Chronicle of an out of control cyber incident - case study - Einat Meyron
The municipality’s recent phishing incident is an opportunity to validate the vitality of the organization’s information security culture, as well as the effectiveness of its playbook (procedures), which includes concrete guidelines for conduct before and during a cyber incident (be it an attack or an exercise).
The municipality’s audit department chose Integrity, a consulting company, to perform a phishing exercise. The exercise (whose aim remains unclear) was apparently performed without the knowledge or consent of the municipality’s Chief Information Security Officer (CISO).
Due in large part to frequent campaigns, the municipality is generally considered well trained.
Background and event sequence:
An email was sent to a Petah Tikva Municipality employee on Tuesday afternoon, April 21st.
Ido Naor, a well-known cyber researcher, performed an analysis of the email and published his findings on Facebook in the early morning. Naor was not particularly impressed by the qualities of the malicious code. It should be noted, however, that I wrote in a post on LinkedIn that it is a rather successful message. Its content, as well as the reference it makes, certainly exceeds the types of messages we are accustomed to, both in the quality of their Hebrew and in what they typically relay.
On the morning of the 22nd, news outlets began publishing that the Israeli police were also investigating the incident. The investigation began in response to a request from the Israel National Cyber Directorate (INCOD), claiming that it was a criminal offense that involved identity theft.
Meanwhile, a person who claims to have first-hand knowledge of the incident argues, in various forums, that the exercise was carried out according to all the rules and received all the permits needed to do so.
At the same time, a discussion developed claiming that the INCOD was also involved, and whether the use of its name had been approved among the involved parties became a new topic in and of itself.
The sequence of events (as known at the current time) raises several questions:
What was the aim of this particular exercise, conducted over the head of the CISO?
Disclaimer – It's more than legitimate to examine the functioning of the CISO. But isn't the goal, in the end, to help him/her specialize and improve? How is this possible if the exercise “fails” so quickly? What if the process fails to consider professional goals as well? No organization has unrestricted resources, so why not leverage the exercise for the benefit of the entire organization?
What is the exercise initiator’s cyber risk background? Did the lack of understanding and preparation detract from the drill’s success?
Without getting into the nature of the exercise itself, the technological processes, the rapid detection of the threats, or the communications within the organization, it remains true that a number of shortcomings diminished the drill’s effectiveness. The lack of a clear and executable goal, the exclusion of the municipality’s CISO, the failure to identify gaps between processes and practices, and the overall lack of groundwork and preparation each detracted from the drill’s potency.
All these and more apparently led to the undoing of the exercise, even if it did point to a gap; incidentally, a familiar gap that has already been taken care of.
Why did the INCOD choose to react in a devaluing and potentially impulsive manner to the use of a familiar brand as a way of building trust among recipients? Is this commonplace? Moreover, is it reasonable to assume that a real attacker would use any name that serves its purpose, including that of a government body?
According to the statement of Integrity (the consulting company that carried out the exercise), the INCOD was informed about the use of the organization’s name.
If this assertion is true, it raises the question of whether the consulting company reported to the right person, or whether they just briefly discussed it with a contact rather than an actual official. If the matter was indeed raised with an inappropriate contact, why wasn’t this information escalated to make sure it would be handled correctly?
From my point of view, the question is why, when the facts were in front of them, the INCOD made a puzzling and impulsive decision and rushed to file a complaint with the police. Why not address the issue directly with the person who ordered the drill and the person who executed it?
Filing the complaint turned a failed and esoteric exercise into a widely covered story, one that required opening communication channels with technology journalists and distributing official messages on social networks.
Meanwhile, over the course of a decade, a message (signed in the name of Tomer Shemesh, who served as Director of Information Security at the Prime Minister's office) has periodically circulated, warning of impending incidents tied to current events. Why does the Prime Minister's office refrain from commenting on the matter in an attempt to stop this message from spreading? Could it be assumed that it is impossible to prevent a specific name or brand from being used in a cyber incident?
How does a Cyber Event Spiral Out of Control?
As stated previously, when decisions are implemented without prior discussion, both the decision-making process and its outcomes will suffer dire consequences. Instead of a complaint to the police, the matter could have ended with Ido Naor's critical post. I wrote about it in another post.
After conversations held with several people involved in the event in different contexts (including the planners and subjects of the exercise as well as the agents of the attack) some first-hand insights underscore a number of issues:
In the current event, poor Information Security culture and reputational damage were identified.
Lack of communication and understanding between the internal audit and the security department, coupled with extensive and unnecessary media coverage, resulted in sub-par exercise outcomes.
Inefficient use of financial resources can halt the allocation of budgets for other professional processes, impairing the organization's readiness due to the lack of available tests and services.
Damage to the CISO's work plan, especially where another party has its own agenda, may also threaten the organization’s security.
The CISO holds a lot of responsibilities; if s/he experiences an obstacle or bottleneck, the entire organization will be impacted.
On the media level, the INCOD’s decision to file a complaint with the police took on an exaggerated and unreasonable level of importance.
Insights and Summary:
Cyber-attacks and cyber incidents are events which typically don’t involve fairness (the exploitation of an organization’s name is testament to this).
Decision-making in an organizational context is about the quality of the decision’s outcomes. There must be a constant, continuous and ongoing discussion of existing and new issues in order to ensure an effective process of decision-making that supports the organization's business needs.
A train that has already left the station is impossible to stop. It is always preferable to review all the issues and all decision-making steps preemptively, and to prepare appropriate channels of action that will serve to contain the event as much as possible.
Any playbook should describe procedures in plain language that is not filled with legal content, and should immediately clarify what should be done under various circumstances. Each "case" should be identified in preliminary discussions during routine times, never at the time of the event itself.
A preliminary discussion about how to respond if an organization’s brand or name is exploited may prevent the event from escalating into an issue.
In addition, for any organization with a wide range of stakeholders at different levels, it is necessary to establish processes that involve only the relevant role holders, so that each can provide (in a short and simple procedure) their professional opinion in real time, based on insights that have already been formulated and entered into the playbook for the particular event.
A permanent steering committee is one of the best options for implementing a good organizational Information Security culture, provided that it includes business roles rather than technology roles.
If the audit department is interested in challenging the CISO, it is recommended to use professional services that can help clarify what is going to be done and how it will happen.
Defining a steering committee that includes a limited number of relevant stakeholders will form the basis of a sound organizational Information Security culture.
Coordination and synchronization amongst the organization’s various departments will serve to maximize the use of resources at their disposal.
Display a work plan in clear business language that is understandable to all departments (so that everyone is familiar with the terminology used and no one mistakenly assumes there are gaps in the processes).
Set up procedures: establish clear definitions for “cyber incidents” and “cyber crises”, assess escalation detection, designate a response team, and establish communication channels for convening.
Obtain advance counseling for the variety of scenarios identified as essential in relation to cyber events, with emphasis on the correct conduct and minimization of sub-risk exposures.
Determine and implement methodologies that bring business activity representatives together with marketing and public relations representatives, within the framework of the organization's particular approach to cyber event management.
Create an event file tailored to cyber events in general, including pre-drafted messages for potential escalations, relevant to a variety of stakeholders: communications, customers, social media, investors, and more.