’s identity on the phone. Report any suspicious behavior up the chain. If you’re a big company, make sure your leadership and your franchises understand the risks that aren’t always so obvious.

“Most security organizations are really sensitive and conscious about a forward facing threat, what’s coming through the front door, attacking our Web servers and main presence, not necessarily looking at backdoor and franchise,” Mueller said. “That’s exactly what happened with Target.” In that breach, attackers used credentials stolen from a refrigeration and HVAC contractor.

Designer malware on the rise

“This year, we saw malware that has become so specialized it only operates within that customer’s environment,” Kibler says. This makes it much harder for the emergency responders to combat. “If I take that malware from Korea and bring it to Singapore and have my team work on it, they can’t recreate it. Even if they take it to another environment in Korea they can’t recreate it.”

Since the only way to build malware like this is to have a lot of inside knowledge about a company’s network, Kibler recommends changing the network frequently so that such knowledge goes stale. “It’s a cat and mouse game to stay ahead of them — and changing things will help avoid giving them an easy target.”

Build security infrastructure

Brown has been working with a retailer that “got religion” after a credit card breach. But it was so far from its goal of building adequate security infrastructure that IBM put in place an interim Chief Information Security Officer to help the company hire people and choose the right security solutions. Lesson: Company structure matters.

“Generally, you can say that most companies need a CISO,” Brown said. “What is really important is they have an incident response plan that reflects reality. And within that, you have someone who is going to manage the incident at a tactical level — regardless of title, someone who is responsible to respond to a computer security incident of one sort or another.”
