Cyber Attack Simulation in Budapest with DBH Group

www.CyberRescue.co.uk Page: 1 Cyber Crisis Executive Simulation Budapest, June 2017

Upload: kevin-duffey

Post on 22-Jan-2018


Category:

Business



Cyber Crisis

Executive Simulation

Budapest, June 2017


what we do

We help executives lead business recovery when hackers break through

Practice your Response with Executive Simulations

Bespoke Commercial Response Plan

Commercial Coach for Cyber Attack Response


FBI data storage in 1942 = 10 million sets of fingerprints,

plus 23 million paper cards = 680 Gigabytes

Why we do it

Digital transformation of assets

£600 storage device in 2016 a “memory stick” from HyperX,

stores 1,000 Gigabytes

Digital opportunity

and cyber risk


Option 1: Show market risk


Cyber Threats Annual Growth

125% Zero Day

71% DDoS

55% Spear Phish

29% Malware

21% SQLi

38% growth in reported crime

Option 1: Show market risk

Typical Executive Response: “OK, the market must fix the problem”

Option 2: Show systems risk

Client

Typical Executive Response: OK, the IT Director must fix the problem

Option 2: Show systems risk

Staff, Systems, Suppliers

Staff Risks:
• 78% of staff don't obey info policy
• 63% of breaches involve passwords
• 41% of staff install apps on work PC
• 30% of phishing messages are opened
• 12% of staff download malicious s/ware

Supply Chain Risks:
• 41% of breaches affecting healthcare are caused by Third Parties
• 17% of breaches investigated by Kroll caused by Third Parties
• AT&T, Home Depot, TalkTalk, and Target all suffered breaches via 3rd parties

Assess Risks beyond IT

Option 3: Simulate a Breach

Typical Executive Response: OK, WE must work together on this

Option 3: Simulate a Breach


Do you have a plan?

Amy Pascal, former CEO of Sony Pictures, February 2015

There was this horrible moment where I realized there was absolutely nothing at all that I could do.

Robert Pera, CEO of Ubiquiti, on “whaling” loss of $46.7m that his staff didn't tell him about, January 2016

I’ve been through stages of denial, disbelief, frustration.

The only crime that has been proven is the hack.

That is the story.

Ramon Fonseca founding partner of Mossack Fonseca ("Panama Papers"), April 2016


I am incredibly angry about this data breach.

John Legere CEO, T-Mobile USA, on breach of T-Mobile customer data stored by Experian, October 2015


The awful truth is that I don’t know.

Dame Dido Harding CEO of Talk Talk, when asked if affected customer data was encrypted, October 2015


Atiur Rahman, Bangladesh Bank Governor,

after cyber thieves compromised their systems -

15th March 2016

It was like an Earthquake.


CEOs struggle to visualize cyber response


“Hands on your head” isn’t enough for adults

Material for Earthquake Response. Slogan “Shake Out. Don’t Freak Out.”


Companies should be thinking about

decisions the CEO will need to make.

Michael Vatis Director, FBI's National Infrastructure Protection Center, January 2016


You are “blindsided”

You weren’t told of other Security Incidents: CEO (55%), HR (68%), Legal (72%).

You are told of the Breach by an outsider: Law Enforcement (41%), 3rd Parties (35%), Fraud Detection (14%) or Internal (10%).

You are already weeks behind the attackers. Average time to discovery of breach: 69 days (114 days in health, and 46 in all other sectors)

Cyber Attacks are different from other business continuity challenges in the “paralysing ambiguity” of the situation.

Authorities are “difficult”

Who to call? 31 organisations fight cyber threats to Financial Services in UK. 68% of IoD Members are unaware of Action Fraud.

What resources do they have? UK NCSP gives £30m pa to combat cyber crime, including £12m to NCEC. The ICO has 30 officers handling over 200,000 concerns & 1,000 cases per year.

What do Authorities do? “4% of cyber crime dealt with appropriately by police.”


There are a lot of opinions

Who is in charge? The UK Parliament expressed its view on 20th June 2016.

What has been breached? Only 45% of security professionals are confident they can determine the scope of a breach. External forensics typically lasts 43 days.

How soon to notify customers? 91% of consumers expect "24 hours or less." But 32% of consumers say their loyalty would diminish if they knew of a data breach.

(International)

Laws are complicated

Click to view DLA Piper’s 425 page summary of Privacy and Breach Notification laws

and other “response” documents


Decisions imply a Budget

Insurance Pays? 52% of UK CEOs believe they have cover, but <10% actually do. Some 81% of companies with cyber cover in USA have never claimed on it. Claims covered: In USA, 78% went on Crisis Services, 8% on Defence, 9% on Settlement, & 4% for Fines.

Big Gesture? 53% of Breach Notifications offer Credit Monitoring, which is taken up by 10% of affected consumers.

How to triage complaints?

Irate consumers want to receive the global standard in call centre response, 80% of calls answered in 20 seconds.

But volumes can be 100 times normal, with call duration x2 standard 4 mins.

And in addition:
• Social Media
• Regulators
• Suppliers
• Press
• Staff
• Police
• Shareholders

You are overwhelmed

Which attack to simulate?


Risks vary by Sector


We will now run a simple simulation

Enjoy the Simulation

Much will be uncertain during the exercise. That is deliberate.

Paralysing ambiguity is a defining characteristic of cyber attacks.

Decisions have consequences, as does failure to take prompt action.

None of you will be evaluated.

The exercise is safe and enjoyable. It is OK to make mistakes.

Teamwork is key.

Who? How? Why?


Tomorrow…

Acme Ltd is a new subsidiary of Acme PLC.

You employ 1,000 staff, with 100,000 customers.

You have 5 key partners you work closely with.

You launch a new service “Acme Cares” in a week.

Your IT Director is away.

You operate in Hungary, Germany, Singapore, UK, USA.

Acme Ltd

You work in the senior executive team of a medium-sized luxury hospitality business.

Day 1 – Friday, 10:30am

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Attack Collective of Korea. We own all your secret. We paste WWW if you not pay 100 Bitcoins protection end of Monday to g9jq65SKx1jj721kca7H2L

Price to stop will go up 100 BTC for every day of attack. This is not joke.

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will know you cooperated.


Day 1 – Friday, 10:30

Acme Ltd

What do you do?

Day 1 – Friday, 10:30

What do you do?

Example responses -

1. Inform key colleagues

2. Pay the ransom

3. Inform regulators

4. Inform police

5. Inform customers

6. Ask IT how data was lost

7. Disconnect from internet

8. Back-up systems

9. Invoke business response plan

Acme Ltd

Colleagues: Who gets told about their worst cyber security incident? CEO = 45%, HR = 32%, Legal = 28%, PR = 24%. (Jan ‘16)

Police: 82% of companies don’t report breaches to police (May ‘16). 68% of Directors unaware how to report cyber crime (March ‘16)

Pay Ransom: 91% of Executives say they won't pay a cyber ransom. But 64% do “if they have to.” (June ‘16)

Day 4 – Monday, 10:30am

HERE PROOF YOU DONT CARE ABOUT CUSTOMERS!

Real data posted to WWW. Pay we post more every day.

Acme Ltd


Day 4 – Monday, 13:10

HERE PROOF YOU DONT CARE ABOUT CUSTOMERS!

Real data posted to WWW. Pay we post more every day.

Acme’s Analysis

“Data looks real. It shows sensitive personal info held by Acme on 187 individuals who bought services

from us last year.”

Acme Ltd


Day 4 – Monday, 14:00

Who to inform, today

Acme Ltd

Day 4 – Monday, 14:00

Who to inform, today

Example responses -

1. Key Customers

2. All Customers

3. Suppliers

4. Distributors

5. Shareholders

6. Insurers

7. IT Remediation

8. IT Forensics

9. PR Agency

10. Regulator(s)

11. Law enforcement

12. Lawyers

13. Key Colleagues

14. Cyber Rescue

Acme Ltd

Consumer’s stated reactions to a data breach
• 91% say "24 hours or less" is acceptable for notification (May ‘16)
• 62% “would lose trust” if company didn’t communicate (Jan ‘16)
• 32% “would have diminished loyalty after a breach” (May ‘16)
• 11% “would quit doing business with hacked company” (April ‘16)

46% of Irish companies say they would not disclose a data breach to impacted third parties (July ‘16)

Among causes of a breach, the least harmful to consumer loyalty is Human Error (May ‘16)

Day 4 – Monday, 16:00

Acme’s IT Analysis

The Koreans are probably still in our systems. We can stop them taking our

crown jewels if we disconnect for 3 days.

One of our staff may have helped them. Too many staff have Admin accounts.

If only you’d approved our budget request for Silverbullet Cyber Security Software.

Our cloud provider says they are secure but won’t let us audit them.

Time: How long for IT specialists to respond to Breach (June ‘16)
• 201 days to identify a breach (range = 20 to 569 days)
• 70 days to contain a breach (range = 11 to 126 days)

Missing Info: Log Files “often” poorly configured or unavailable (Oct ‘16)

Capability: 45% of IT security staff say they “can determine scope of a breach” (Jan ‘16)

Day 4 – Monday, 17:00

What do you say, today

a) Press release: Our IT systems were hacked by Korean criminals who will publish all our confidential information unless we pay 100 Bitcoins. We’re victims of an APT and we have invoked our crisis plan.

b) Holding Statement: We are working with police to investigate a claim that data on 187 individuals may have been compromised. All 187 are being informed. Our priority is our customers. We never ask customers for passwords. This is a police matter.


Acme don’t care about my safety! Now Russians will steal my money

Because we care

On Friday, Acme launch a great new service to show customers how we care

Day 4 – Monday, 21:00

Comments about “a massive breach” spread quickly on social media, hijacking the long-planned “because we care” campaign

Day 5 – Tuesday, 07:50

“Door stepped” by Journalists

Do you care about your customers?

What are you doing to help them?

What data did the Russians steal?

What did celebrity Kara say?

How do you train your staff and help suppliers keep data safe?

Did you invest in SilverBullet?

Are you criminally negligent?


On average it takes 21 hours before companies are able to issue meaningful external communications to defend themselves – Edelman – April 2016

Day 5 – Tuesday, 09:10

Group Finance Director calls

How much will it cost to fix?

What does this do to next year’s forecast, will it hit sales or increase attrition?

What costs will your insurance cover?

What compensation will customers demand?

What do we say to our shareholders?

Why didn’t you invest in SilverBullet?

We will have to cancel bonuses this year.


Insurance: 52% of British CEOs think their company is insured for cyber risks. Just 2% of large businesses actually have stand alone cyber insurance in UK (March ‘15)

“The market for cyber insurance isn’t sustainable” (Sept ‘15)

Why businesses say they do not have insurance (Nov ‘15) “Premiums too expensive” (52%) “Too many exclusions” (44%)

Companies with cyber insurance but not claimed = 81% (March ‘16)

£1m cyber policy costs £5 - 25k pa for “average” company (April ‘16)


Day 5 – Tuesday, 11:40

Call Centre staff demand help, guidance & protection

“Do we let customers cancel their contracts with us?”

“Do the Russians have my annual appraisal, salary & medical details?”

“Shouldn’t we get someone else to handle calls about stolen data?”

Call Centre

Wait time 54 minutes

Call Duration 9 minutes

55% pa increase in spear-phishing attacks on employees (April ‘16)

52% of IT professionals re-use personal passwords for business apps

41% of Millennials install apps on work PC without consulting IT

30% of Millennials email company info to a personal email address

30% of phishing messages are opened (April ‘16)

29% of companies with mandatory data protection training give an exception to CEOs (May ‘16)

Cause of breach (March ‘16): - 48% Current Employee - 31% Outside Perpetrator - 17% Related Third Party - 4% Former Employee.

Day 5 – Tuesday, 14:30

[Diagram: Acme’s systems across four zones: Public Network, Acme’s Cloud Providers, Acme’s Network, and Acme’s Distributors & Suppliers. Labelled components: Customer, Staff, Channel & Suppliers (Vendor 1, Channel 1, Supplier 1), Edge, Service API, Service Applic, Servers, Comms, User Directory (e.g. Admin Accounts), Enterprise Data, Enterprise Applications (e.g. Email, Payroll, Operations), Log Files, Cloud Applications (e.g. Salesforce, Procurement), Development & Testing.]

Group IT Director calls: What are your crown jewels? Where are they held? Who has access? Why don’t you shut down for 3 days?


Day 5 – Tuesday, 16:10

HERE PROOF YOU DONT CARE ABOUT CUSTOMERS!

Real data posted to WWW. Pay we post more every day.

Acme’s Analysis

Customers are in Hungary, Germany,

Singapore and USA. Includes

some celebrities.

Acme Ltd


Day 5 – Tuesday, 22:50

Tomorrow’s papers

Acme helping police investigation
Forensic police are analysing a file said to contain data on 187 Acme Customers. All have been contacted.

Kremlin in Acme breach?
Russia stands accused by experts of taking secret data on 1 million people including celebrity Kara, who said “Acme should have done a better job”

20% fall in share price in 1 week

2 month volume in 2 days

Day 6 – Wednesday, 09:40

Day 6 – Wednesday, 11:00

Messages & Requests building up

•23 individual consumers

•3 distribution partners

•2 supply partners

•1 police

•Chair of your Board

How do you handle these calls?

Day 6 – Wednesday, 11:30

Chairman of Board

“Get a Grip!”

•Set expectations for updates

•Find a way to close down the breach

•Offer credit monitoring to all customers

•Let customers break contract, but only if they can show harm caused by us

•Consider your position, unless there is someone else to blame

Day 6 – Wednesday, 12:00

Lucky Break - Authorities help

“The breach is at your partner!”

•We think your customer data was stolen from one of your distribution partners.

•We are investigating a breach of over 100 organisations.

•The breach happened five months ago.

•Data on your customers was posted on a dark web forum, two weeks ago.

Day 6 – Wednesday, 22:50

Tomorrow’s papers

Police arrest teenage hacker
Authorities believe a student bought data on dark web to threaten over 100 businesses across the country.

A “lucky” breach?

• Acme should have known its data was put at risk by distributor

• What lessons can be learned from each decision made?

• Many challenges weren’t faced in this short simulation, e.g. legal issues, procurement, compromised accounts, regulators.

Which attack to simulate?


the future?

Massive growth in digital opportunities and cyber threats.

Expectations on CEOs will rise: to have a detailed plan to reduce harm from cyber attack.

what we do

We help executives reduce harm caused by cyber attacks

Practice your Response with Executive Simulations

Bespoke Commercial Response Plan

Commercial Coach for Cyber Attack Response


thank you

www.CyberRescue.co.uk

Kevin Duffey, Managing Director

+44 (0)7920 766530

Cyber Crisis Follow up

Greater challenge? Unresponsive Vendors, Angry Regulators,

Communications compromised, Multiple frauds on consumers,

Other attacks: In your next annual simulation, what to focus on?

Data integrity attack; IoT attack; Ransomware;

Prevention:
• “Trust but verify” partners – automatically tell them if compromised
• Create a “cyber resilient culture” - train your staff

Agree Goals with IT Director


https://www.youtube.com/watch?v=sq-0tjv4_BA