On July 14, 2021, Noord hosted a virtual boardroom event in association with Blackberry. The event consisted of a discussion among senior IT professionals on the realities of being hit by a cyber attack. It was chaired by Roger Sels, Vice President – Solutions at Blackberry, who was on hand to pose questions, steer the discussion and present his company’s expertise on the topic.
Introductions and reasons for attending
Participants were asked to briefly introduce themselves and state their reason for attending or a key challenge their organisation was facing. One attendee was concerned about managing human risk within their organisation, particularly during cyber incidents, when staff are more likely to panic and make mistakes.
Another participant, whose expertise lies in enterprise security architecture, noted that their organisation’s security maturity was improving. They were keen to learn about how other organisations handle cyber incidents with a view to playing this information back to the company’s executives. The impact of cyber attacks on policy was also mentioned by one attendee, who was keen to learn about policy-level changes that could be made within their company to prevent future attacks.
Taking on risk
Attendees were asked about their organisation’s approach to risk, and how this is viewed by senior executives as well as other employees. A representative from the banking sector noted that at the beginning of the pandemic their organisation had been fortunate: 90% of employees already had laptops and there was enough VPN capacity for everyone to work from home, measures which had been put in place following a severe weather incident a few years earlier. There had nevertheless been instances where the company had been forced to relax its rules around the use of certain systems to enable people to work from home, which did entail risk. As the organisation moved to a more hybrid approach, it would therefore need to review that risk retrospectively and decide which roles are too risky to perform remotely.
The point was made that while organisations had successfully adapted to agile working, malicious cyber actors had also adapted their means of attack to exploit new or elevated vulnerabilities. For example, attackers are increasingly using credential stuffing, in which username and password pairs leaked from one service are replayed against another on the assumption that people reuse passwords. Roger added that an increasing number of incidents were starting with out-of-date security equipment. Whereas a year earlier attacks had tended to focus on phishing, there were now large-scale infrastructure attacks as well as credential stuffing, which together had increased the attack surface organisations must defend.
Roger noted that while there was previously a castle and moat scenario – in that organisations had visibility of attacks and could plan for them – devices may already have been compromised in the hybrid landscape of today. He was therefore keen to learn what measures attendees had taken to optimise their security levels.
One organisation said they had ‘split tunnels at best and no VPN at worst’, but spent a lot of time investing in cyber intelligence to ensure proactive monitoring in addition to incident response. One attendee said they were moving away from VPNs because access is brokered through a cloud access security broker (CASB) instead, but others still relied strongly on VPNs, perhaps because their threat models differed. One advantage attributed to moving away from VPNs was that it enables microsegmentation, which offers an additional layer of control.
Incident playbooks and simulations
Attendees were asked whether they have playbooks for the purposes of responding to cyber incidents, and whether they ran simulations. One organisation had been forced to apply their playbook to real-life incidents, which was the best test for these kinds of scenarios. Another had a generic cyber incident plan and was working on defining specific reaction plans alongside it. A couple of organisations assessed themselves against the CBEST criteria, while the point was made that event simulations can create complacency, and that testing staff can actually make them disengage from the topic.
Roger said that organisations naturally want to raise awareness but don’t want to make their employees feel that the security team is out to get them. An approach which tended to work well was gamification, where staff are given the means to recognise risky situations and are rewarded for good behaviour. This behaviour awareness work could be enhanced by risk-reducing technologies, such as software that checks the URLs a smartphone receives for lookalike domains, to counter homograph attacks delivered by SMS phishing (smishing). Another defence against homograph attacks was felt to be password managers, because a manager only offers saved credentials on the exact domain they were saved for. If an employee follows a link to a site that looks like an authoritative one, the login fields on the genuine site will be auto-filled with the individual’s details whereas those on the lookalike will not, giving the employee a cue to tell genuine and fake sites apart.
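The two checks described above, a URL scanner that flags lookalike hosts and a password manager that only fills on an exact origin match, are shown below as an added example written for this summary; it is not code from the event, from Blackberry or from any product mentioned. The vault contents and the URLs are constructed sample data, and the script-mixing heuristic is one simple cue a scanner could use, not a complete confusable-character check.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample vault: credentials keyed by the exact ASCII host they were saved on.
# (Hypothetical data; not from the original page.)
SAVED_LOGINS = {
    "accounts.example.com": {"username": "alice", "password": "correct horse battery staple"},
}


def ascii_host(url: str) -> str:
    """Host of `url` converted to its ASCII form (IDNA/punycode labels), lower-cased.

    A Cyrillic 'а' in 'exаmple' survives this step as an 'xn--' label, so it can
    never collide with the ASCII host the credential was saved under.
    """
    host = urlsplit(url).hostname or ""
    return host.encode("idna").decode("ascii").lower()


def scripts_in(host: str) -> set[str]:
    """Set of Unicode script prefixes (LATIN, CYRILLIC, GREEK, ...) used by letters in host."""
    scripts = set()
    for ch in host:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def homograph_warnings(url: str) -> list[str]:
    """Heuristic cues a URL-scanning tool could surface before the user taps a smishing link."""
    host = urlsplit(url).hostname or ""
    warnings = []
    scripts = scripts_in(host)
    if len(scripts) > 1:
        warnings.append(f"host mixes scripts: {sorted(scripts)}")
    if any(label.startswith("xn--") for label in ascii_host(url).split(".")):
        warnings.append("host contains an internationalised (punycode) label")
    return warnings


def autofill(url: str):
    """Return saved credentials only for an exact, HTTPS origin match; otherwise None."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None  # never offer credentials to a plaintext page
    return SAVED_LOGINS.get(ascii_host(url))


if __name__ == "__main__":
    for url in (
        "https://accounts.example.com/login",
        "https://accounts.ex\u0430mple.com/login",   # Cyrillic 'а' (U+0430) homograph
        "https://accounts-example.com/login",        # plain lookalike, no confusable characters
    ):
        print(url, "->", "filled" if autofill(url) else "NOT filled", homograph_warnings(url))
```

Note that the third URL contains no confusable characters at all, so the scanner heuristic says nothing about it; the password manager still refuses to fill because the host is not the one the credential was saved on. That is the property that makes the manager a useful second line of defence behind URL scanning.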
Internal threat intelligence teams: a thing of the past?
Roger noted that within the next five years it is likely that organisations will move away from having their own threat intelligence teams. While organisations seemingly run different systems, the security problems they encounter are fundamentally similar. One attendee agreed with this view, noting that cyber security has become an us-versus-them issue, in that all organisations are trying to fight the same malicious actors.
Moreover, Roger made the point that adversaries have caught on to the specific systems that organisations use and know how to take advantage of this. The only solution, in his view, is to ensure companies collaborate and consult with one another in this space. Not all attendees were in agreement, however. One noted that while organisations could go some way towards standardisation, there will always be customisations unique to one organisation or another, and the technologies employed can vary wildly.
Honing incident management processes
Attendees then discussed how they detect and respond to cyber incidents. One organisation said that they spent 20% of their time on incident analysis and 80% on threat hunting. However, this model had shifted slightly with the move to home working during the pandemic, so would need to be revisited retrospectively. The point was made that relying on external feeds merely allows organisations to catch what is already known. In contrast, the MITRE ATT&CK™ framework involves looking at the tactics and techniques used in cyber attacks and homing in on one’s ability to prevent, detect and respond to these behaviours as early as possible in the kill chain. One attendee agreed that it is a case of finding out the unknowns, but another felt that the framework was not a perfect system, given that it focuses on past events.
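The contrast drawn above, matching known indicators from a feed versus detecting a technique by its behaviour, can be made concrete with the credential stuffing mentioned earlier in the session. The following is an added example written for this summary, not tooling from the event or from Blackberry: it classifies login failures by their shape rather than by any known-bad IP list, labelling a burst of failures spread across many accounts as ATT&CK technique T1110.004 (credential stuffing) and a burst against a single account as T1110.001 (password guessing). The log format, IP addresses, usernames and thresholds are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical; not from the original page).
# 203.0.113.7 tries one password each against many accounts and eventually gets in (stuffing);
# 198.51.100.9 hammers a single account (password guessing); 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """
2021-07-14T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2021-07-14T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2021-07-14T09:00:04Z src=203.0.113.7 user=carol result=FAIL
2021-07-14T09:00:06Z src=203.0.113.7 user=dave result=FAIL
2021-07-14T09:00:07Z src=203.0.113.7 user=erin result=FAIL
2021-07-14T09:00:09Z src=203.0.113.7 user=frank result=OK
2021-07-14T09:01:00Z src=198.51.100.9 user=admin result=FAIL
2021-07-14T09:01:10Z src=198.51.100.9 user=admin result=FAIL
2021-07-14T09:01:20Z src=198.51.100.9 user=admin result=FAIL
2021-07-14T09:01:30Z src=198.51.100.9 user=admin result=FAIL
2021-07-14T09:01:40Z src=198.51.100.9 user=admin result=FAIL
2021-07-14T09:02:00Z src=192.0.2.5 user=grace result=FAIL
2021-07-14T09:02:20Z src=192.0.2.5 user=grace result=OK
""".strip().splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def detect(lines, window=timedelta(minutes=5), min_failures=5, min_distinct_users=5):
    """Classify each source IP by the *shape* of its failures inside a sliding window.

    Many failures spread over many distinct accounts -> ATT&CK T1110.004 (credential stuffing).
    Many failures against one or a few accounts      -> ATT&CK T1110.001 (password guessing).
    Returns {src: finding}; sources below min_failures are not reported.
    """
    by_src = defaultdict(list)
    for e in sorted(parse(lines), key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, events in by_src.items():
        fails = [e for e in events if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            in_window = fails[start:end + 1]
            if len(in_window) < min_failures:
                continue
            users = {e["user"] for e in in_window}
            if len(users) >= min_distinct_users:
                technique, label = "T1110.004", "credential stuffing"
            else:
                technique, label = "T1110.001", "password guessing"
            # Successful logins from the same source after the burst began are the accounts to reset.
            logins_after = sorted({e["user"] for e in events
                                   if e["result"] == "OK" and e["ts"] >= in_window[0]["ts"]})
            findings[src] = {"technique": technique, "label": label,
                             "failures": len(in_window), "distinct_users": len(users),
                             "logins_after": logins_after}
    return findings


if __name__ == "__main__":
    for src, f in detect(SAMPLE_LOG).items():
        print(f"{src}: {f['technique']} {f['label']} - {f['failures']} failures, "
              f"{f['distinct_users']} accounts, successful logins after: {f['logins_after']}")
```

Nothing in this logic depends on having seen the source address before, which is the point the attendees made about feeds: an indicator list would only have caught 203.0.113.7 if someone else had already reported it, whereas the one-password-per-account pattern is visible from the organisation’s own logs. The `logins_after` field is what turns a detection into a response action, since the account that succeeded is the one whose password has leaked and must be reset.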
Closing of the session
Summing up, Roger shared a report which related to a negotiation between a company hit by a ransomware attack and the ransomware group. The report, which Roger hoped would be a good complement to the session, provided a number of valuable insights into things that companies may not consider when they are under attack.