News feature: Simulated attack, lessons learned on all sides

A quick word of caution: don't employ security journalists to secure your enterprise; they are no better at information security than those they criticise.

In a condensed but reasonably realistic simulation exercise at F-Secure, groups of international journalists took on roles ranging from senior management to the Computer Security Incident Response Team (CSIRT), the IT management team, the regulator, an outsourced security provider (FSC – Full Spectrum Cyber) and, of course, the press, at a fictional company, Comsec, which was the subject of a major data breach. The attacker was leaking Comsec's intellectual property and claiming on public forums that Comsec was shipping flawed software to its clients.

Ironically, communication failure was one of the main areas in which the journalists fell down, along with a lack of clearly defined responsibilities, which led to duplication of effort, and, of course, the absence of a well-practised breach recovery plan. Apparently all of these flaws are typical of management at medium-sized companies. Larger enterprises tend to have already taken seriously the likelihood of being breached, while for most companies a breach still comes as a shock, despite breaches being in the press every day.

As well as looking for the tools and people to produce the answers demanded by management, the press and the public as to how and why the breach happened and who was behind it, communicating the message quickly became an issue in itself, as adverse tweeting tended to distract from the prime tasks of containing the breach and maintaining services. To be fair, the journalists did not fall into the trap of spending too much time chasing a culprit and seeking legal redress; they did concentrate on those prime tasks and did not waste much time on a simultaneous spam outbreak and other lower-priority diversions. Likewise, the regulator was kept informed, and data from infected workstations and servers was captured before those machines were isolated, preserving evidence for the investigation.

Unfortunately, fictional staff had not been instructed not to tweet about the incident, and started complaining publicly about servers being down or responding to the attacker's tweets. Such posts are a real source for journalists, so presumably one we should have prevented. In an amusing report-back, when the CEO of the fictional company (played by the actual CEO of F-Secure, Samu Konttinen) asked the management team to bring him up to date on what had happened, they reported that, among other things, they had sent out a press release, to which he responded: “Without running it by me first?” In addition, the management team and the IT team each sent independent reports to the regulator, with senior management reporting that the attack had been isolated and IT management explaining why it hadn't.

It did give the journalists a new perspective on the rationale behind corporate news management, and on the errors that can be made even when ‘management’ know full well to release only information they know to be true and accurate.

Talking to SC Media UK after the exercise, Jyrki Tulokas, executive vice president at F-Secure, described the benefits of these simulation exercises both for his own company's activities and for those of its customers, and explained how F-Secure came to be involved in this aspect of the industry.


Tulokas explained, “For customers the exercise shows how different security is today. Customers often come away understanding how poorly prepared they are for cyber-security, but also for any crisis management. For publicly listed companies there is more understanding. But for mid-sized customers it's often more of a challenge and can be eye-opening.”

Mikko Rontynen, director of corporate product management and marketing at F-Secure, adds, “We do the exercise at all levels: C-level, tactical, and also technical level. This was an example of the higher end.”

Tulokas was asked about follow-up after such an exercise and told SC: “We do give general recommendations for a playbook, but often they need defences for the particular threat to that customer, and we can help in certain areas, which means it also drives our product sales. But the next course of action usually takes a while.

“F-Secure also learns from the exercises. The whole logic of us selling technical security assessments began two to three years ago. We started to get a boom in customers saying, ‘We think we have been breached, can you help?’ and at that time we didn't have any customer-facing teams. But NSENSE was a team of Nordic investigative consultants we had worked with, and when they went to customers, they needed to get different logs and there was no one place to investigate, so we thought there must be a better way to immediately see where you have been breached, and have the evidence. So we learnt a lot from those customer cases: how the attackers got in, what happened. And the more difficult it was, where we had never seen this way of doing it and had not seen this attacker, the more useful it was for us, and it's very interesting for customers to see who it was.”

The importance of attribution varied depending on the company, with financial institutions particularly keen to understand where the attack is coming from, who is behind it, and whether it is potentially someone who can be pursued with law enforcement. If it is industrial espionage, is it a competitor? The data gives an idea of which country is involved, whether intellectual property is being sought and where it is going. As ever, it is hard to prove who is behind what. But there is always some evidence in what the attack code looks like: the same code, and the same methods, tools and tactics, can provide a probability of who is attacking rather than absolute certainty.

So where are the attacks coming from? “There are a range of attacks, usually from the East; how far East varies. Most industrial espionage appears to come from China rather than Russia, where a lot of criminal gangs are based, in Eastern Europe and Russia.”

There were no great surprises in the main concerns, with the largest volumes relating to email phishing of staff, CEO phishing and financial fraud. Malware and fileless attacks also matter: ransomware is the biggest overall, while fileless attacks are fewer in number but more sophisticated, and are mostly cyber-espionage or nation-state attacks.

Rontynen noted that the priorities do change, saying that according to F-Secure's segmentation surveys, “the top three concerns at the start of the year were, number one, stop data breaches, number two, block ransomware (the same as the previous year), while new, up from 11 to three, was detecting things that have been able to get into our network, even from mid-range organisations.”

Tulokas suggests that GDPR will make the volume of espionage and nation-state attacks more visible, because its mandatory breach notification means organisations will have to disclose that they have been breached, whereas now they often keep it quiet.

A problem with GDPR for smaller companies is that they cannot afford the tools for efficient threat detection on their networks; Tulokas says F-Secure is looking at even more automation to bring prices down. GDPR is also expected to create more demand in enterprises for cyber-intelligence, to find out who is potentially going to attack them in future, with financial institutions in particular trying to predict what the next thing to hit them will be.

SC asked about the issue of conflicting regulations in different jurisdictions, and Tulokas described the acquisition of a UK consulting company as ‘interesting’ because of the quite advanced accreditation schemes in the UK. “That doesn't exist in many countries, with no stamp to show you have been doing assessments, but we think we will see more accreditation of customers as a result of GDPR, and insurance companies will also want to see accreditation. The downside of accreditation is that customers can become complacent, asking who will badge them the cheapest, not looking for good security but a stamp of approval. But accreditation is a healthy direction and we can expect to see the consumer better protected.”

Financial restrictions are also recognised as a challenge for local government, and Tulokas recommends that they “will have to think carefully about not building their own systems but taking things that are already available [thus easier to secure], with more cloud usage and so on, as cloud is [usually] more secure. That's where it's going now, if you understand that cloud offers a better way to do it than your own security or own data centre. They offer security way beyond what a normal company can do.”

Rontynen pointed out that even smaller companies now need to take cyber-security more seriously: five years ago they may have got by with just AV and a firewall, but they can't think of it like that any more. Part of the reason is that larger companies need to secure their supply chain. “Larger companies always demanded certain measures by suppliers, but that's increasing now down to smaller players, and if the supplier doesn't have security built into their infrastructure they will be struggling as they now have to take security more seriously,” and will likely have to seek outside help.


Another concern for the future is the use of AI and machine learning by criminals. Tulokas says, “Technically attackers will benefit more from AI, creating self-learning systems to create an attack better than before, find a new way into a company,” however he adds, “Eventually AI will be so good that it will fully be the basis of detection and response. Gathering data is the only way to understand what is happening in the organisation and [cope with the] need for different data from different sources.” Tulokas also agrees that AI is currently quite hyped, as “it is results that are needed, whereas the technique used is not that important.”