by Peter B. Nichol

CIOs step inside the mind of a security hacker

Jun 20, 2016
CIOEnterprise ApplicationsInternet of Things

Security is not a one-time event. Ensuring threat resilience is your duty as a CIO. Reevaluate your company’s security situation often – everyone’s future depends on it.

Does your board question the company’s approach to security? It should. Understanding your opponents can help break the cyber kill chain. Think like your opponent in this multi-player game. Begin with a framework that covers policies, standards, guidelines, and procedures to ensure consistency – earn trust.

Medical and healthcare breaches

The cost of a data breach is increasing The Ponemon Institute partners with IBM to produce the 2016 Cost of Data Breach Study: The Impact of Business Continuity Management (BCM) report. The report analyzed 383 companies, in 12 different countries, across 16 industries including healthcare.  The average cost of unauthorized data access is between USD $149 to USD $167 per record, with the total cost of a data breach ranging from USD $3.7 million to USD $4.29 million. In the medical and healthcare category since January 2016, there have been 158 reported data breaches, according to the June ITRC Breach Report. The Identity Theft Resource Center publishes the ITRC Breach database that is updated on a daily basis and posted to the ITRC website every Tuesday.

Healthcare accounted for 33.4 percent of total breaches in 2016 (as of June 14, 2016), with a reported total of 4.3 million records breached. Healthcare organizations from California to Florida reported data breaches due to unauthorized access including Florida Hospital Medical Group, OptumRx, CVS Alabama Pharmacy, Kaiser Permanente – Inland Empire, MedStar Health, CareCentrix, Blue Shield of California, and Integrated Health Solutions / Bizmatics. If these well-known organizations can be breached, who’s safe? How do organizations protect themselves? 

It’s worth noting that 36 of the medical and healthcare companies that experienced a data breach have not reported the exact count of records breached. CIOs must understand their opponents, break the cyber kill chain, and leverage frameworks that are proven to proactively address the threat of data breaches.

Understand your opponents

Understanding who your organization is playing against is everything. Sun Tzu a military strategist lived in ancient China. He was an active as a general and strategist, serving King Helü of Wu in the late sixth century BC, beginning around 512 BC. Clear definition of your opponents is essential. Sun Tzu in The Art of War stated, “if you know the enemy and know yourself; you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Security is not a single person game. It’s an aggressive team sport, with only one universal rule – don’t lose. Your team is playing a multi-player game that is designed to test your strategy, tactics, and resilience. This game isn’t local. The playing field is global, and the players plug in and out of active status seamlessly. Oh, and cheating is allowed.

Break the kill chain

Lockheed Martin adapted the concept of a kill chain to information security, conventionally a military concept related to the structure of an attack.

The military kill chain model has four core phases, 1.  Target identification, 2. Force dispatch to target, 3. Decision and order to attack the target, and 4. Destruction of the target.

The adapted Lockheed Marting Cyber Kill Chain has seven core phases.

1. Reconnaissance

2. Weaponization

3. Delivery

4. Exploitation

5. Installation

6. Command and Control

7. Actions on Objective

Understanding how a cyber attacker penetrates your corporate security, will help you defend against threats. Remember that during each step in the Cyber Kill Chain you have five courses of action:

1. Detect

2. Deny

3. Disrupt

4. Degrade

5. Deceive

6. Contain

The paper titled Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains was published by Lockheed Martin effectively outlining the Lockheed Martin Cyber Kill Chain. The paper states, “that a kill chain is a systematic process to target and engage an adversary to create desired effects.” Your optimal course of action will depend on the phase of the kill chain in play.

Think like your opponents

The first step in the Cyber Kill Chain is reconnaissance, where an attacker is studying your company’s behavior (harvesting email addresses, social networking, passive search, IPs, and port scanners). The attacker is selecting their targets. The second phase is weaponization. At this phase, the objective is to create an exploit (develop exploit with payload creation, malware, delivery system, or decoys). Nothing has been deployed into the environment at this point, but the exploit is typically employing an automated tool (weaponier). The third phase is delivery (spear phishing, infected websites, service provider, USB). During this phase, the weaponized system is delivered to the targeted environment. The fourth phase is exploitation (exposing a vulnerability to execute code on the target system e.g. malware or ransomware). The fifth phase is installation (installing the malware on the asset and typically this allows the adversary to maintain persistence inside the environment). The sixth phase is command and control (establishing a channel to enable “hands on the keyboard” access inside the target environment). The target system at this point can be remotely manipulated within the target environment. The last and seventh phase of the Cyber Kill Chain is the actions and objectives phase (take action to achieve desired objective e.g. data exfiltration involving collecting, encrypting, and extracting information from the target environment).

The ability to categorize the threat into a phase of the Cyber Kill Chain is vital to ensure the correct course of action. All too often policies and standards are established that sit on a shelf and are not updated (we’ve all seen this).  A perfect example is asking for a security policy, and when you finally do receive it, the last update was stamped two years ago.

Begin with a framework

You’ve been inside the mind of an attacker. You’re armed with the knowledge of the Cyber Kill Chain and the courses of action you can leverage to protect your organization. It’s now time to start your security assessment. Where do you start?

Whether you’ve experienced a threat, breach, or are proactively anticipating disruptions, every approach begins by selecting a security framework. There are many security frameworks to choose from including ISO/IEC 27000-series, COBIT 5 for Information Security, and NIST SP 800 Series. The benefit of using a security framework is that it offers a common language to standardize the approach for addressing threat concerns.

Policies, standards, guidelines, and procedures

Now that we understand how an attacker thinks, we’ll explore the categories of threats and the broad approaches to address security in your organization.

According to the April 2016 Internet Security Threat Report by Symantec, there are six board categories of threats and your security approach should address them all: 1. Mobile devices and Internet of things, 2. Web threat, 3. Social media, scans, and email threats, 4. Targeted attacks, 5. Data breaches and privacy, and 6. Cloud and infrastructure.

Armed with the categories of threats, we can focus on the four steps that provide the foundation for your security program:

1. Policies – high-level standards

2. Standards – low-level mandatory controls

3. Guidelines – recommended, non-mandatory controls

4. Procedures – step-by-step instructions to assist actors in implementing the various policies, standards, and guidelines

Every good security program has these four primary components. The policy is the broad organizational governing document that addresses a facet of your security program. A simple example could be a password protection policy. This password protection policy would include an overview, purpose, scope, policy, policy compliance, related standards or policies or processes, and definitions and terms. The password standard would set board rules for password complexity. Guidelines are a collection of recommendations, non-mandatory controls that help support standards or provide a reference when no applicable standard exists. The standard would reference procedures, for example, the password protection policy. These procedures would include a password creation section on user-level and system-level passwords conformance and reference the password construction guidelines.

Be consistent

When communicating to the board be consistent and use three sound approaches for your security foundation, when dealing with these challenging discussions: prevention, protection, and resilience. 

You’ll be able to handle every discussion on security and guide that discussion into one of the three areas: where your organization is already focusing. One effective “security approach is to prevent a threat from arising in the first place, especially by addressing its underlying causes. When the threat cannot be prevented, security as protection aims to defend against, if not eliminate, the threat. But if we cannot fully protect ourselves from the threat, security as resilience considers our ability to “bounce back” and alter the ways in which it affects our social systems — our ability to adapt to threats that strike us.” The Centre for Security Governance article, Three Approaches to Security helps to remind us, that a layer security approach is a time-proven method for protection.

A layered security approach will help maintain the trust of your leadership teams. Don’t build new processes, leverage existing processes proven to work.

As Sun Tzu had said, “the greatest victory is that which requires no battle.”