Summary
In this talk, Matt Lovell, CEO and Co-founder at CloudGuard, breaks down the modern dynamics of cyber breaches and incident response. He outlines the evolution of attack techniques over the past six months, focusing on multi-channel threats, privilege escalation and data exfiltration. The discussion highlights three critical questions businesses must be able to answer during an incident: how the breach occurred, whether attackers are still present, and what data has been taken. Matt also emphasises the importance of managing communications with regulators, insurers and customers in the wake of a breach.
Transcript
00:01:54:12 – 00:02:30:02
Matt Lovell
The first aspect of incident response is understanding the nature of attacks. So, lessons from the field here. Attacks over the last six months have evolved at the fastest rate we’ve ever seen them. What do we mean by that evolution? Lots of businesses have incident response plans that cover the core scenarios: a malware infestation, some element of insider threat, a ransomware attack, a sophisticated phishing email, maybe some social engineering in some of the environments we see.
00:02:30:04 – 00:02:53:15
Matt Lovell
One of the big problems that incident response planning actually struggles to deal with, and we need to rethink that mindset, is that most attackers think about this as an omni or a multi-channel event now. It’s a typical distraction technique first and foremost here. So “I’m over here, but actually I’m over here.” The distraction technique is taking place.
00:02:53:15 – 00:03:14:13
Matt Lovell
I need to be worried about what’s over here. And I am trying to absorb the resources, whether it’s automation, whether it’s technology, or particularly if it’s human focus within the business in terms of diverting attention to where I don’t want you to be looking. The other scenario here, within the first lens, is actually how attackers try to evade.
00:03:14:15 – 00:03:44:08
Matt Lovell
Some of the most recent sophisticated attacks that we have seen have been omni channel. They’ve involved some element of vulnerability exploitation. They’ve taken into account some aspect of social engineering, and how those are combining together to get to people with elevated rights or rights that can be elevated through privileged access management and privileged identity management. And again, how you take that attack through the organisation without being detected that you’re there.
00:03:44:09 – 00:04:14:07
Matt Lovell
So, living off the land type of attackers, we refer to them. Or indeed how data can be exfiltrated without a level of detection taking place or evading that detection. And both of those scenarios are one and the same. What we’re talking about here is looking into your existing incident response planning and looking at those scenarios. So, I gave you the headline sort of areas that most incident response plans look at.
00:04:14:09 – 00:04:40:03
Matt Lovell
Very few look at data exfiltration. Very few look at the fundamental questions that get asked when a cyber incident is detected within a business. So very simply, there are three questions as a board, as you know, management and operational control in a business that they’re thinking about when a cyber incident is reported. How’s it occurred? Where did they get in?
00:04:40:05 – 00:05:11:22
Matt Lovell
Are they still here? You know, and that’s a very, very common question that many incident response plans have to be thinking about. And what have they taken? Okay. So, how did they get in? Are they still present? What’s gone? You know, what’s the exposure of the business? The first thing we need to be thinking about is what most incident response plans do. Give you a structure to control the emotion that’s taking place and ensure that you’re methodical in terms of how you’re breaking down, answering those three questions.
00:05:11:22 – 00:05:47:19
Matt Lovell
And let’s not evade the topic here. There is an immense amount of pressure on security teams at this point in time to try to understand what has actually happened or what is happening. To answer the questions from the various organisations that will need to be informed if data has been proven to be taken within the organisation, and even if it hasn’t, it’s still a reportable incident, particularly to the Information Commissioner’s Office and to your cyber insurer, but also to the stakeholders within the business and the customers of your business or your business’s businesses.
00:05:47:21 – 00:06:15:21
Matt Lovell
Those are the key areas we need to be focused on. And most people are saying, what is the level of exposure? And we need to work through that as quickly as possible. But these are really difficult questions to actually answer in most businesses, and particularly most incident response plans that we see day in, day out. The key focus here is let’s anticipate the questions and make sure that the incident response plan really focuses on how we’re going to answer that.
00:06:15:21 – 00:06:35:12
Matt Lovell
Okay. So, we’ve got our framework. What are we going to do to answer those questions? How are we going to validate that? And particularly moving into the next question, which is are they still present? And if they’re evading attack, you know, and continuing to evade attack or communicate with us on the internal or external systems, how are we going to manage that?
00:06:35:12 – 00:07:05:11
Matt Lovell
Another adjunct to the incident response plan that needs to be thinking about those elements. Now, we’ve seen organisations large, medium and small, encounter the same issues. The problem is that in smaller organisations, they may not have some of the licenses and some of the technical capabilities available to them to do some of the things that larger organisations do have at their disposal in terms of functionality and in terms of expertise.
00:07:05:11 – 00:07:25:23
Matt Lovell
So, we’ve got to bring in some additional tools. And that’s problematic, installing in an environment that may or may not be compromised. We need to think through those parts to the incident response plan. Do you bring somebody in? Are you going to default to the partner’s or the incumbent provider’s incident response plan? And again, who’s going to run that?
00:07:25:23 – 00:07:47:05
Matt Lovell
Who’s going to control it? Those are the things that are really, really key. What we see is, most organisations will obviously adopt the expertise that’s been brought in, whether it’s through your cyber insurer or through a recommendation. But again, these are really important things for businesses to be thinking about. The third aspect of this is what have they taken?
00:07:47:07 – 00:08:13:15
Matt Lovell
What we need to be thinking about here is, “where are the likely channels of exfiltration?” So, file copying services, any kind of physical, if you’ve still got on-premise services. Email, it’s obviously a very common environment. As is sort of shadow IT systems that have obviously other file services connected to it or platforms that transfer data as well.
00:08:13:15 – 00:08:54:10
Matt Lovell
And we’ve seen that with the MOVEit issues a few years ago. More and more organisations, particularly in financial services, particularly in legal services, business services, need to be thinking about the ability to have secure independent file transfer capability outside of email within this scenario. Most incident response plans don’t necessarily focus on what if we can’t confirm that there isn’t presence still from the attacker within the business, particularly if you’ve got tens of thousands of employees here or people have multifunctional roles, as lots of people do in businesses today.
00:08:54:12 – 00:09:36:21
Matt Lovell
And again, what is normal behaviour? And you’re trying to break this down to understand what is normal business behaviour or not suspicious? What is suspicious? So, you can go and investigate that. There are a lot of data points to be thinking about here. And again, most incident response plans don’t actually take that into consideration. They’ve got the headlines towards it all, we’ve got some simple tests that we can run, but they’re not looking at how the business is going to minimise the impact and look at safe operations whilst we are in this interim period of risk. Then we have to validate what data has been taken.
00:09:37:01 – 00:09:59:14
Matt Lovell
We’ve got to have some form of audit trail. Some businesses have logs available to them, some don’t. We’ve got to look at that and we’ve got to find some way of validating it. There are many bad actors out there who will allude to having data. And, it’s actually really quite challenging to prove whether they do have the data they say that they have.
00:09:59:16 – 00:10:29:06
Matt Lovell
And indeed, when it was taken. Okay. And what route has been exfiltrated through. It could be insider risk and that includes, you know, everything from physical transmission of data to obviously a snapshot or photograph, some form of digital imaging that takes place on the third party device, which is outside of your control. What we do have to be thinking about there, from a security point of view, what data does that involve?
00:10:29:06 – 00:11:00:01
Matt Lovell
What’s the sensitivity of that data? What’s the impact to customers? What’s the impact to the individuals involved within that, and how are we going to help and how are we going to manage that situation? There’s an awful lot of questions around data exfiltration management that need to be included inside your incident response plan. If you don’t already do that, then please feel free to reach out to us or any other cyber services provider that has expertise in this area that can help you move that forward.
00:11:00:03 – 00:11:22:00
Matt Lovell
The key part to this is making sure that firstly, the people involved in doing that analysis within your business really understand that data and understand the user behaviours, because that really helps in ascertaining whether or not something is suspicious and where data may have left the business, whether it was, you know, done maliciously or not within the business.
00:11:22:00 – 00:11:46:12
Matt Lovell
And there’s obviously accidental human error that does take place within businesses from time to time. And again, where that data has been copied to and who, you know, may or may not have that data. There are many areas of the dark web that we can’t monitor. And they may be, you know, marketplaces that most of the search engines don’t necessarily have access to or they’re new and they’re very restricted.
00:11:46:12 – 00:12:14:04
Matt Lovell
It isn’t always immediately clear whether or not data has been exfiltrated. And you know that there is a reference point on the dark web, or anywhere else for that matter, as to the fact data has left your organisation. That isn’t a reliable mechanism to base any judgment on, and I have to say that. I think most importantly, the business will be trying to understand this as early as possible so it can manage customer communications.
00:12:14:04 – 00:12:35:00
Matt Lovell
Customers are very, very eager to understand, you know, what has taken place and what data has potentially been exposed, you know, to other people and what the impact to customers is. And we’ve seen that with a range of attacks that have taken place over the last six months. For us, it’s about very clear risk communication to customers.
00:12:35:01 – 00:13:02:05
Matt Lovell
Being very specific about the type of information we think that has been exfiltrated and the impact to the customers, and making very clear recommendations. The majority will say password resets, monitor for suspicious behaviour yourselves. There’s always an elevation to some other form of attacks. Largely phishing to those customers. But there can also be attacks in terms of how system data gets aggregated on the dark web.
00:13:02:05 – 00:13:28:20
Matt Lovell
The more information is exfiltrated from different attacks, the more information gets concatenated in much larger databases where they will correlate, say, a primary field like an email address, personal or business-related, and then you may collect a number of passwords. And what they’re trying to do is use AI, automation, generative techniques, in order to build up a deeper history of password complexity and different passwords and systems.
00:13:28:20 – 00:13:55:14
Matt Lovell
They might do a spray and pray type attack with that information. They might do a brute force attack on organisations. And we commonly see that. A secondary activity that takes place through supply chains, for example. They’re all very key points to be looking at in terms of incident response. As I say, if you would like more information or would like to talk your incident response plans through and perhaps gaps and have an assessment of that, please feel free to reach out to us at CloudGuard.