While working for security, I’ve faced several challenging situations, working with management, researchers, foresics, police – but only 3 where I will think of after retirement (so far ;-)).
I would like to express them here and share some lessons I learnt…
The story is simple: I think I was one of the first finding the code. When I came to the office in the morning the mailserver hang and was full of spam email trying to send out (which was blocked on Checkpoint Firewalls by the way).
I analysed the email attachment (encrypted VB script which I decode by writing my own functions for analysing it) and I sent my findings to our partner – Kaspersky Labs. Half an hour later they respond to me that this was known and old and I don’t need to take care of. As I was young and had a high respect towards the „experts“, I called myself stupid…
2 hours later heise published an article about a guy somewhere else in Germany who found a critical worm called „LoveLetter“…
That could have been my starting point towards a brilliant career in security and could have build a great reputation… 😉 I missed it and guess what? I’m still doing security and I’m still good…
When this came up I had a day off at the company I worked for. I was at a drivers training with my own car… This was the time I did a hard call completely disconnecting an international company from the internet for several hours until we got the situation under control – by the way, we don’t get infected, we were quick enough.
To be correct, it was not my call alone, my manager agreed, but it was the first time I realized the responsibility towards a company infrastructure and the importance of balance and the right strategy.
The other learning to took out of this scenario was the fact that not all systems can be patched due to financial constrains. This was the time when I reduced to talk about security as burden, as something nobody want to take attention to. Instead I changed my message towards the term „Risk Management“ – as it’s always the question on how much risk you are willing to take.
Risk, and how much you want to take, is the driver for successful emotet attacks. There are software solutions and (more important) process and training ideas to reduce the probability of a successful cyber attack, but they do cost work, time and money.
Seeing a screenshot showing an anti-virus software that it found a virus, is nothing important. But if it comes from a client computer and the executing user was a domain admin – well – than you realize, you have a problem…
Emotet – with the consequence of taking a company down for weeks and with all the fear and wild running people – this is what your personal stress-test is about.
An experience you don’t want to go for again. Because – independent how good you have acted, how secure you operated, how creative your team was to find secure operational ways – there will be always someone from external claiming to be better – and, of course, faster.
And believe me: the big consultant companies (KPMG, PWC, BearingPoint, Deloitte etc) they know how to sell their view to your C-level – even when they never had talked to you. The challenge is to bring the attention to the dynamic of these attacks, the affected underlying infrastructure and the time you need to keep your company secure. The physical limits of the infrastructure cannot be expanded in the short term by more manpower.
The simple fact about Emotet? We defend it, no encryption happened, only some passwords stolen, etc… Yes, they came in, but we were fast and hard enough to do the right calls! And we had a setup which was robust enough. We kicked them out! This time.
In summary, modern security operation has not yet achieved the level it can be. There are still skilled security experts required, to do the correct judgement and get the right conclusions. I’ve meet serveral companies – splunk for instance – claiming that they do have KI technology in place. They might be right, but this KI is not what I expected.
Behaviour based detection and analytics in combination with existing multi-layered protection approaches and and indeep view into the environment should be basic. The same level of importance should be raised towards the need of playbooks and general operational standards. But any technology will fail if there is not the rigth level of attention from c-level to this. This includes the need of a dedicated security team lead by a CISO.
I’ve seen people being completely convinced on their systems, on their approaches, that they could not imagine that an attacker could find another way. These are the one who will fail – at a point in time.
This leads finally to some sentences driving this part of my life:
1. The last limit is your imagination.
2. The only way to be safe is to never be secure. (Benjamin Franklin?)
3. They all cook with water only. (a german sentence – maybe better: Everyone puts their pants on one leg at a time.)