Cyber resiliency – a key to corporate survival (and sleep)

Opinion
Sep 11, 2017
Topics: Backup and Recovery, Critical Infrastructure, Cybercrime

The recent major cybersecurity events – including WannaCry, NotPetya, and most recently, the Equifax data breach – underscore the need for organizations to be able to respond quickly to incidents.


For those of us in the healthcare industry, and I suspect many others, the WannaCry ransomware attack is now referred to as the weekend without sleep. In my organization, a cross-section of folks from all areas spent most of their weekend on long conference calls ensuring that we had the maximum possible protection. Many repeated the same exercise, to some degree, during the more recent NotPetya outbreak.

As we now know, the spread of the WannaCry worm was halted abruptly when a security researcher registered a domain that turned out to be the kill switch. Still, the worm did reach the United States, infecting some organizations.

Now, imagine that your organization was one of the victims, with a few of your PCs infected. How fast would it spread before you could intervene? If a bad actor unrelated to the outbreak were to try to penetrate your network during the outbreak, would you have the bandwidth to respond to that at the same time? If not, you lack cyber resiliency.

If this scenario sounds far-fetched, think again. An organization I am familiar with experienced a similar situation recently. On a seemingly quiet Friday afternoon, they began receiving reports of Internet access latency, followed quickly by complaints that the public applications were unavailable. A quick query of the security information and event management (SIEM) system identified the problem – a Distributed Denial of Service (DDoS) attack was under way. The traffic was coming from a number of addresses in China. The information security team quickly swung into action, working to control the attack and restore service. A few minutes after the attack began, a different system alerted the team to a seemingly unrelated issue – key users were reporting an apparent phishing attack. Some members of the team immediately stepped away from the DDoS response and quickly mitigated the phishing attempt. The actions of this team demonstrated a key aspect of cyber resiliency – the ability to respond effectively to multiple cyber attacks at the same time.

Another aspect of cyber resiliency involves how an organization recovers from a successful attack. Since many in the industry now acknowledge that completely preventing attacks is nearly impossible, an organization must be able to recover its operations quickly following such an event. The key to recovery is good planning in advance, and repeated testing of the plan.

One does not have to look further than the recent outbreak of the NotPetya ransomware worm to appreciate the cost of failing to recover quickly from an attack. According to Forbes, the NotPetya infection at shipper Maersk cost the company as much as $300 million, in part due to extended downtime, causing it to face a quarterly loss despite increasing revenue. What may be worse, however, is the customer ill will generated by such a service disruption.

Achieving cyber resiliency is not an easy goal, but it is possible, and in fact, critical to sound sleep, an organization’s success, and in some cases, survival. Here are some key elements of a strong cyber resiliency effort:

Have a plan

In my experience, many organizations suffer significant delays in responding to a cyber crisis because they don’t begin planning for the event until after it happens. The term “fog of war”, coined many years ago to describe the confusion in the midst of a battle, applies equally to a cyber crisis. There is far too much confusion in the middle of a crisis to devise a good plan. So, don’t wait. Have your plan in place before the crisis strikes.

Test the plan

Once you have a plan, test it frequently. The most practical approach to testing is a tabletop exercise, during which representatives from all involved areas of the organization work through a representative crisis scenario. You will never be sure the plan works until you test it, and you will likely find that it changes after each test.

Communicate

It is important to keep your employees and customers informed about any crisis that impacts them. If they don’t hear from you, they are likely to make up their own explanation, which may be worse than the truth. Keep them informed from the beginning of noticeable impact. Many organizations that survived WannaCry and NotPetya did so because they successfully communicated information and appropriate precautions to their users during the crisis. 

Have a strong operational security team

In my DDoS example above, the organization succeeded because their team was able to focus on two cyber incidents at once. To accomplish this, you need a security operations team that is large and well trained enough to split their focus. If you cannot practically have such a team, this is a good area to outsource to a Security Operations service provider. 

Maintain good backups, and test them frequently

One of the topics often discussed in relation to ransomware is whether it is appropriate to pay a ransom to recover files. This discussion was rendered moot during NotPetya, when it was determined that there was no way to actually pay the ransom and get your files back. Thus, have good backups, and test them – frequently.

Stay plugged into threat intelligence sources

There are numerous sources of good threat intelligence, and reliable information from them is often of great value, not only in anticipating a crisis, but also in having the data necessary to prevent it, or, if the worst happens, to recover from it. There are Information Sharing and Analysis Center (ISAC) organizations for many industries that are particularly helpful in this area.

Bottom line – you can survive a cyber crisis, but doing this will require a good, well tested plan, properly executed, with appropriate communication to affected parties.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO.com. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission-critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
