Friday 8 June 2018

Battle Plans - 5 Missions to Prepare for a Cyber-Attack

Written By Will Lambert


In my previous blog post (The Human Element), I discussed how Security Awareness Training is widely accepted as the best answer to the question of social engineers. Yes, social engineering is now, and will be for some time, the weapon of choice within a cyber criminal's arsenal, but it must not be forgotten that the cyberspace domain offers adversaries a wide variety of weaponry and tactics.
As an organisation, you will need to prepare for all the cyber artillery at an adversary's disposal. I will illustrate the Top Five Missions, which together form the Operation - Cyber Security Training. This Operation is essential to an organisation in fortifying its defences in advance of a cyber-attack.

1. Senior Executive / Board Level Security Training

Mission Objective: Top Brass to Champion Cyber Defence.

Similar to any military organisation, the direction of defence will be set by the senior leadership team. Administering effective training to your top brass, your Generals, Admirals and Air Chief Marshals, will be invaluable in strengthening a business's resilience to cyber-attacks. Board Level Security Training should explain effectively to a senior management team why they need to take the threats presented by the cyber domain seriously. Where appropriate, it should show real-life examples of how cyber-attacks disrupt business, and how the common tactics, techniques and procedures (TTPs) used by cyber attackers have had disastrous effects in both the short and the long term. Stunted business growth, due to customer trust being obliterated after a business has lost vast amounts of consumer data, is just one of the many reasons the top brass should champion cyber defence in your organisation.

Mission Reward: By getting the correct message at the top, senior management will allow reasonable, proportionate and effective preparatory works to bolster your cyber stance. A leader leads by example, not by force.

2. Security Awareness Training
Mission Objective: Ready the Front-line Troops for Battle

Your users, regardless of rank or position, will need to be aware of the risks associated with IT systems. You may well have various walls, fences and access controls (firewalls, email protection, ACLs) at your disposal to aid in the defence of the realm, but battles are rarely won with perimeter defences alone. The boots on the ground, those on the front line who make decisions at the time of attack, are key in preventing the battle in the first place, and effective Security Awareness Training will aid the critical decision-making of your front-line troops. Ready the troops by equipping them with knowledge of dangerous attack vectors and how to protect themselves, and subsequently the business, from social engineers, vishing, phishing, malware, etc. Through this knowledge transfer, your troops will be able to stop an attack before it is realised. According to Verizon's 2018 Data Breach Investigations Report, 90% of cyber-attacks begin with phishing, but not all troops are aware of this common attack. It takes only one soldier falling for a phishing email to undo all of the perimeter defences in place.

Mission Reward: Lowered risk of successful attack through imparting knowledge to boots on the ground of common attack vectors and how to shield against them. Know your enemy, know his sword.

3. Secure Code Training
Mission Objective: Instil Pride and Confidence in Your Insignia

Think about any digital product you build, own, or at least place your mark upon. Whether they be applications, websites or any other software, they will carry your brand. Regardless of coding language, if the code that makes up the digital asset is not secure, it could be vulnerable to attack. Similar to aircraft or warship construction, you will need to train the engineers who build, secure, and lastly review the final product for vulnerabilities. Secure Code Training will heighten the skills of developers in recognising vulnerabilities in code, ensuring that your digital assets are resistant to attack. The number of software vulnerabilities in code can be reduced, but never eliminated. This is due in large part to the trade-off within the CIA Triad: the Confidentiality, Integrity and Availability of your product will come down to what you want your aircraft to do. Your aircraft can be tremendously stealthy, heavily armoured or extremely fast, but not all three at the same time. Don't forget, as with any good adaptation of a software development methodology, Secure Code Review by external validators must be included to provide an extra layer of assurance. It is your insignia on these assets; if one gets shot down, your brand will be damaged, and depending on the magnitude of the attack, perhaps irreparably.

Mission Reward: Secured products are less vulnerable to attack, thus protecting your brand. Prevention is better than the cure.

4. Incident Response Plan Training
Mission Objective: Develop Your Immediate Action Drills

Unfortunately, no matter what you do, some attacks will still penetrate your defences. Immediate Action drills define what your troops, including your top brass, should do when under attack. Cyber attackers have a wide variety of weaponry they can leverage against you, and different weapons will require different responses, or Immediate Actions (IAs), on your part. IAs for a malware attack will differ from IAs in response to a Distributed Denial of Service (DDoS) attack. Incident responses should be carefully considered, with a full appreciation of handling an attack from its inception (preparation, detection and analysis), through the handling stages (containment, eradication and recovery), to its conclusion (post-incident review, lessons learned). Your senior leadership will need to know what role they play in handling a cyber-attack, especially with regard to crisis communications, both internal and external to the business. When under attack, the chain of command can be disrupted, with miscommunication across the net running rampant. We have seen examples of this in recent months, due to a lack of preparedness for a cyber-attack, or even an underappreciation of the level of damage a cyber-attack can inflict on a business. Collectively, these IA drills are referred to as the Business Continuity Plan (BCP).

Mission Reward: Developed IA drills prepare a business in advance of a cyber-attack. In times of peace, victory is paid for in sweat, courage and preparation.

5. Incident Response Testing
Mission Objective: Field Training to Test Your IA Drills

There are 6 methods you can use to field test your BCP:

1. BCP Walkthrough
The most basic form of Incident Response plan testing. This focuses on simply reading the BCP in its entirety to ensure it is complete: a simple sanity check to ensure there are no fundamental shortcomings.

2. Read-Through Checklist
This tests for successful recovery. Usually performed in conjunction with a walkthrough, its aim is to ensure that an organisation can acquire the relevant resources upon which successful recovery is dependent.

3. Structured Walk-through
The structured walk-through test is usually performed with a single team; it allows individuals who are more knowledgeable about the systems and services targeted for recovery to be tested for deeper understanding. Any noticeable omissions, gaps, assumptions, technical missteps, etc. that would hinder the recovery of business systems will be unearthed.

4. Simulation Test / Walk-through Drill
A simulated disaster is posed to the team, to which they must respond and go through the motions of recovering the business. By far the most popular form of field training for most organisations, this type of testing requires representatives from most, if not all, areas of the business, not just team leaders. This field exercise is designed to stress-test your BCP, linking in other elements such as the Business Recovery Plan, Disaster Recovery Plan and Crisis Communications Plan.

5. Parallel Processing
Used in environments where transactional data is key. Typically, this test will involve the recovery of systems at an alternative site from backups. In this type of testing, the primary site is not affected, and end clients should not notice any difference during the switchover that occurs as part of the BCP test.

6. Partial / Complete Business Interruption
The highest-dependability test of all. This type of test involves initiating your BCP as if your primary facility were unable to function. All business functions cease at the primary site, forcing the business to regroup at an alternative site (if available), or to recover systems at the primary site to business-as-usual (BAU) standard.

Mission Reward: Fortify your BCP through exposure and remediation of weakness in your IA drills. Most battles are won before they are fought.

Operation – Cyber Security Training - Summary
This Operation is essential for any organisation to defend against, detect, deter, and recover quickly from cyber-attacks. The training should take the best format possible: face-to-face. This format permits students to ask questions and become immersed in the training, allowing maximum understanding of the weaponry, TTPs and IAs pertinent to the domain of cybersecurity.

"It is an unfortunate fact that we can secure peace only by preparing for war."
John F Kennedy