The growing wave of digitization, while delivering real productivity gains to organizations and value to customers, has also enlarged the cyberattack surface by exposing non-public information that was hitherto contained within the data center. Such sensitive information is now reachable through web services and over mobile devices, because the digital economy demands it of organizations that want to meet the expectations of customers and partners. At the same time, attacks have grown in sophistication and have moved from opportunistic carpet bombing to well-researched, targeted campaigns, many of them backed by nation states. A lucrative and organized underground market for stolen information makes the effort worthwhile for the attacker. In this highly dynamic environment, the first step on the security maturity curve for an organization is without doubt to implement the controls considered basic security hygiene: firewalls, IPS, web proxies, antivirus, SIEM and so on. The next step, and the one where organizations tend to fail, is configuring these security devices appropriately so that the organization gets the best bang for the buck. This failure is due both to a lack of skills and to a lack of attention to detail. The devices are implemented as a check in the box to please a regulator or senior management, or "to keep up with the industry Joneses". There is very little active monitoring and fine tuning of these systems to derive optimum value from them. It is very important to get this right.
However, what I would like to cover here goes beyond this. Organizations in critical sectors like finance and telecom will most likely (hopefully) have checked the above boxes already. With attacks growing in sophistication, it is important for critical sectors to look beyond preventive measures and build capabilities around early detection and rapid response. The same holds for any other organization where a leak of sensitive information would have significant operational and/or strategic impact, and where the risk appetite is low. A breach readiness exercise is something I would strongly urge such organizations to plan for. It differs from a traditional penetration test in its objective: a pentest is run to discover exploitable vulnerabilities, whereas a breach readiness exercise gauges the on-the-ground capability of your organization to detect and respond to an attack that is already under way.
The key goal of a breach readiness exercise is to understand the current state of two key metrics - Mean Time to Detect (MTTD) and Mean Time to Contain (MTTC) - and to develop plans to improve them. A cyberattack typically goes through multiple stages: Reconnaissance, Exploitation, Privilege Escalation, Lateral Movement and finally Data Exfiltration. The two metrics should be measured separately for each of these stages, since a stage that is never detected at all is a blind spot rather than a slow detection, and the report should make that distinction.

The exercise should go beyond a tabletop walkthrough of cyberattack readiness. It should include an actual simulation through different attack vectors like email and web, and should also cover the people aspects, such as social engineering. It is important that the detection and response teams are not told about the test in advance, and equally important that the exercise is non-invasive: it must not disrupt production systems or damage data. If a consulting partner is used, the security team should coordinate closely with them on the rules of engagement, including how far systems may be penetrated. The exercise can also be split into phases - one for the core systems in the data center and another for remote locations.

A detailed technical report should be produced that includes the specifics of each attack, the blind spots in monitoring, and the detection and containment times for each stage. The exercise should also assess the incident escalation mechanism, and whether all stakeholders, internal and external, have been identified for communication. It should stop just short of actually notifying any external stakeholder. The report should also include specific recommendations for fine tuning and improvement. Based on these, organizations can invest further in detection capabilities; sometimes no investment is required, just better focus on some areas.
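The per-stage metrics described above are easy to get wrong in the report: averaging only the attacks that were detected makes a stage with no detection at all disappear from the numbers. The following is an added illustration, not code from the article, showing one way to compute MTTD and MTTC per kill-chain stage from the timeline a red team and the monitoring team record during such an exercise. The event log is constructed for the example; the definitions used (MTTD measured from the start of the attack step to the first alert, MTTC from the alert to containment) are assumptions stated in the code, and an organization may define them differently as long as it is consistent.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional

# Attack stages named in the article, in order.
STAGES = ["Reconnaissance", "Exploitation", "Privilege Escalation",
          "Lateral Movement", "Data Exfiltration"]


@dataclass
class ExerciseEvent:
    stage: str
    attack_id: str
    started: datetime
    detected: Optional[datetime]   # None = monitoring never raised an alert
    contained: Optional[datetime]  # None = never contained during the exercise


def parse_event(stage: str, attack_id: str, started: str,
                detected: Optional[str] = None,
                contained: Optional[str] = None) -> ExerciseEvent:
    """Build an event from 'YYYY-MM-DD HH:MM' timestamps recorded during the exercise."""
    fmt = "%Y-%m-%d %H:%M"
    return ExerciseEvent(
        stage, attack_id,
        datetime.strptime(started, fmt),
        datetime.strptime(detected, fmt) if detected else None,
        datetime.strptime(contained, fmt) if contained else None,
    )


# Constructed sample timeline of a hypothetical one-day exercise (not real data).
SAMPLE_EVENTS: List[ExerciseEvent] = [
    parse_event("Reconnaissance", "R1", "2024-03-04 09:00"),                                    # never seen
    parse_event("Exploitation", "E1", "2024-03-04 09:30", "2024-03-04 10:15", "2024-03-04 11:15"),  # phishing
    parse_event("Exploitation", "E2", "2024-03-04 10:00", "2024-03-04 10:30", "2024-03-04 11:00"),  # web app
    parse_event("Privilege Escalation", "P1", "2024-03-04 11:30", "2024-03-04 13:30"),            # seen, not contained
    parse_event("Lateral Movement", "L1", "2024-03-04 12:00"),                                  # never seen
    parse_event("Data Exfiltration", "X1", "2024-03-04 14:00", "2024-03-04 14:20", "2024-03-04 14:50"),
]


def minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60.0


def stage_metrics(events: List[ExerciseEvent]) -> Dict[str, dict]:
    """Per-stage MTTD / MTTC in minutes.

    Assumed definitions: MTTD = attack step start -> first alert;
    MTTC = first alert -> containment. Steps that were never detected or never
    contained are counted separately instead of being dropped from the mean,
    so a silent stage shows up as a blind spot rather than as 'no data'.
    """
    report: Dict[str, dict] = {}
    for stage in STAGES:
        evs = [e for e in events if e.stage == stage]
        ttd = [minutes(e.detected - e.started) for e in evs if e.detected]
        ttc = [minutes(e.contained - e.detected) for e in evs if e.detected and e.contained]
        report[stage] = {
            "attacks": len(evs),
            "undetected": sum(1 for e in evs if e.detected is None),
            "uncontained": sum(1 for e in evs if e.contained is None),
            "mttd_min": mean(ttd) if ttd else None,
            "mttc_min": mean(ttc) if ttc else None,
        }
    return report


def blind_spots(report: Dict[str, dict]) -> List[str]:
    """Stages where attack steps were executed but none produced an alert."""
    return [s for s, m in report.items() if m["attacks"] > 0 and m["mttd_min"] is None]


def end_to_end_dwell(events: List[ExerciseEvent]) -> Optional[float]:
    """Minutes from the first attack step to the first alert of any stage (None if never detected)."""
    first_start = min(e.started for e in events)
    detections = [e.detected for e in events if e.detected]
    return minutes(min(detections) - first_start) if detections else None


if __name__ == "__main__":
    rep = stage_metrics(SAMPLE_EVENTS)
    for stage, m in rep.items():
        print(f"{stage:22s} attacks={m['attacks']} undetected={m['undetected']} "
              f"uncontained={m['uncontained']} MTTD={m['mttd_min']} MTTC={m['mttc_min']}")
    print("blind spots:", blind_spots(rep))
    print("dwell before first alert (min):", end_to_end_dwell(SAMPLE_EVENTS))
```

On the constructed timeline the report shows Exploitation detected in 37.5 minutes on average and contained 45 minutes after the alert, Privilege Escalation detected but never contained, and Reconnaissance and Lateral Movement as outright blind spots. Those two categories call for different remediation: tuning and staffing for slow-but-present detection, new telemetry or rules where nothing fired at all.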
It is very important for organizations to have detailed breach response escalation and communication procedures, which include the involvement of internal stakeholders like senior management and the public relations office, as well as external stakeholders like the national CERT and any relevant regulatory bodies. The readiness exercise should test that up-to-date contact details for all such stakeholders are available, along with the format of the message to be sent to each.
Organizations need to improve their overall information security maturity even if they are in industries or sectors not traditionally seen as lucrative targets. The cost of launching an attack keeps falling, and the legal framework in many countries is still not robust enough to deter the perpetrator, so a hack by a script kiddie creating nuisance value may be just around the corner. One further benefit of a breach readiness exercise is the much needed assurance it provides to senior management. A breach readiness exercise executed through a competent third party gives management a realistic picture while at the same time identifying the improvements the security program needs.