Responding to Cyber Incidents - The Good, The Bad and The Ugly

Written by: Simon Whittaker on Feb 15, 2023

Security breaches happen. We have seen an incredible number of them over the last few years; some are publicised, some are not, but it seems that every time we open a new browser tab there is news of another breach.

The data published by the incredibly useful darkfeed.io site shows the prevalence of attacks over the last 12 months and some of the players involved.

Ransomware

Many of the ransomware gangs' leak sites are among the pages we visit most regularly, because they show the challenges we are all facing.

Leaked data

It is important to remember that the bad actors have done this many times before and are incredibly well prepared. There are some really useful examples of this on the TrendMicro blog.

The ransom note may lecture you on data protection legislation and the regulatory trouble you now face as a breached organisation.

It will give you reasons not to engage a recovery company.

It will even advise you on the topic of cyber insurance!

The Responses

In our experience there tend to be a number of different approaches to breaches when they happen; we have categorised these as The Good, The Bad and The Ugly. This is obviously our opinion, but it may be useful as a starting point for planning your own response to an incident.

The Good

Microsoft was breached by the Lapsus$ group in early 2022; Microsoft tracks the group as DEV-0537.

What They Did Well

Openness - they reported what they knew quickly and in depth. Microsoft's own write-up on DEV-0537 explains the group's methods in plain terms:

“Using the compromised credentials and/or session tokens, DEV-0537 accesses internet-facing systems and applications. These systems most commonly include virtual private network (VPN), remote desktop protocol (RDP), virtual desktop infrastructure (VDI) including Citrix, or identity providers (including Azure Active Directory, Okta). For organizations using MFA security, DEV-0537 used two main techniques to satisfy MFA requirements–session token replay and using stolen passwords to trigger simple-approval MFA prompts hoping that the legitimate user of the compromised account eventually consents to the prompts and grants the necessary approval.”

Evidence - they backed up their claims with evidence, and in doing so showed that these attacks are highly targeted and specific.

Real-life examples - they describe what actually happened and the lengths these extortion groups go to:

“In some cases, DEV-0537 even called the organization’s help desk and attempted to convince the support personnel to reset a privileged account’s credentials. The group used the previously gathered information (for example, profile pictures) and had a native-English-sounding caller speak with the help desk personnel to enhance their social engineering lure. Observed actions have included DEV-0537 answering common recovery prompts such as “first street you lived on” or “mother’s maiden name” to convince help desk personnel of authenticity. Since many organizations outsource their help desk support, this tactic attempts to exploit those supply chain relationships, especially where organizations give their help desk personnel the ability to elevate privileges.”

Admitting that mistakes were made - they documented the attackers joining victims' crisis communication calls, and what organisations should do differently next time to prevent it:

“The actor has been observed then joining the organization’s crisis communication calls and internal discussion boards (Slack, Teams, conference calls, and others) to understand the incident response workflow and their corresponding response. It is assessed this provides DEV-0537 insight into the victim’s state of mind, their knowledge of the intrusion, and a venue to initiate extortion demands. Notably, DEV-0537 has been observed joining incident response bridges within targeted organizations responding to destructive actions. In some cases, DEV-0537 has extorted victims to prevent the release of stolen data, and in others, no extortion attempt was made and DEV-0537 publicly leaked the data they stole.”

Providing recommendations - they provide an extensive list of actions that every company can take to improve its security and stop this happening to others. Note that the three points under "Strengthen MFA implementation" are all things NOT to do:

  • Strengthen MFA implementation
    ◦ Do NOT use weak MFA factors such as text messages (susceptible to SIM swapping), simple voice approvals, simple push (instead, use number matching), or secondary email addresses.
    ◦ Do NOT include location-based exclusions. MFA exclusions allow an actor with only one factor for a set of identities to bypass the MFA requirements if they can fully compromise a single identity.
    ◦ Do NOT allow credential or MFA factor sharing between users.
  • Leverage modern authentication options for VPNs
  • Strengthen and monitor your cloud security posture
  • Improve awareness of social engineering attacks
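Both MFA-bypass techniques in the Microsoft quote above, simple-approval push fatigue and session token replay, leave a signature in identity-provider sign-in logs, which is the detection side of the "use number matching" recommendation in the list. The Python below is an added example written for this page, not code from the original post or from Microsoft. It runs two small detections over a constructed JSON-lines log; the field names (`user`, `event`, `ip`, `ua`, `session`), the sample events and the thresholds are assumptions for the example, and real IdP schemas differ.

```python
"""Two detections for the DEV-0537-style MFA bypasses described above:
 1. push fatigue: many push prompts to one user, then an approval
 2. session token replay: one session id presented from two client fingerprints
Added example; log format and thresholds are assumptions, not any vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample sign-in log (not real telemetry). alice is prompt-bombed
# five times and then approves; bob signs in normally but his session id is
# later used from a different IP and browser.
SAMPLE_LOG = """\
{"ts":"2023-02-10T08:00:05Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7","ua":"Chrome/110","session":"s-1001"}
{"ts":"2023-02-10T08:01:10Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7","ua":"Chrome/110","session":"s-1001"}
{"ts":"2023-02-10T08:02:15Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7","ua":"Chrome/110","session":"s-1001"}
{"ts":"2023-02-10T08:03:20Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7","ua":"Chrome/110","session":"s-1001"}
{"ts":"2023-02-10T08:04:25Z","user":"alice","event":"mfa_push_sent","ip":"203.0.113.7","ua":"Chrome/110","session":"s-1001"}
{"ts":"2023-02-10T08:05:30Z","user":"alice","event":"mfa_push_approved","ip":"203.0.113.7","ua":"Chrome/110","session":"s-1001"}
{"ts":"2023-02-10T09:15:00Z","user":"bob","event":"mfa_push_sent","ip":"198.51.100.4","ua":"Firefox/109","session":"s-2002"}
{"ts":"2023-02-10T09:15:20Z","user":"bob","event":"mfa_push_approved","ip":"198.51.100.4","ua":"Firefox/109","session":"s-2002"}
{"ts":"2023-02-10T09:30:00Z","user":"bob","event":"resource_access","ip":"198.51.100.4","ua":"Firefox/109","session":"s-2002"}
{"ts":"2023-02-10T09:41:00Z","user":"bob","event":"resource_access","ip":"203.0.113.9","ua":"Chrome/110","session":"s-2002"}
"""

PUSH_THRESHOLD = 5                 # prompts before an approval that we call suspicious (assumed)
PUSH_WINDOW = timedelta(minutes=10)  # look-back window for counting prompts (assumed)


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=PUSH_WINDOW):
    """One alert per approval that was preceded by >= threshold prompts within window.
    A single prompt followed by an approval is a normal login and is not flagged."""
    prompts = defaultdict(list)  # user -> timestamps of prompts sent
    alerts = []
    for e in events:
        if e["event"] == "mfa_push_sent":
            prompts[e["user"]].append(e["ts"])
        elif e["event"] == "mfa_push_approved":
            recent = [t for t in prompts[e["user"]] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": e["user"], "prompts": len(recent), "approved_at": e["ts"]})
            prompts[e["user"]].clear()  # an approval closes this episode
    return alerts


def detect_session_replay(events):
    """Sessions whose id has been presented from more than one (ip, user-agent) pair.
    A stolen token replayed from the attacker's machine shows up as a second fingerprint."""
    seen = defaultdict(set)  # session id -> set of (ip, ua)
    owner = {}
    for e in events:
        seen[e["session"]].add((e["ip"], e["ua"]))
        owner[e["session"]] = e["user"]
    return [{"session": s, "user": owner[s], "fingerprints": sorted(fps)}
            for s, fps in sorted(seen.items()) if len(fps) > 1]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_push_fatigue(evs):
        print("MFA push fatigue:", a)
    for a in detect_session_replay(evs):
        print("Possible session token replay:", a)
```

On the sample log this flags alice's approval after five prompts and bob's session s-2002 seen from two fingerprints. An IP plus user-agent fingerprint is deliberately crude and will be noisy in production (mobile carriers and corporate proxies change IPs legitimately); a real deployment would key on ASN or impossible-travel logic instead. The fatigue path disappears entirely once simple-approval push is replaced with number matching, which is the point of the recommendation above.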

The Bad

LastPass disclosed a breach of its development environment in August 2022 and then, across a series of updates running into December 2022, eventually acknowledged that backups of customer vaults had been taken as well.

What Didn't They Do Well?

A confused and lengthy timeline - Two weeks is a long time on the internet, and that is how long it took for a potential breach to be reported to users. It is understandable that the company wanted to gather all the facts before reporting, but when the potential impact is the compromise of a password manager, it needs to be addressed quickly.

Long and flowing blogposts - the posts themselves are free-flowing text, which makes it hard to tell which are the most current and therefore relevant. Yes, it is important to keep a history, but this format does not help.

The updates directly contradict the previous message - New information is useful and shows that details are being shared as they become available. However, every earlier update stated that no password vaults were accessed. That has now been shown not to be the case, which is the worst-case scenario for a password manager.

More confusing messages - they state clearly that their billing platform, and the card data it holds, was not compromised. However, one of the key features of the LastPass product is storing our own credit card details in our vaults. The billing platform may well be untouched, but the cards customers stored in their vaults may not be.

Caveats, caveats everywhere - the reassurance in the updates makes it appear that everything is fine, and then come a couple of very large "howevers" that negate the reassurance that preceded them.

All in all, not a great response. It should also be noted that this is not LastPass's first rodeo; there have been a number of these incidents and the response does not seem to be improving.

The Ugly

Assigning blame - SolarWinds' CEO blamed an intern for a weak password, as reported by CNN. While it may well be true that the intern set the password, it is a failing of the organisation if that was allowed to happen and was not picked up.

Training for the intern, support from a mentor, technical controls (a password policy that rejects weak values, for instance) and regular security and penetration testing should all have caught this before an attacker did.

Blaming again - Equifax's then-CEO Richard Smith followed the same pattern after the 2017 breach. There seems to be a habit of CEOs creating a culture of blame within their organisations.

"While Smith said he was personally 'ultimately responsible for what happened' he also blamed a single unnamed person in the IT department for not updating, or 'patching' one of Equifax's 'portals' after the credit reporting giant was alerted to the security gap in March. 'An individual did not ensure communication got to the right person to manually patch the application.'"

Issues like these are rarely one person's fault; they are normally a collective failure of process.

Secrecy - hiding a problem does not make it go away. Uber concealed its 2016 breach for roughly a year rather than disclosing it, and the cover-up became a bigger story than the breach itself; its former security chief was later convicted over it.

A culture of openness, honesty and owning up to mistakes is something that true leaders need to foster with their teams.

What can leaders do?

Be prepared - responding early to an incident, having a plan, and being able to follow it are key to minimising disruption and getting your organisation back on track.

Communicate - this means both internally and externally. Keep your team, your suppliers and your customers on side by providing detail whenever possible and don’t fan the flames of rumour.

Understand your data - Know the information you are protecting and processing, and limit the data you store to what you absolutely require. If you do not hold it, it cannot be stolen.

Understand your IT systems - you must understand your IT systems and where the risk sits; without this you cannot maintain an accurate incident response plan.

Cyber is a board-level issue - cyber security and risk is a board-level issue; treat it as such. There is a good Foreign Affairs article on exactly this topic:

"…shareholders must make CEOs and board members personally accountable for managing cyber risk… This is largely a cultural change: where cybersecurity is considered a niche IT issue, it is intuitive for accountability to fall on the chief information security officer; when cybersecurity is considered a core business risk, it will be owned by the CEO and the board. … Decisions to prioritize profits over security must be made transparently, with clear ownership by CEOs and boards. The practice of blaming the chief information security officer or the IT department for organizational failings must end."


Be less confusing - There is a good article from the World Economic Forum which gives some excellent guidance for boards and cyber security leaders:

"While boards are more aware of cybersecurity than before, many board-level executives struggle to determine which questions are best suited to assessing information provided by their cybersecurity teams. This is an obstacle to making informed and risk-based decisions. Cybersecurity and business leaders must learn to effectively translate their cyber risks into enterprise risk, and into the right operational and tactical measures to mitigate those risks. Cybersecurity leaders should use less technical jargon when speaking with business leaders. Boards of directors should help cybersecurity leaders understand what assets and processes must be prioritized for protection. Boards should then make themselves accountable for these priorities once they are set because cybersecurity resources are rarely sufficient to effectively defend all parts of an organization all of the time."

Conclusion

Obviously, the best thing any organisation can do is to try to prevent a breach from happening in the first place: threat modelling your systems, training your teams, and understanding your flaws through penetration testing. But if a breach is discovered, you need a plan to deal with it.
