In talking to cyber security managers, I've recently learnt one of the CISO's biggest fears. It's waking up to find their organization in news headlines reporting a security failure - which they do not have under control.
When asking the question 'what's being done about it?' - one response really stood out. A manager explained that they draft fake news articles about their company, and run them by the security team to test how prepared they really are.
Inspired by this particular approach, I decided to share a version of this exercise that can be used to at least get a sense of where your security investigations weak-spots may be. Below are some fictional headlines based on the top four security nightmares facing CISOs today. Replace YOURCOMPANY with your organization’s name, and consider your answers to the questions that follow:
Headline: Business comes to a halt as all workstations at YOURCOMPANY are encrypted with the latest ransomware
Although an “old” one, this scenario still happens every day. All it requires is a new zero-day vulnerability, and some hapless users who click on an email attachment. Falling victim to this common breach, would you be able to:
- Refer to a crisis plan to restore your machines?
- Identify the patterns of the vulnerability/malware?
- Identify patient zero?
- Ensure re-infections aren’t spreading?
Headline: Leaked HR and Payroll information sparks equal pay outrage at YOURCOMPANY
Depending on your company’s culture - this would not “just” be a personal data breach, but a potential cause of internal tensions if payroll information of all employees became publicly available. Faced with this scenario, would you be able to:
- Identify how the attacker gained access?
- Understand which users or privileges were used?
- Stop the access for affected user accounts, in case exfiltration is still happening?
Headline: Undetected for two years, YOURCOMPANY hosts Command and Control Server for large scale botnet on careers webpage
You may think this one is unlikely as command and control servers are mostly hosted on unknown net-new servers, or websites that have vulnerabilities. However, every registration page your company owns where someone can sign up, upload and download data (such as a CV to your careers page), can be utilized as a command and control server. Bots have even used social media pages in the same way In this situation, would you be able to:
- Look for newly registered users?
- Monitor the standard deviations from the usual frequency or count of logins per user, or the volume of distinct source IP’s by individual users?
Headline: Energy and AWS costs explode due to unnoticed duo malware at YOURCOMPANY
Crypto-jacking for cyber criminals is an attractive way to monetize the infected hosts they have taken over, or cloud environments they have gained access to. Abusing the processing power for crypto mining, if done in a strategically, can stay unnoticed for some time, and often detected when it’s too late. Would you be able to run an investigation by putting a security lens on traditional IT-Operations metrics, such as CPU utilization?
Remember - it's not the headline that CISOs fear, it's not being prepared enough to respond with "we have this under control". So, whether or not it makes the news, would you be able answer these six questions in the face of a security breach?
Most of the answers will be hidden in your machine data, and harnessing all machine data (not just from your security devices) will allow your team to be prepared. Take the first steps in facing your CISO’s fears; start to centralize your machine data today, and learn more about the four easy ways central logging improves your security posture.
Thanks for reading,