Monthly Archives: December 2018

Managing the risk of post-breach or “resident” attacks

Larry Ponemon

Sponsored by Illusive Networks, Ponemon Institute surveyed 627 IT and IT security practitioners in the United States to understand how well organizations are addressing the cyber risks associated with attackers who may already be residing within the perimeter, including insiders that might act maliciously.


All participants in this research are involved in the evaluation, selection and/or implementation of IT security solutions and governance practices within their organizations.

This study starts with the premise that mitigating business impact once attackers are within the environment requires the ability to:

  1. Understand which cyberthreats pose the greatest risk and align the cybersecurity program accordingly;
  2. Proactively shape security controls and improve cyber hygiene based on an understanding of how attackers operate;
  3. Quickly detect attackers who are operating internally;
  4. Efficiently prioritize and act on incidents based on real-time awareness of how the organization could be impacted.

The data indicates that organizations have low confidence in their ability to prevent serious damage from post-breach attacks. When presented with a set of statements, only 36 percent of respondents express agreement or strong agreement that their security team is effective in detecting and investigating cybersecurity incidents before serious damage occurs.

It is welcome news, then, that security budgets are shifting in favor of allocating greater resources to threat detection and response.

For organizations to get to where they need to be is an uphill challenge. While more than half (56 percent) of respondents to this survey believe they have reduced attacker dwell time over the past year, over 44 percent say they have not (32 percent) or don’t know (12 percent). And not all attacks and incidents are equal. The survey also shows that only 28 percent of respondents agree or strongly agree that their security technologies are optimized to reduce top business risks. A recurring theme in this study is that the inability to see and act on what matters most to the organization hampers the effectiveness of multiple functions.

Part 2. Key Findings

In this section of the report we analyze the key findings of the research. The complete audited findings are presented in the Appendix of the report. We have organized the report according to the following topics:

  1. The risk alignment problem between IT security and the business
  2. Current capabilities to preempt, detect, and respond to post-breach attackers
  3. Takeaways: Toward better risk mitigation for post-breach or resident attacks

A. The risk alignment problem between IT security and the business

Comparing a few key data points makes it clear that the day-to-day functioning of IT security is not well-aligned to business needs.

Although 56 percent of respondents say business leaders consider cybersecurity a top business risk, only 29 percent of respondents say business leaders communicate their business risk management priorities to IT security leaders, and only 29 percent of respondents say their security leaders effectively align security with top business risks.

Over 70 percent of respondents say senior leaders do not clearly communicate business risk. Some 71 percent of respondents say they are not informed about what senior managers consider their organizations’ business risk management priorities—important guidance if IT security is to prioritize what’s most important to the business.

Respondents also are not positive that their leadership understands how persistent and advanced threats can affect the enterprise and that IT security controls are not 100 percent effective (68 percent and 65 percent, respectively).

It makes sense, then, that 60 percent also indicate that leaders don’t understand that the risk of a successful cyberattack should be an ongoing concern.

Business leaders appear to be conflicted about the importance of a strong cybersecurity posture—or perhaps leaders don’t understand the importance of a business-aligned, proactive approach or their role in it. When respondents were asked to describe their executives’ views of the importance of the cybersecurity program, the top two responses seem contradictory.

On the one hand, respondents indicate that executives think a cyberattack could pose a strategic or existential threat to their organization (40 percent of respondents), yet given how important cyber risk seems to be, a reactive approach seems fairly prevalent; almost half (49 percent of respondents) say their organizations’ executives think cybersecurity should be addressed on an as-needed basis when problems arise.

The business/security collaboration gap is reflected in many ways. Whether fault for the disconnect lies on the side of IT security leaders, senior executives, or both, only 35 percent of respondents say their IT security leaders are proactively included in planning and decision-making for new technology and business initiatives, and only 29 percent of respondents say IT security leaders effectively align security investments, processes, and controls with top business risks. Other steps not taken are having well-defined criteria for determining when to involve business leaders in responding to a cybersecurity incident or issue (only 30 percent of respondents agree), as well as educating business leaders on cyber risks that may impact their organization (only 38 percent of respondents agree).

Only about half (51 percent of respondents) say their organizations’ executives and senior management respect IT security leaders. As a possible consequence, only 37 percent of respondents say the security team has the support it needs from business teams to design and execute business-oriented threat detection and incident response capabilities.

Respondents say that protecting high-volume private data is not the top concern. Respondents were asked to identify the cyberattacks that pose the greatest risk to their business. Given the lack of communication about business risk, these views may not reflect the views of business leaders, but it is notable that although large breaches of PII, EHI, payment and employee data tend to hog the headlines, these are not respondents’ top concerns. The data indicate that the threat of intellectual property or other strategic information theft—theirs or their clients’—and various forms of disruption are significantly higher on the risk scale.

Also, 60 percent of respondents say the worst consequence of a cyberattack would be the tampering with or compromise to the integrity of their products or services followed by the disruption of their core business network (58 percent of respondents). Threats to executive safety and privacy are also high on the list.

Business leaders lack understanding of the threats. Leaders cannot communicate effectively with IT security leaders or set cyber risk management priorities without a foundational understanding of the threat actors an organization needs to contend with, yet 68 percent of respondents say their executives and senior management do not have a good understanding of how threat actors work and the harm they can cause. Among technical functions, where granular threat understanding is necessary for strong detection and response, organizations fare better, but could be stronger.

Basic asset and access governance are only half-way there. A risk-focused approach also requires a strong picture of where the important IT assets are and who has access to them. Some 54 percent of respondents agree or strongly agree that their security team has up-to-date knowledge of which data, systems and infrastructure components support critical business processes, yet when asked a series of more detailed questions pertaining to asset awareness and change management, respondents rate themselves considerably lower.  The ability to keep pace with rapidly changing users, user functions, and IT infrastructure continues to be a challenge.


Someone (China?) is building an enormous dossier database from all these massive hacks

Bob Sullivan

Perhaps you missed the tantalizing detail I reported earlier that Congressional investigators believe the initial Equifax hackers entered that company’s systems with computers using IP addresses in China. Or The New York Times reporting that U.S. authorities now blame China for the hack on Starwood / Marriott. You probably forgot that the devastating hack of the Office of Personnel Management systems has also been blamed on China. And you probably forgot that the hack of Anthem, the health care firm, was also blamed on China.

Combine all that information, and one thing seems disturbingly likely: There’s a big dossier database in the sky, controlled by some foreign entity, and your most personal information is in it.

Maybe you are worried about your credit report. But this surveillance database contains far, far more precious and revealing information. Where you traveled. How long you stayed. Your driver’s license. Your passport.  If you are a government worker, who your closest friends are, and even your fingerprint.

All in the hands of a foreign, potentially hostile, nation-state.

Attribution is a very tricky game — freelance actors? the Chinese government? Another nation state hiring mercenaries in China? — and anyone who asserts with surety they know who did it might be overstating their case. When we spent months looking into the Yahoo hack, it became clear that both nation-states and freelancers can be involved in the same hack, making breach analysis even harder. With Equifax, there’s a theory that rogue hackers gained entry at first, then handed off the access to a more sophisticated entity. This kind of hack-sharing means that whoever stole all that data from Yahoo — remember, for years, Russian agents could read millions of victims’ emails — is available to whoever is building this big dossier database in the sky. Passport numbers and 15-year-old emails linked? That’s quite an incredible amount of information.

It’s fashionable to blame things on China right now, but the particular nation-state that’s the culprit at Starwood doesn’t matter as much as the potential existence of this database.

I haven’t seen it, but plenty of folks I speak to very much believe it exists. The best evidence for it: Where are all the stories of Equifax-related identity thefts, or widespread Starwood points hacks, or….? Whoever is stealing this information isn’t doing it for money, and isn’t doing it for lulz. No one hangs out in a network for four years for lulz.  Or, for that matter, for money.

Instead, think about how useful a list of hotel stays would be as an intelligence-gathering tool. As my colleague at NBC News Ben Popken points out, Starwood is a favorite chain for U.S. Government employees. Executives, too. So perhaps most of the data is useless to the hackers; they just want the good stuff. That was initially the goal in the Yahoo hack: Read the email of very specific people. A needle-in-a-haystack search, with the hay uninteresting. Later on, however, the Yahoo hackers shared the stolen data with others who indeed picked through the hay — you and me, in this metaphor — and found all sorts of other uses for it.

Perhaps the criminals are even more interested in tracking corporate executives.  Understanding their movements can provide a lot of intelligence — “Why is he visiting South Korea? Is he interested in a new supplier?”  Think deeper, and you can imagine the data being used for leverage or extortion. What if a foreign power had information on a clandestine relationship a U.S. executive was having? That would be very useful in negotiations.

In some ways, all these hacks are starting to sound redundant, as if someone keeps stealing the same kinds of data over and over. But as Avivah Litan of Gartner recently told me, there is the matter of upkeep. Whoever has this database has to keep it current, and accurate. Each new heist helps the “owner” clean the data.

Bill Malik at Trend Micro offers another clever use for this executive-tracking database: something I call executive identity theft. Business email compromise is among the fastest-growing cybercrimes. A criminal poses as a CEO and demands her secretary wire money overseas immediately as part of secret merger talks. It works because underlings are less likely to question bosses. If a criminal had a tool that predicted executive movements, imagine how much easier, and more targeted, these attacks could be.

At this point, you are probably wondering what all this has to do with you.  If merely monitoring high-value targets is the goal of these hackers, that should be a relief to most of us, right? Perhaps. You must understand that whoever is stealing these massive datasets is in it for the long game, however.  Again, the Starwood hack lasted four years.  Can you really be sure that you’ll be uninteresting to a foreign power in a decade or two?  Are you sure there isn’t an email you wrote in 2003 that wouldn’t embarrass you somehow in 2023?

This is the point at which an editor would yell at me to give readers some hope, to dole out advice on what to do about all this.  So sure, change your passwords and limit the personal information you give large companies. Always act like anything you type into a keyboard might eventually end up on a billboard in Times Square. But realistically, you are collateral damage in a cyberwar being fought by nation-states on one side and fairly helpless U.S. corporations on the other.  The big dossier database in the sky is only going to get bigger, and more accurate, with each big hack.  That’s our 21st Century reality now.