IBM X-Force simulates worst-day scenario

Scott Neil  – The Royal Gazette, December 12, 2019

A worst-day scenario played out for delegates at a cyber-risk event who took part in a simulation of what to expect when a cyber incident hits, and how to protect and defend themselves.

They learnt skills and approaches that work best in protecting against and dealing with cyber incidents.

Chris Crummey, a cybersecurity expert, and an executive director of X-Force Command IBM Security, was in Bermuda to help present the one-of-a-kind immersive cybersimulation at the ICRMC conference.

He helps customers prepare for their worst day and did so at the conference by letting attendees feel what it was like to be in the middle of an evolving crisis.

Those in the gamified simulation played roles that would be found in a real cyber fusion centre — an advanced version of a security operations centre.

Mr Crummey said a cyber fusion has a business response, not just a cyber response.

During the simulation there was someone playing the role of legal counsel, someone as HR, some as business executives, someone as cybersecurity team, and someone as comms and PR.

There are two distinct sides to a cyber incident. One is the technical side of the equation, where most customers spend their time. However, much of the eventual damage occurs on the other side of the equation: the business response.

Kurt Rohrbacher is the North American lead for the IBM X-Force Iris team, which provides incident response and intelligence services.

“When our clients have a breach, whether ransomware or targeted attack, we come in and respond and be the forensic team on the ground,” he said.

He ran through the best practices to mitigate risk from the technical side of the equation. They are:

1. Security hygiene. The blocking and tackling that most organisations should be doing. He said: “Things like vulnerability and patch management. Are you patching within a reasonable time frame? The WannaCry patch is two years old, but I’m still going in to clients and finding they have not patched that.”

2. Asset inventories. “Do you know where your assets are, where your endpoints are? How many highly privileged accounts you have?” he said.

“You’ll be surprised how often we find a system that’s compromised and we ask a client what is this, and they say they don’t even know. They don’t know who owns the system, what its function is.”

3. Network segregation. This is a fundamental security control that almost no organisation does well, Mr Rohrbacher said.

He added that WannaCry was a worm that propagated itself automatically. If an organisation had proper segmentation in place to restrict Windows protocols between network segments, it would not have been infected by WannaCry.

4. Multifactor authentication. Many businesses use Microsoft Office 365, but have only a username and password for access, with no second factor. Mr Rohrbacher said a bad guy could get into one account, find out who else is in the organisation and target the “accounts payable” people, sending phishing e-mails from a real account to the people in accounts payable, saying: “Hey, can you process this wire transfer? By the way, I have a new account number, here it is.”

5. Tiered access model. This locks things down in a Windows environment so an intruder can’t pivot to every other system in the network.

6. Endpoint visibility and threat hunting. Mr Rohrbacher said this is probably the biggest security gap he sees. Endpoints give visibility into what is going on in an organisation’s network, and are a place where it is easier for security teams to spot unusual activity.

7. Detection and response. “If you can identify the threats and respond quickly, you mitigate the risk of that breach,” he said.

8. Plans and playbooks. Businesses are advised to have a step-by-step plan for dealing with a cyber incident and to practise it extensively.

When it comes to the business response side of the equation, many of the recommendations are for things you should stop doing in a crisis.

Mr Crummey gave the example of Equifax, the consumer credit reporting agency that suffered a high-profile cybersecurity breach in 2017.

He said the company’s Twitter account was operating seemingly unaware of what was unfolding elsewhere as the breach took its toll. He said the marketing team was not even aware they were in a crisis.

It got worse when a website regarding the security breach was created by Equifax, only for a similarly named malicious site to go live too.

“The internal marketing got confused and they copied and pasted the malicious site into Twitter, who sent it out over and over again,” said Mr Crummey.

“That means they are on their heels. That’s why we want you to train like you fight, and fight like you train.”

He contrasted this with mechanisms at IBM where, when a crisis occurs, marketing stops, sales stop, and executives cannot buy and sell stock.

Mr Crummey ran through the top things learnt from the popular simulation exercises conducted by the IBM X-Force team to teach businesses and organisations where they are at risk, and how they can improve security and crisis response.

Among his advice was a focus on culture and shared fate. “Culture needs to come from the executives down. Culture is how your employers feel,” he said, while shared fate was about recognising that it’s everyone’s job, not only the cyber team’s job, to be part of the cyber defence. He said one of his favourite moments was seeing a cybersecurity customer wearing a T-shirt bearing the words “You are the shield.”

Mr Crummey said IBM lowers its risk with safeguards, such as not allowing employees to use USB sticks, requiring them instead to use the cloud platform Box to share files among colleagues.

“All e-mails have the word ‘external’ on it if they are coming from outside, [in order] to lower the phishing attempts,” he said.

“I use Face ID to authenticate into the cloud, which is unbelievably quick.

“What they are doing is dramatically increasing security, but making it easy for me to do my job.”
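The “external” tag Mr Crummey describes is usually implemented as a mail flow rule at the e-mail gateway. The following is an added example for Exchange Online, not IBM’s own configuration; the rule name and warning text are assumptions, and the cmdlets are from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the article or IBM): tag inbound mail from outside
# the organisation so staff can spot phishing and spoofed "internal" senders.
# Requires the ExchangeOnlineManagement module and an Exchange admin session.
Connect-ExchangeOnline   # interactive sign-in; skip if already connected

$ruleName = 'Tag external senders'   # assumed name

# FromScope NotInOrganization matches senders outside the accepted domains;
# SentToScope InOrganization limits the rule to mail delivered to internal users.
# The exception stops "[EXTERNAL]" piling up on long reply threads.
New-TransportRule -Name $ruleName `
    -Priority 0 `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectMatchesPatterns '^\[EXTERNAL\]' `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerText '<p style="color:#a00"><b>CAUTION:</b> This e-mail came from outside the organisation. Do not click links or open attachments unless you recognise the sender.</p>' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Comments 'Marks mail from outside the tenant to lower the success rate of phishing'

# Confirm the rule exists, is enabled and has the intended scope.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject
```

Send a test message from an outside mailbox after creating the rule and check that both the subject prefix and the banner appear; a reply to that message should not gain a second prefix.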

He said the company had moved to 15-character passwords, and everyone is given a password manager that they can use for both their personal accounts and their IBM account.

“Why 15 characters? Because it takes 300,000 years to brute force break a 15-character password,” he said.

In conclusion, he said: “Make sure that everyone in your company is the [cybersecurity] shield.”
