Breaking down a hack

In October, we debuted the ‘Anatomy of a Hack’ session at Vantage Remixed 2021. Did you watch it? Did you note down the key session takeaways? If you missed it, click here to watch.

Alex Dolan, Kevin Gao (our producer) and I had a lot of fun developing this session. Alex developed the main storyline by drawing on an amalgamation of penetration testing and red team jobs that he had done over a long period of time, so we were able to anonymize any particular organisation in what we were doing and get across the message of how an attack actually works.

We spent a lot of time going through each of the stages of the Mitre ATT&CK framework and looking to see how we could best articulate that stage of the attack and make it clear for everyone. How that part of the attack happens and how it fits into a chain of events that becomes a complete compromise. In describing each part of the attack, we were conscious about trying to provide information that people could take away in terms of how they could respond to that specific part of an attack or provide some insights as to how they would go about defending against each tactic. In essence, a basic step-by-step guide as to how best to defend their environment against ransomware.

Now there are hundreds of different tactics that an attacker could use as part of their chain to gain access to an environment. With the Mitre ATT&CK framework, these tactics and techniques are grouped into 14 categories to help build a clearer picture. That's why we connected our presentation to this framework as we wanted to provide that clarity.

The techniques that we selected for the presentation may not be the actions taken by an attacker trying to breach someone else’s environment, but at least by discussing the groups of attack techniques and how techniques can tie together to create the full chain of an attack we can understand how an attack might look.

What appears to be a single anomalous event could in fact be part of a process that an attacker is using to gain access to your environment, and hopefully the presentation sharpens our senses a little to make sure that we're keeping an eye out for anything that might look out of the ordinary regardless of how benign it might appear.

Training and awareness.

One of the most successful and well-known security breaches wasn't perpetrated this century. It wasn't even perpetrated last century. I’m referring to the Trojan Horse of Troy.

The fact that the Greeks were able to use social engineering to get the soldiers of Troy to open the gates and bring into their city a wooden horse and a small contingent of highly trained soldiers who could then open the gates for the rest of the Greek army, shows that attacks against the human interface have been used for centuries. It also shows that in over 3000 years, we may not have learned a great deal about defending against social engineering.

It seems that most of us are inherently wired to be helpful. From a humanity perspective, this is great. From a security perspective, it can be a weakness. The fine line between helpful and weakness is one that can be moved with appropriate training, and with development of awareness.

Without becoming cynical, we should always assess what we see, what we read and what we hear. This means that if someone asks us for help, we should ask ourselves what risk is associated with the request and are we or our organisation prepared to accept that risk.

A great example of this, outside the cybersecurity domain, is in first aid training. Every three years I visit the wonderful people at Red Cross Education Services for two days to update my first aid credentials. On the first day, they always teach us the DRSABCD acronym. Danger, Response, Send for Help, Airway, Breathing, Compressions and Defibrillation. Always check for danger first. If we see someone lying unconscious on a road, check for traffic before you run to help so that you don’t become a victim too and the first victim loses any chance of help.

We need to encourage our people to think first, then act. Look for training modules and awareness programs that instill the concept of checking for higher than acceptable risk before taking action.

Playbooks for specific scenarios.

When you experience a cyber security breach there are going to be a lot of decisions to be made and a lot of questions to answer. Do we know who it was? What information have we lost? Who clicked the dodgy link? Can I keep using my laptop? When can our customer database be back on-line? Can we just fire up the sales application so that I can get some phone numbers? How long are we going to be down? What order do we start system up? Are our backups corrupt? And the list will go on.

Making decisions under duress creates more stress and this comes at a time when the security breach itself is causing stress. The best solution is to make all the decisions that you can think of when you don’t have the pressure and duress of an emergency hanging over your head.

This will involve taking the time to work through all the issues that you think will come up when you’re responding to a security breach. At the top level, make sure the business has a policy for dealing with a security incident. This should include the roles that must get involved when a security incident occurs and what responsibility sits with each role. This way everyone who needs to be involved will know what they need to contribute before the incident occurs. It means that the response can be underway sooner as well.

An incident response plan also needs to be developed prior to an incident occurring as this will lay the groundwork for all the activities that need to be addressed when responding to an incident. You will need to define things like who is handling the internal comms, who is handling the external comms, who must approve the comms before they are released, when do service providers and third parties get involved, who is the central point of contact, who is managing the incident, what are the processes for rebuilding systems, and the list goes on and on.

Finally, there should be playbooks for the most common or most expected scenarios so that when they occur, you have a checklist to follow as soon as you notice the breach. These are built from the incident response plan and have the specific tasks that are relevant to a specific type of security incident. A Ransomware playbook is one that is most commonly requested because most people believe that ransomware is the most likely incident to impact their business.

The outstanding question is, how do you know you have thought of everything? Test it by running an exercise. Have an independent party call the shots as to what impact the incident is having on your business and follow through your incident plan and playbook to see if it covers all the steps or all the decisions. Better to find out this way than during an actual incident.

Everyone knowing their roles.

We already touched on the issue of roles and responsibilities when we talked about incident response policy, plan, and playbooks but it’s important beyond responding to a security incident.

Having a table of roles and responsibilities for all cyber security functions means that you can be certain that all cyber security activities have been allocated. If an activity is not assigned, then this is a gap in your cyber security defences. This approach is particularly useful for all controls that have a ‘people’ component such as auditing, testing, reviewing, etc.

Assigning responsibilities also assists with the development of playbooks as some of the decision making with regards to which role needs to take responsibility for an activity has already been determined. The development of the playbook can then focus on the specific actions that are required during the security incident. A good example of this is the responsibility for a set of servers, let’s say the database servers. The management of these servers extends well beyond a ransomware incident. So, having specific roles pre-allocated and assigned means the responsibility of who is responsible for managing the database servers during business-as-usual operations and when any kind of incident occurs, becomes clear.

A playbook that is specific for ransomware does not have to define who is responsible for the database servers, it merely needs to refer to roles and responsibilities table.

While it is important for the organisation to know who is responsible for a particular function or asset, it is equally important for the people assigned this responsibility to know what is expected of them. When everyone knows their role and what they are responsible for they can execute their jobs knowing where they will interface with others and where they can hand-off of tasks. Knowing their roles and where they interface with others provides certainty for staff. Without this certainty there will be hesitation, double handling and gaps, and this will in turn reduce efficiency or effectiveness.

Security monitoring

Security Monitoring helps you identify security incidents that can impact your business from the data they send to Telstra. The Security Operations Centres (SOCs) that deliver the Security Monitoring service use the power and scale of big data to analyse the incoming data and look for threats. This technology is also complimented by a team of highly experienced security analysts. So if an incident is deemed suspicious, we contact the customer quickly and we’ll initiate pre-agreed continuity/recovery plan.

So what happens after?

Once the attack has been contained, there also needs to be a plan to recover. This could take weeks or months depending on the impact, but it will flow more smoothly if there is a plan in place for this recovery. And here at Telstra Purple, we do this day in day out… and we have the capability to help you with all of this.

Initially we’d recommend your organisation engages us for a Cyber Security Essentials Assessment where our experienced security consultants will assess the current security posture of your organisation. Responses will be analysed against standards and Frameworks from ACSC (Essential 8 and Top 37), APRA (CPS234), International Standards Organisation (ISO27001), the Cloud Security Alliance (CCM4) and the US National Institute for Science and Technology (NIST CSF). The outcome of this assessment will be a report and presentation describing your current security posture, including key recommendations and actions with our Telstra Purple security consultant.

To learn more or register for the Cyber Security Essentials Assessment, click here to register your details .