Are We Seriously Thinking?
Samir Khare, CISM
Military Veteran; Enterprise Cybersecurity - Strategy, Portfolio, Operations
So much has been said about the CrowdStrike matter and many have expressed relief that it wasn’t a cyberattack!
8.5 million machines were impacted, multiple sectors ground to a halt for at least some duration, and the resultant chaos made headlines on news channels.
My question remains – are we seriously thinking? I mean enterprises and service providers.
Pause for a moment and think... What if this were indeed a cyberattack with 8.5 million systems impacted?
Businesses could well have come to a standstill rather than being mostly up and running within 3 days, as was generally the case in the much-reported incident. It could have meant months of effort to return to business as usual, and the consequent financial and regulatory mess to deal with, amongst a host of other problems.
Though the official RCA isn’t out, the general sense is that it was possibly due to poor SDLC processes that the update passed internal muster within CrowdStrike and went live without obviously rigorous testing; what happened next is well known.
Just imagine a situation of a deliberate malicious endeavor by a threat actor to exploit an existing vulnerability in a software/system/platform and thereby cause havoc for monetary benefit or any other devious designs. “WannaCry” did happen in 2017.
I am drawing attention to the level of preparedness enterprises and their service providers must have to deal with a possible cyber crisis of the magnitude that we recently saw.
· How many of the people concerned in the CIO or the CISO set-up have honestly looked at what happened and undertaken a simple self-assessment of their true level of preparedness?
  o Do they have well documented and rehearsed procedures to deal with a cyberattack?
  o Do they have access to the HLDs for the tech stacks deployed, to understand the interfaces and their implications, and clear owners for the same?
  o Are their key team members aware of the very initial/basic actions to be taken?
  o When was a semblance of a cyber drill undertaken, if it ever was?
  o Do they have skilled level 3 staff (Tiger Teams) who are clear on the steps to take to arrest the situation and contain some of the damage before specialists are engaged? We are all theoretically aware of the golden hour theory related to minimizing the possible impact of a cyber-attack. In the event of a real widespread cyber-attack, TAC from technology vendors will be stretched to provide dedicated support, and efficient Tiger Teams will be the key to minimizing impact.
  o Did the crisis communication plan work... beyond chatter on WhatsApp groups?
  o Do they really have technically competent senior leadership who can visualize the impact, direct teams and, most importantly, engage with relevant internal and external stakeholders convincingly? Or are they expecting the engineers handling systems or the middle managers handling delivery to do that, and become scapegoats and sacrificial lambs?
  o Very seriously, how many key cyber staff, internal or service-provider provisioned, from very senior to junior levels, have ever been put through a cyber range exercise?
  o Drawing from my military background, one never expected people to effectively use their personal weapons and allied military hardware in a combat situation without having tested them umpteen times on a firing range and in simulated battle environments.
  o In any adverse situation, well-rehearsed battle drills and procedures can be the difference between success and failure, or even life and death. It applies equally to the simple drills to be followed when a patrol comes under fire, the countermeasures taken by a fighter pilot on getting a weapons lock from enemy systems, or, in this case, what you do first when you know it’s a cyber-attack!!! Drills are so important.
  o Did you ever think of a Cyber Drill beyond a phishing simulation? Whereas the second-Monday fire drill in the office is so common in most corporates!!!
· One felt a general sense of gung-ho: “Oh, it wasn’t a cyber-attack and we got systems up and running with workarounds and businesses were alive.” Seriously?
· Do understand that in the recent CrowdStrike update case, the situation beyond the initial flaw in the software was static. Once the error was identified, there was a playbook to follow to get the vast volume of systems up and running, and it was the volume impacted that essentially caused the downtime.
· Please visualize an adaptive adversary who has planned the situation step by step and is going to change his TTPs as the situation unfolds. Your senior leadership and security teams must have an attacker’s mindset to visualize and act, and unless you have trained them for that you are living on hope, like an ostrich.
· Understandably, cyber ranges are expensive, but you can get your key people across seniority bands in a room for a few hours periodically and whiteboard situations... it will at least get people thinking, and you will have some sense of a realistic BIA and the consequent actions to begin with.
For the last time. Are we seriously thinking?
If yes, great! If not, please start now!!!
Co-Founder & CTO | Pioneering Cyber Range solutions for next generation cyber warriors.
7 months
Thank you, Samir Khare, CISM, for your clear, concise and thought-provoking post. You have effectively summarized the recent CrowdStrike incident. If the adversary had planted malware in the software supply chain, the response would have been completely different. Drills are extremely important during peace time. In the military it's common to hear: the more you sweat in peace, the less you bleed in war. On a lighter note, the CrowdStrike incident can be seen as a type of cyber drill, particularly for those who activated their response plans and closely observed the outcomes.
Leadership Speaker, Six Sigma Black Belt Consultant. Cambridge Certified ELT. N.P.S strategist, FIRO-B practitioner.
7 months
Spot on! The importance of rigorous testing, documented procedures, and regular cyber drills cannot be overstated. Your analogy to military preparedness perfectly illustrates this need. I recently read an article by PwC on how blockchain is transforming defense, giving it an advantage on the battlefield. I’m curious about your thoughts on integrating blockchain technology into centralized IT infrastructures to mitigate cyber risks. Blockchain's decentralized nature and security features, like hashing and consensus mechanisms, could offer enhanced (1) data integrity, (2) decentralized control, (3) secure authentication, and (4) improved transparency. I understand blockchain probably isn't a cure-all; however, its potential to strengthen existing security measures and create more resilient IT infrastructures is promising, don’t you think?
Account Delivery Executive - Australia | Leadership Role | Global Experience | Diversity Champion | Mentor & Coach
7 months
Thought-provoking, Samir. Cyber drills, crisis communication drills, etc. are so taken for granted & are often on paper and rarely tested!
An experienced professional with notable experience as an ITIL Process Lead at Capgemini Technology Services India Pvt Ltd, India
7 months
Samir Khare, CISM, indeed, it is a thought-provoking article. I personally feel the magnitude of the impact was mainly due to "Market Dominance". In recent years (maybe it has always been there), everybody is in a race for dominance of their product / service / capabilities, not locally but globally. It should be a rule of thumb by now that the more penetration a product or service has, the more vigilance, more checks, more controls, more drills and more skilled staff should be in place. Also, these days social media has become a nuisance, especially when you expect a single source of truth. For every news item or post that you see on social media, you find contradicting views, data and visuals. It becomes difficult to identify who is telling the truth. Whenever we see chatter on social media, we should be able to identify who is giving the “right” information. Maybe we can have authorized handles or channels for the same. It is for sure that any possible cyber-attack, or even negligence, is true to the South African proverb: “Even an ant can hurt an elephant”.
Cyber Security & Risk professional - Director at Capgemini
7 months
Nice one, Samir. Cyber resilience was, is and will always be a WIP!