Defensive Cyber Operations: Ground Zeroes

In an era plagued by thieves, criminals, and script kiddies, the need for securing information has increased exponentially. The market is teeming with products that are advertised to adequately secure your systems, data stores, sensitive information, etc. independently or in tandem with a bevy of other products. In the modern business world, global, interconnected networks pose a need for secure operations platforms and vehicles (confidentiality, integrity, availability).  Absence of these crucial platforms and vehicles could have a significantly adverse impact on an organization, especially as the world becomes more reliant on these networks to perform their intended functions. Systems administrators, programmers, security analysts, computer scientists, etc. are integral to preserving the functionality, efficiency, and security of these networks, as is constant maintenance and monitoring.

A common misconception is that an attacker of a computer or network, or ‘hacker’, is a special kind of computer wizard – this is not always true. Some scripts and viruses can be used maliciously by almost anyone that has a basic working knowledge of computers, provided they know whom they are targeting. In fact, 99.9% of exploited vulnerabilities were compromised more than a year after the CVE was published, meaning that known vulnerabilities still exist long after they are discovered allowing attackers to easily breach your network. The root of the problem stems from inefficient or inadequate patching to prevent attackers from exploiting obvious holes in your networks.

A breach of a network can lead to high-profile losses, rampant media exposure, and damage to client, customer, or investor confidence. For instance, a large healthcare provider experienced an attack in which 80 million clients had their personal information exfiltrated. The compromised information was substantial enough that the organization had major concerns about identity theft for its employees and clients. Social Security Numbers, dates of birth, employment history, and email addresses, and other personally identifying information (PII) was compromised. The breach cost the organization more than $100 million. On average, the cost of a data breach for an organization is $6.5 millions with an average cost per record of $154. However, when dealing with healthcare the cost per record goes up to $363 per record.With this constant, very real threat in mind, how can one defend their network and sensitive information against external threats?

Defending your Business against Cybercrime

Most businesses have an Incident Response Plan (IRP), which dictates the actions that network administrators should take in order to secure their system in the event of an attacker. However, even the most concrete plan may fail under duress. Panic might hinder the defense, or the attacker may exploit a previously unknown vulnerability to which the plan has no response. An organization’s Disaster Recovery Plan (DRP) may not account for a particularly disastrous, unforeseen attack and prove insufficient in the face of a real threat. Finally, their Business Continuity Plan (BCP) may rely on assumptions of some semblance of functionality when none may exist after an especially adept and clever attack. While these plans are a good foundation for securing a network and ensuring that financial losses are minimized, the only way to truly gauge your business’ defense and recovery protocol’s effectiveness is to actively test the defense of your network.

Even competent programmers, network administrators and security analysts are not guarantees of security: just because someone understands the functionality or is monitoring network activity does not mean they have the tools, tactics and procedures in place to effectively detect a security compromise or defend against a real-time attack. Without adequate training or procedures in place for analysts, a network attack could go undetected. A lack of experience and exposure to real world attacks in real time could result in hesitance or even self inflicted damage to a network. Currently, the average time to detection for an advanced attack is 229 days. This epitomizes that even in the presence of a planned routine and method of defense, the outcome is unpredictable unless the plan has been tested thoroughly multiple times.

One avenue of network testing could be to hire a penetration testing team. A penetration test is a security-oriented probing of a network, computer or application performed to test for vulnerabilities, which could be potentially exploited by an attacker. Many potential attacks can be discovered in this way before they are used for malignant purposes. However, even a penetration test is not solely sufficient to ensure the security of a system. A penetration tester will test for vulnerabilities, but may be using a test network to ensure no downtime or only testing specific applications. It may not take into account a network defense team, or attacks from many sources at a time. A network that performs well in a penetration test might not maintain that level of security in a real-world environment, where situations will be more complex and unpredictable.

An actual cyber-attack will not just involve network security administrators defending against malicious attackers. Not only does the attack vector have to be identified and sealed off, but the damage needs to be contained through a company-wide effort. Business executives would have a responsibility to ensure that all necessary steps are in place to avoid a future attack, and to reassure shareholders and potential customers who may have had their confidence in the business diminished. The marketing team may have to alter their approach towards consumers because of this reduced trust, and public relations must work to regain that trust despite an attack, such as a leak of personal information, that may have directly affected clients themselves. They have a duty to minimize damage to the business’ reputation and often times with no previous exposure to cyber verbiage or operations.

With this in mind, a more accurate evaluation of a network is a simulation that involves multiple attackers and a network defense team. In these simulations, Cyber War Games, a defender would have certain information that they would like to keep secret and functionally running. Whereas, an attacker would seek to break into the network and gain access to a defender’s information, or to simply halt production services. Cyber War Games differ vastly from penetration testing because they create a more sophisticated, realistic environment that provides a larger scope of security testing and professional training. So with the company-wide dangers and effects of attacks in mind, how do cyber war games address current attacks and translate those into a scenario?

Learning from Real World Attacks

Attacks can be as complex as an embedded script hidden in a file (a payload) or something as simple as sending improperly formatted data to a web server with a username/password field. A web server could be flooded with bogus requests to deny service to its users (DoS Attack) or a malicious email could be sent for the purpose of stealing user credentials (phishing). Ther is a very wide range of potential attack vectors and security flaws that can be exploited. Computers and networks are highly complex entities whose architecture is constantly evolving. As such, vulnerabilities are constantly being discovered, as are new attack vectors both on hardware and software. There is no such thing as a completely secure computer or network, only degrees of vulnerability and/or exposure. Even if a computer network could be considered perfectly secure, the human element will always present heightened risk. According to the IBM Security Services Cyber Security Intelligence Index 2013, approximately 42% of breaches occur due to misconfigured systems or applications. By, allowing the entire organization to experience the effects of a cyber incident we can give an organization the cutting edge over attackers. From realistic simulations for a set of defenders to identify to tabletop sessions with executives, marketing and public relations teams, we can simulate the experience of a real attack while preserving the integrity of the organization.

A security-minded business can protect their network by employing the services of a skilled cyber security professional or penetration testing service to test their network for flaws and vulnerabilities to discover them before an attacker exploits them. By doing so, and subsequently patching and mitigating any vulnerabilities that are found, they stand a chance of minimizing risk to data integrity, data confidentiality, functionality of the system, and financial loss. However, a penetration test is not sufficient to address all the needs of an organization. In addition, the organization would need to send individuals to training to keep up with the current threat landscape and monitoring techniques. Neither penetration testing nor training provide an actual hands-on experience with an active intrusion. As the saying goes, “hindsight is always 20/20” but what if you could get hindsight without costing your organization millions of dollars and loss of consumer confidence? Like attacks in the real world, cyber war-games involve threats from multiple sources and attack vectors at different times of the day and under unexpected conditions. They also crucially involve other parts of the business such as PR who would have a role to play in the event of a breach but are not considered in a penetration test and likely have limited knowledge of information security.  A business with a network that has proved itself to be secure inspires confidence in potential clients who may especially value the protection of their data, such as financial data stored at a bank.  A computer network can take great effort and finances to secure, but the returns on the investment are invaluable from both a financial and confidentiality standpoint.

With a global population that is becoming more and more electronically oriented, the need to stay up to date with the latest in computer security is mandatory. Not only is the population becoming more tech-savvy, but new hardware and software with vulnerabilities are being released every day and the complexity of tech is growing exponentially. A system that was deemed secure five years ago is not a guarantee of a secure system today, even if the hardware and network configuration has stayed the same. New vulnerabilities are being discovered at a lightning-fast pace, and we need to be prepared for the future of cyber warfare. War has changed and he who controls the battlefield controls history.