Why staging a fake attack is only real thing to keep you secure

Being a Northern Californian, you can imagine that the Napa County wildfires in October and November impacted me. Granted that, while I did not suffer the monetary or psychological loss those directly affected by this disaster endured, being just 50 miles of the southern tip of the wildfire for weeks does teach you a thing or two.

For instance, gathering our most “important” stuff, keeping it in an accessible location for a quick exit, sleeping lightly at night, getting N95 masks, keeping our dog inside all day…these were some of precautionary measures I took. And I guarantee you, no mock drill or random alert would have caused me to act the way I did once our family was under direct threat from a powerful and unpredictable predator.

The digital enterprises of today (read: all enterprises), could be threatened any time by similar wildfires…aka cyberattacks. The usual growing number of culprits – insider threats, phishing, denial of service, ransomware… There are precautionary measures that most enterprises take to protect against this – SIEM tools, firewalls, anti-malware, backup, encryption, etc. But when a real-world attack happens and these porous defenses are exposed, heads roll. And the same pattern repeats. A new regime, more tools…

Extending my Napa County wildfire analogy a bit more, what if you were really being threatened – and you had some advance warning. What would you do? Imagine you’re a healthcare facility, and had 24 hours before a ransomware attack was set to encrypt all your patient records, thereby halting all patient care. What would you do? Or what if you were an energy company that was going to be hit with a DDoS attack that would last a week, crippling all your smart energy collection and billing systems? Where would you run?

The big issue with security prevention these days (and in the past, too) is that we keep spending more and more to protect against the attack that we hope never happens.

What if you turn that question on its head? Stage an attack here and now (and keep it staged with a very small team)? You could start with the “you have 24 hours before this attack happens” scenario, and see how the teams react. That day will bring forth all the training (or lack thereof) to prepare for the attack – asset identification, remediation measures, notification planning, compliance and legal ramifications, etc.

Or, panic sets in – people running around crazily not knowing what to do.

Either way, you’ll know where you stand.

For the more adventurous, you can make it even more real: stage an attack without any advance warning. Drives are encrypted and held to ransom, websites (internal ones, preferably) are defaced, customer records are stolen, network connectivity is impacted. See how the systems – both human and digital – respond. And once a semblance of normalcy returns, attack again.

If you think this is too Draconian, the only other alternative to this is speculating what you might do when the attack happens. Confirmation bias would propel us to believe that we are safe (and that our competitors are not). And like the Napa fires, where I thought I knew where all our critical assets were – #wrong – laboriously had to start inventorying the same.

What are our critical assets, how do I bring them together, how long would it take to grab the bags and run? These are existential questions that I never asked until – pardon my French – the shit started hitting the fan.

And this is exactly where most enterprises find themselves today…or worse. Because the fires seem so far away. Acknowledge that you will be hit, sooner than you imagine. Create a fake event – that looks and feels real to most of the enterprise – and see how you respond. It will open your eyes.

Then go back and identify the missteps. Did you not know where your critical assets were? Did you not know whose credentials were going to be compromised, aka your biggest liabilities? Did you not have a policy to disclose when and how customer data – if impacted – needs to be disclosed? Did you know the clauses of a cyber-insurance policy if you had one?

The Napa County fires certainly induced a sense of urgency and alacrity into our household. Keeping that hygiene and discipline in place is a challenge, as the threat of the fires recede. Ditto for the enterprise. Awakening and consistent enforcement is critical. Otherwise we will all get wiped out.