Page 38 - GCN, June/July 2017

CYBERSECURITY
“Don’t over-automate. You want to push and do automation to maximize the way you use your analysts, but you don’t want to automate to where you don’t involve your analysts at all.”
KAREN EVANS, FORMER OMB OFFICIAL
USPS Vice President of Secure Digital Solutions Randy Miskanic told Congress at the time that “the guidance document instructed the [chief information security officer] to take no action — including further investigative activity, scanning, re-imaging, resetting account passwords, taking systems off-line or searching IP addresses.”
The concern was that the threat actors would escalate their actions if they knew they had been discovered.
After nearly two months of scoping the problem, USPS investigators finally felt confident enough to initiate their remediation plan.
As Miskanic described it, the plan was an exercise in caution that began with a network brownout period — two days during which connections were limited between the USPS network and the internet.
During the same period, virtual private network and remote connections were blocked, and email between USPS accounts and outsiders was curbed. Care was taken to ensure that internal email service was available, as were all mail collection, processing and delivery systems, and front-office operations.
USPS later faced criticism for not moving quickly enough to inform victims that their data might have been compromised, but analysts still say it is generally better to be cautious than hasty about responding to a cybersecurity incident.
“A common mistake is to jump right in to fixing without a plan,” said Jeff Schmidt, vice president and chief cybersecurity innovator at Columbus Collaboratory, an Ohio-based cybersecurity consortium of seven major organizations that include Nationwide, Cardinal Health and Battelle.
That approach can cause more problems, especially when it involves repairing servers and other complex environments in which a cascade of system restarts, version mismatches and database restorations can create havoc, Schmidt said. “Reimaging simple desktops is one thing, but software requiring updates — or worse, recompilation — must be integration-tested in complex environments,” he added.
2. Failing to maintain operational secrecy
Keeping quiet about an ongoing network intrusion is paramount until an organization is certain the threat has been contained. The last thing officials want to do is drive intruders deeper into the network by tipping them off.
Even weeks into the USPS breach, for instance, investigators kept a tight lid on their mitigation activities so the intruders wouldn’t know they had been spotted. The FBI’s cyber sleuths had determined that the hackers were sophisticated and that officials needed to proceed with extreme caution so short-term remediation efforts would not be compromised.
“As an incident responder, you always have to assume that the adversary is watching you,” said Gregory Touhill, former U.S. CISO.
Until recently, a wipe and a reload was the standard prescription for recovering from an incident. These days, the only way to be 100 percent sure that an intruder has been eradicated is to restructure the network and its devices, Touhill added.
That can be an expensive exercise, and it reinforces the need for organizations to implement best practices such as network segmentation, multifactor authentication, Active Directory whitelisting, and minimal access for remote and privileged users.
“Really good adversaries know how to evade rudimentary network administration techniques,” Touhill said. “Great ones have the ability to burrow in right away, erase their tracks and remain extremely persistent” at the first hint they have been spotted.
When that happens, officials must decide whether to build a new network with better defenses or try an expensive, often futile, attempt to detect and eject the adversary, he added.