Bringing Royal Naval Discipline to Cybersecurity Chaos
Within cybersecurity, we have a mantra; Defend, Detect, Deter, Defeat.
Now defence and detection, these are normally quite well established (but of course, it always needs testing and needs improvement). VPN’s, Intruder Detection and Prevention Systems, Managed Desktop Solutions, Firewalls, Single Sign-On systems… the list is endless.
However, deterrence postures and defeating cyber-attacks are normally the two aspects we don’t implement well. We don’t practice enough, and we don’t even really like looking at it. This post describes the problem with of these two subjects, and why they are so, so important.
And what we can learn from the Royal Naval attitude towards crisis management and C3 (Command, Control and Communications).
So, what do we mean by Deterrence? Let’s be honest, your strategic objective is to make sure your staff, third parties, infrastructure and customer data is harder to exploit, or systems are harder to attack, than the company or organisation next to you. We are trying to stop ‘drive-by’ attacks.
It’s not a nice way to think, but it is a fact. You wouldn’t leave your wallet on display, half coming out of your pocket, whilst walking through a crowded Oxford Street. The same applies to our digital footprints. Finding leaked third party credentials linked to your organisation email addresses and accounts, and personal accounts connected to your staff members, need to be identified, isolated and changed because it gives hackers the first breadcrumb to look further into your network or ecosystem.
We have to reduce these breadcrumbs from the start, so they will go somewhere else. Deterrence, however, does not work against someone determined to get into your system by any means. It’s the same with your infrastructure. You have to match sure the back gate is at least locked.
The difference between a drive-by hack and a targetted attack is ‘motivation’. They will get over that back gate, no matter what, if they are motivated.
Give me a technically qualified hacker anytime over a motivated person that hates you. Insider former employee, disgruntled customer, protester groups, ex-partners, state hackers working for a cause… they will get in. Either through human aspects, through technical vulnerabilities, through process hacking (looking at the way you function as an organisation, and find a way to exploit your processes, to find an entry point), the odds are in their favour.
You have 10,000 employees to protect, they each have three work accounts, and if they get spotted, they don’t care. They will keep trying. This mindset and threat aggressor is one we only have one way to deal with: and this is where your team is vital. Not only the security team, everyone.
Does your organisation know who to report security issues to? Who would lead your response to a cyber incident? Has your organisation gained the the trust of the security team in order for people to provactively submit anything out of the ordinary for further investigation? Do you have a good cop in your Good cop/bad cop security routine, or is everyone just a ‘bad cop?’ Is the routine to report incidents as simple as calling 112/999? Are physical security problems copied and reported the same way? Do you talk and liaise with other Computer Emergency Response Teams and other SOC’s, including competitors, and share threat information with them?
If the answer is no to any of the above, then you need to practice your incident handling. Don’t just train people to spot detections, train them to deal with what happens when it all goes wrong. From the operational level to activating the strategic crisis management team. Make sure your policies and processes work.
Can you effectively communicate your organisation aim, top priorities, and task individuals, to manage the incident back into business as usual?
Again, if the answer is no, you are going to have a bad day. The quicker you identify, mitigate and communicate an event, the better chance it will remain an event - and not become an incident on the front page of the Daily Mail. During my time in the Navy, we had an incident response golden rule. If the ship’s firefighter turns up to the scene of a fire within 30 seconds with an extinguisher, then the fire is out. If it is over 30 seconds, the ship is lost.
The same applies to cybersecurity. Lead by example, otherwise, you will become the example not to follow in one of my presentations.
Train as you fight, fight as you train.