When Cyberattacks Act Like Digital Hurricanes
As the United States’ East Coast prepares for the impact of hurricane season, we are reminded of the level of preparation that cyber security teams need to go through to protect their networks in the face of a potential disaster.
The sciences of predicting weather and threat intelligence draw many similarities. Just as meteorologists can see a storm brewing and track its initial movements, cyber threat intelligence professionals can often see a threat campaign emerging. Further, the actual path of a storm and its damage is impossible to predict, much like the difficulty in predicting who will be the target of threat campaigns, what tools will be used, or what the impact will be. Like it is for most uncertainties, weather-related or cyber, preparation is key.
Earlier this year, BluVector’s CTO, Travis Rosiek, wrote a piece for Cyber Security: A Peer-Reviewed Journal called “Chief Information Security Officer Best Practices for 2018: Proactive Cyber Security” where he detailed a better approach to cyber security preparedness in the wake of cyber security attacks. The piece, which you can read the PDF version here, helped us reexamine how security teams build better responses to cyber security disasters. Interestingly, these tactics parallel the preparation we’re seeing in anticipation of this season’s hurricanes.
Data: Predicting a hurricane’s path is no easy task, so meteorologists leverage a variety of weather models that rely on a massive amount of data to make predictions about how a hurricane will move and grow. These models often use machine learning to adapt models to previously seen hurricanes, improving prediction capabilities over time.
Similarly, with a cyberattack, having as much data as possible about an impending threat early on enables security teams to better understand and prepare for the threat. Solutions that leverage machine learning to learn from the behaviors of past attacks can also help organizations predict and defend against incoming threats, even if they do not exactly match previously seen events.
Target: As we’re seeing in areas most likely to be affected by hurricanes this season, a critical first step is physical preparedness. Officials are removing people from high-risk areas and preparing for power outages and food shortages, so as to minimize the impact the storm has on the regions’ most valuable assets: their people.
In the cyber realm, there are numerous ways organizations can prepare for potentially damaging threats. One of the most basic and essential tactics for reducing threat risk, however, is regularly backing up critical data stores. While organizations must also worry about data leaks and not just destruction, this backup process ensures companies can survive most business continuity disruptions caused by cyber threats.
Protection: In a hurricane, sea walls and other tools might reduce the initial surge of a storm, but there’s often just no way to stop all the damage. Therefore, areas likely to be impacted must develop a responsive infrastructure in order to stop or reduce the damage, using secondary protection techniques such as effective storm drainage.
In protecting against a cyber-attack, a firewall might hold back the attack’s surge, but like a sea wall, it often isn’t sufficient. However, having a secondary level of protection behind that wall can greatly reduce the damage. When organizations take a proactive approach toward addressing these risks, such as by investing in tools specifically designed to pick up on threats that bypass the first layer of defense, they are often able to prevent the damage entirely.
Duration: The winds generated by hurricanes can cause a massive amount of damage during the first few hours or days of the storm. However, it is often the longer-lasting flooding and standing water that cause the greatest amount of long-term damage. Roads, homes, and other infrastructure are no match for this length of abuse.
When it comes to cyber, an initial attack can be devastating, but more often than not, it is threats that have achieved significant dwell time that cause the most damage. Dwell time is calculated as the amount of time a threat remains active within a network or computing device before it is detected. The longer the attack is live within a network, the greater the potential impact due to data exfiltration, lateral movement, or other malicious actions.
Response: Whether in the case of a hurricane or a cyber incident, the response can spell the difference between an inconvenience and a catastrophe. In both scenarios, responders must make split-second decisions with less than perfect information. When it comes to hurricanes, this may entail sending emergency medical resources to one area versus another, without having boots on the ground to provide recon on affected regions.
For cyber incident responders, relevant context and prioritization is absolutely critical to effective response. To gain this context and prioritization, organizations must invest in solutions that correlate detection data with supporting information throughout their environment. With this accurate information, a security organization can rapidly respond to the highest priority threats before damage is done.
Cleanup: After the event has occurred, the critical activity of cleanup begins. This is a time to assess what caused the damage, where the damage happened and where to put any available resources. For those who have experienced hurricanes before, they know this is where leadership matters most. Having the right direction and course of action is crucial to the speed of cleanup and the ability to better prepare for these types of events in the future.
So too is it the case with cyber security, where the head of a security organization must determine how to remediate any damage sustained in a security incident, and what preparations are necessary to protect against the next attack.
Hurricanes have the tendency to be much more dangerous than a cyber event. They put lives at risk, destroy homes and damage physical property. Our thoughts go out to those who have prepared their areas to face these storms, as well as disaster management leaders, first responders and anyone else affected by hurricanes.