When the sun bursts: responding to global cyber events

The US government was recently hit by a severe cyberattack, SUNBURST, allegedly masterminded by Russian nation-state hackers directly affiliated to the GRU (UNC2452 or Cozy Bear). One of the frightening things about this hack wasn’t its scale or high-profile targets, but that it was not reasonably preventable. Most cyberattacks are triggered by a human error…

The US government was recently hit by a severe cyberattack, SUNBURST, allegedly masterminded by Russian nation-state hackers directly affiliated to the GRU (UNC2452 or Cozy Bear). One of the frightening things about this hack wasn’t its scale or high-profile targets, but that it was not reasonably preventable.

Most cyberattacks are triggered by a human error that enables a threat actor to get a foothold. Take the Capital One breach, for example, where hackers stole the personal information of over 100 million customers. This wasn’t down to a fault with the targeted technology (AWS S3 buckets), but rather the human operators who misconfigured it. In fact, a whopping 90% of last year’s breaches were down to human error.

People make mistakes, and understanding the context and potential reasons for those errors is critical to an organization's ability to learn and improve. But what happens when nobody’s at fault? You can’t implement mitigatory processes, regulations or software if there was no clear error, and you definitely can’t point the finger. You can’t even hold the Board, whose job it is to ensure staff are cyber aware, accountable – and that’s partly what makes SUNBURST unnerving. (That and the potential wider fallout and impacts, of which we are unlikely to know the full extent for some time.)

In 2017 it was easy to look at WannaCry, one of history’s biggest cyberattacks, and say ‘people must do better’. That’s because the perpetrators leveraged a vulnerability using the publicly disclosed EternalBlue hack, which Microsoft had patched in good time. If cybersecurity, incident and crisis response teams in organizations such as the NHS, which lost millions to WannaCry, had had better situational awareness, they would have applied the relevant patch sooner and thwarted the attack.

But there wasn’t a simple way of preventing SUNBURST. There was little, if anything, that could have been done before the supply chain compromise – an unpredictable event – meaning, defensively, everything is now happening post-compromise (or ‘right of boom’). And in the reality of the modern world, where attackers are so innovative, events like this will only increase. Crisis response and recovering stronger are therefore just as important as prevention – and they must be trained accordingly.

OWASP’s Cyber Defense Matrix

As a cybersecurity event moves from the detect to the response phase, people – and more specifically their skills and psyche – become your greatest asset, or in some instances, your greatest weakness. This is summarized neatly in OWASP’s Cyber Defense Matrix, shown above. At a strategic and tactical level following a cyberattack, almost everything is handled by your people, so if their soft skills and leadership qualities are not continuously evidenced, you cannot gauge their preparedness. And this ultimately creates risk. In the case of SUNBURST, we will likely see impacts in the coming weeks spanning some of the below areas:

  • Political
  • Economic
  • Social
  • Legal
  • Ethical
  • Public health/security

With half of all CEOs unsure that their organization could respond to a hacking incident or data breach, organizations must invest in human readiness to respond. And if you’ve got to be better at responding, you have to train and exercise more. Immersive Labs’ Cyber Crisis Simulator drops participants into the middle of crises where incidents begin – right of boom. A browser-based solution, it allows strategic and tactical crisis management teams to train frequently from anywhere, improving soft crisis response skills when dealing with incidents such as ransomware outbreaks, insider threats and data breaches. 

As our Crisis Management and Response Expert, Ben Hockman, says: “Events like SUNBURST should emphasize the fact that technical detection and preventative protection will never be 100% effective. 

“While prevention and avoidance will always be critical considerations for any crisis management framework, particularly in the cyber world where attack surfaces and vectors advance and adapt so rapidly, preparing to respond is equally important as preparing to defend. Part of that is plan and playbook-based, of course, but in this unpredictable operating environment, the ability for executive crisis response teams to intuitively adapt those plans, particularly when an unforeseen event hits, is critical. 

"Practice, repetition and testing of skills such as decision making and situational awareness may not make for a perfect response, but they will certainly help your senior leadership teams navigate crises like SUNBURST and mitigate the impacts of a major cybersecurity event."

It's with this in mind that we launched our SUNBURST-based crisis scenario, Supply Chain Compromise: Too Close to the Sun, which gives your team the opportunity to test these skills in a gamified simulation, thus enhancing your organization’s response to such events.

The scenario is aimed at executive leadership teams and follows the release of our new SUNBURST technical lab series. It focuses on the potential financial, reputational and security impacts on an organization, forcing the player to navigate the risks involved
with turning off vital network systems before all the information is available. Non-technical skills tested in this simulation include communication, effective leadership and stress management.

If you're not already a Crisis Sim customer and would like to see this scenario in action, book a demo with our experts today.

TOPICS
Cyber Crisis Sim
PUBLISHED

22 December 2020

We help businesses to increase and evidence human capability in every part of cybersecurity.