This scenario has been designed to engage the entire cyber security incident response (IR) team and evolve the IR plan and capabilities as quickly as possible. It includes technical, managerial, financial, regulatory, legal, and public relations challenges.
Take a look at your current IR plan and see if it stands up to this test. An organisation that does not have a cyber security IR plan, or a program, must act as if it has already been breached. If you do not have an IR plan, get one; NIST SP 800-61 r2 is a good start.
- We have already been compromised.
- A well organised, well funded, and technically proficient criminal group has established persistent access to our systems; at this point we do not know who, what, where, when, why, and how.
- They have already mapped our systems and corporate structure. They have access to shared documents including system documentation, and possibly the code repository.
- They have access to our communications and are reading emails and chats, including the emails of senior management.
- They have obtained the credentials of at least one system administrator, and of several employees.
- They may have a “mole”, a compromised employee who can report on ongoing incident response activities and investigations.
- There is a logic bomb that will execute if they lose access, but we do not know where and how.
- They have already exfiltrated some data containing PII of our employees, business partners and customers.
- Once they achieve the final goal — whatever it may be — they will post PII data on the Internet and contact media detailing their “achievement”.
- They will attempt some kind of extortion first, but will eventually release the data regardless of our actions.
- They will choose what data to release and when, aiming for the maximum reputational damage, and prolonging the media feeding frenzy.
- The final attack — and the logic bomb — will likely launch a destructive, possibly crypto-based attack on our systems.
- After the data release, privacy regulators from several countries are likely to start investigations into the data breach.
- Several class-action lawsuits are likely to ensue.
- Incident response will take months and is likely to overwhelm the company’s financial resources; new sources of funding are needed.
- In order to divert cash flow to the incident response, the company will need to suspend some of its usual business activities, and lay off non-essential staff. However, the business must continue in order to keep generating the much-needed cash flow.
- As the media storm starts, the disclosed technical and other corporate details will be used by many other hacker groups — large and small — to prepare and launch targeted attacks. Corporate inboxes will be bombarded with spear-phishing emails, network resources will be under constant DDoS attacks; similar attacks will occur for web application, database, and mail servers.
- As time passes, long hours will take a toll on the IR team and other employees. Morale will plummet: some essential employees will call their headhunters and leave, some will burn out.
- There will be health-related incidents due to prolonged sleep deprivation, stress, frustration, and burnout in general.
- There is more and it gets worse.
Is this realistic, and is it even possible for an organisation to deal with this type of attack? Absolutely, but having a written and rehearsed incident response plan is essential.
I have previously published this article on LinkedIn.