Jim Aldridge is a Director at Mandiant, a FireEye company, and focuses on incident response. Aldridge spoke with the Cipher Brief about the evolving cyber-threat, and what to do if you get hacked.
The Cipher Brief: Are cyber attacks becoming more common, and what explains the rise in these incidents?
Jim Aldridge: There are two major attacks that you hear about. One has become more common, and the other is something that we are becoming more aware of. The first category is the financially motivated attacks like we see with retailers, where there is a criminal actor looking to cash in on a particular type of data, whether that’s personally identifiable information for spam campaigns or other purposes, or to commit fraud with credit card numbers. Based on the way that businesses evolve, those are becoming more common. The other category of targeted attacks – what I refer to as espionage-motivated targeted attacks – those have probably been going on since the dawn of espionage, even before computers, and have now just extended into the cyber world. We are becoming more aware of those as an industry. I don’t know that they are becoming more common—they probably have always been going on.
TCB: Who is conducting these attacks? It’s widely acknowledged, for example, that the Chinese government was responsible for OPM, but it was a teenager who allegedly hacked into the CIA director’s account. Is there a certain type of profile these perpetrators share?
JA: It depends on the type of attack. Broadly speaking, there are financially motivated attacks, where a group of perpetrators goes after a specific company to gain access to data that they are going to sell. And there’s a more commodity type of attack, where someone writes a piece of malware that he will try and install on as many people’s systems as he can, and he’ll wait until you type in a password for a specific bank and then get that information. The second type of attack is not really a targeted attack. Targeted attackers, from a financial perspective, are characterized as criminals, potentially linked in at least some instances to criminal organizations. On the espionage-motivated side, many of those attacks are attributed to state-sponsored actors.
TCB: How do you see the broader cyber threat evolving? What advice would you give to companies trying to stay ahead of the curve? How much cyber security is enough?
JA: In terms of the threat evolving, the threat will evolve in whatever way necessary to gain access to the targeted information. So when we come up with a new technology five years from now, there will be someone who figures out a weakness in it and exploits that for monetary gain or espionage value. To try to stay ahead of that threat, the defender is always behind the curve. We use the terminology “ahead of the threat,” but you are never really going to be ahead of the threats. What you can do is insert roadblocks. If you think about the life-cycle common to targeted intrusions, there are steps along the way where you can make the attacker’s life more difficult. You are not going to prevent them in all cases; in some cases, you will. But you want to throw hurdles up that will slow the attacker down and give you more chances to detect that activity. That rolls into the second key point of what you should do. The companies that I work with that have better “detective capability” are minimizing the impact of a breach. They may still “get breached,” since everybody is going to have a piece of software that is not patched, a piece of software that has a vulnerability that is not publicly known. Even if you patch perfectly, you will still have those zero days. In those situations, when the attacker does get that initial toehold, it is critical to detect that activity and contain it very quickly. In terms of how much cyber security is enough – it’s a tough business question. There is a lot of fear, uncertainty, and doubt in the cyber security industry. From the business perspective, it has to be enough that the residual risk is in line with the business’s overall risk tolerance. You might mitigate your specific risk up to a point and then insure against the possibility that you will have a breach.
TCB: Most experts that we’ve talked to seem to agree that it’s not a question of whether a company will be breached or attacked, but it’s a question of when. What are the most critical aspects of an effective response to a cyber incident?
JA: I tend to agree with that in general: it’s not if but when. With that said, we also see companies that are really concerned about it and may not experience that targeted breach over a period of years. As a general rule, I think it is something you should consider is going to happen. From a response perspective, the first important action that an organization can take is to prepare for that day. So having a response plan—understand who your stakeholders are within the business, and your risk management community and legal folks have worked with them to define this plan—so that you know what you need to do when the balloon goes up. Second, from a mitigations perspective, learn lessons from all of these other incidents that are not in your organization, but that are public in news reports or that you hear about from your peers. Think critically about how you would fare if your organization were faced with that scenario, and then drill that down from a process perspective. What would your response be—kind of a process type tabletop exercise—and then drill it down to the technical and consider whether you can answer key investigative questions quickly. Do you have the right tools, do your people have the right training, and do you have a process?
For example, one of the easy-sounding things that can really hamstring you in an incident is how quickly you can get an answer to the question: From what system did a particular action originate? I finished up an assessment for an organization, and going through some of their systems, we needed to know what systems went to this particular website. We saw there was network traffic, and we needed to follow up on it. It took them two days to answer that question, and this wasn’t in a breach scenario. One of the things I’m recommending to the organization is that it needs to draw the time down so they can get that answer in a couple of hours, because if you are up against the gun, that would be difficult.
My second point is understanding the processes that you would need to execute in an incident to investigate and to contain, and making sure you have the right tools and processes. Finally, from more of a management and leadership perspective, making sure that someone within the organization – most organizations will have some in-house capability that may be augmented by third parties – who is tasked with building these capabilities gets the right level of focus. This is a form of insurance that is hard to quantify. If they ask for a million dollars, how do you quantify that return? I think it is important that executives and business stakeholders support developing and maintaining the capabilities.
TCB: What are some of the common things that companies tend to overlook during the response period?
JA: The first thing is making sure that you get the right business stakeholders involved very early on. From a legal perspective, if you find you’re dealing with an incident that may involve some sort of regulated data, for example credit card data, making sure that somebody from your legal team, and probably an outside counsel who specializes in breach law, is involved, because it’s a complex landscape. There are various state laws, perhaps international laws, that come into play. That’s one mistake that I see made.
The second is not being methodical in how you go about the response. It’s a stressful time, but make sure you are keeping track of the decisions that you have made when you take certain actions so that you can build a picture for your stakeholders. Instilling the confidence of your business stakeholders within the organization is important, and eventually, if you have to go public, it helps to instill confidence if you have a very documented trail of here is what we knew when, and here is what we did.
The third thing relates more to coming up with a plan for the investigation and remediation aspects. The response should include both remediation planning and execution as appropriate, as well as investigation—starting these right away.
Fourth, on the investigation, making sure that if there are signs you have an enterprise-wide intrusion or an attack that’s been in the environment for some time, you fully investigate the scope of the compromise. In other words, don’t just say we have two systems infected with malware, pull the systems offline, clean them, and call it a day. Take the time to actually follow the trail of evidence in your environment, because you may pull those two systems offline, but there might be five other systems that have a different piece of malware that the attacker is currently still active on. You might miss that, and that will ultimately prolong your period of exposure.
TCB: Are there any special considerations that must be taken into account when responding to breaches where a state-sponsored entity is suspected to be the perpetrator?
JA: I do have one, and it’s not so much predicated on the actor being state-sponsored. In many of the state-sponsored intrusions, the attacker tends to have been in the environment for a longer time. State-sponsored actors are typically motivated by the theft of information. They have particular intellectual property they are interested in, or they just want a presence within the network to understand something, to be able to read emails, or to insert information when it’s requested of them. They tend to operate in a different manner than a financially motivated actor who wants to get in, for example get the cards, and then get out. That’s going to be detected through your fraud detection mechanisms. Regarding the espionage-motivated actor, usually when an organization finds out about it, a majority of those organizations are notified by an outside party, typically law enforcement. At that point, they typically only know about a small piece of the intrusion. In a typical case that I deal with, the actors actually have been in the environment for some time, possibly years, and so you want to make sure that you fully scope the intrusion and understand how the attacker is operating in the environment so that you can contain that attacker fully. Pulling those initial systems offline can actually, counterintuitively for a lot of people, prolong the exposure.
TCB: How have intrusion and investigative techniques and technologies improved, and how do you see them changing in the future?
JA: One of the reasons that my company has been able to be as successful as we are in investigating enterprise intrusions—large-scale, 100,000-node or more environments, global companies—is that we developed technology that allows us to respond at scale and act as a force multiplier for our team. That’s one area where, when I started with Mandiant five years ago, there were no other products out there that really facilitated that. And what you’ve seen in the last couple of years is that there’s now healthier competition in the marketplace. Being able to query across the environment and look for host-based artifacts—where do I see this file, where do I see this memory artifact, where do I see this registry artifact, or where do I see this log entry?—being able to ask these questions very quickly, that’s a key technology component for investigations.
Where do I see it going? One of the challenges is that more organizations are moving into cloud hosting environments, and some of the largest of those deployments are systems that function as part of a grid. As a result, the individual system doesn’t matter as much. It may go up and down, and it may be dynamically redistributed across multiple clusters. That presents a challenge for investigators: how to get a handle on those types of environments. I think that is something we will see addressed by technology going forward.
TCB: In your experience, what have been some of the best practices for maintaining business continuity during the response and recovery period?
JA: I don’t recall an incident where continuity was really an issue, typically because most of the cases I’ve dealt with are intrusions versus the denial-of-service type of attack or a destructive attack. The big example of what made Sony such an anomaly was that the information was actually destroyed, based on public reports. In terms of planning ahead for that, effort would need to be focused on integrating the response into the business continuity plan so that the IT folks and the business folks have additional scenarios to consider when thinking about continuity. For example, what if we told you that you needed to replace this critical system, or that there was a piece of malware on it and it needs to be rebuilt? Having a plan to do that would be in line with a typical business continuity plan.
TCB: How can the U.S. government and private industry better work together to combat cyber security threats?
JA: That piece is a challenge, but one of the advantages government has is a wide, broad, and deep understanding of the actors and of the techniques. One of the things that I think the government could do that would be most impactful is help advise and provide recommendations on countermeasures that are effective. In effect, the U.S. government already does this in a way through the NIST publications and some of the Defense Information Systems Agency information. Technical guides are extremely helpful; I recommend them all of the time. The Australian government, for example, the Defense Signals Directorate, actually published a paper about what specifically it recommends for mitigating the threat of state-sponsored actors. It’s a really concise set of recommendations that I think is really in line with what we see in our work. That type of advice can be helpful.