When to think about a cyber security do-over

This is a piece that I co-authored with Greg Matusky and Mike Lizun of Gregory FCA. 

Imagine you’re on the precipice of greatness, some victory that will define you or your enterprise for eternity. Something important, game-changing, like going public, executing a merger, or something even bigger, like winning your first ever Super Bowl after 50 years of frustration.

And then it’s all lost. Stolen in the dark of night by someone who hacks your system and steals the secret sauce. Maybe it’s your IP or some market advantage. Or maybe it was simply the plays you plan to call that now will be used against your organization.

A lot of football fans, players, and coaches believe that is exactly what happened in 2005 when the New England Patriots beat the Philadelphia Eagles in Super Bowl XXXIX.

Even during that game, Philadelphia coaches knew something was amiss and tried to change set play calls. Every time the Eagles’ defensive coach blitzed, Tom Brady knew it and made a quick outlet pass. Two years later, the Patriots were fined $250,000 and draft picks for getting caught videotaping and stealing the play calls from the New York Jets. A U.S. senator opened an investigation and found New England had been wrongly videotaping and stealing opponent play calls since 2000.

This year, after the Eagles beat New England, there’s been a lot of scuttlebutt about secret security measures the Eagles deployed to thwart any and all intrusions. One story holds that Philadelphia ran a fake practice the Saturday before the game, running plays and using a play call system they had no intention of using. Whether it happened or not, you gotta believe the Eagles weren’t going to be robbed again. Something did work. New England didn’t have a clue as to what the Eagles were doing on offense. They didn’t know about their calls and the result was Philadelphia putting up 538 total yards of offense.

Not every business gets to have a do-over like the Eagles. And in most cases, when it comes to cyber security and data breaches, hindsight is always 20-20. As an example, look at this recent Ponemon survey of 1,200 IT professionals. It found that the majority of them aren’t satisfied with cyber threat sharing tools in terms of timeliness, accuracy, and the poor quality of actionable information. Some of this has to do with a johnny-come-lately realization that threat intel could have been used to prevent a previous attack. Even UK-based telecom provider BT is now sharing its threat intel with its competitors, to try to stem attackers. So maybe the tide is changing.

There are lots of other cybersec lessons that could be learned from the latest Super Bowl matchup and what organizations can do when they get a second chance at defending their networks. They involve the role that revenge can play in motivating ex-employees, deliberate attempts to confuse attackers, and using specific traps to flush out intruders and confuse adversaries.

First, let’s look at revenge attacks.

These happen when insiders or former insiders get motivated by something that they experienced, and want to take out their frustration on their former employer.

The classic insider revenge scenario dates back to 1999, when Vitek Boden was applying for a job for the Maroochy county sewer district in Australia. He was a contractor for the district and the county decided not to hire him. To seek revenge, he caused thousands of gallons of raw sewage to be dumped into the local waterways, using a series of radio commands. He was eventually caught by a police officer with various RF equipment. What is important to note is that Boden had all this insider knowledge, yet never worked for the agency that he attacked. He was able to disguise his actions and avoid immediate detection by the agency IT department, which never had any security policies or procedures in place for disgruntled employees.

Ofer Amitai, the CEO of Portnox, has a more modern revenge tale. One of his customers is a big food company that didn’t pay attention to who was connected to its WiFi network. It had one employee who was fired, and came back to the vicinity of the plant with his own laptop. He changed temperatures on the refrigerators and destroyed hundreds of thousands of dollars of merchandise in revenge.

From these two examples, you can see it pays to be careful, even if a former employee never sets foot on your property or even if you never hired your potential attacker. Certainly, you should better screen insiders to prevent data leaks or willful destruction. And businesses should always monitor their wireless networks, especially as it is simple for an intruder to connect a rogue access point to your network and access data through it.

What about ways to obfuscate attackers?

Like in the Super Bowl, teams are now more careful about how they call plays during the game and practice times. Teams now use an array of sideline ruses to confuse prying eyes, everything from placards with pictures of Homer Simpson to using as many as three decoy sideline play callers.

That’s not too dissimilar to planting special “honeynets” on networks. Typically, they consist of a web server and a stripped-down operating system with tracking software that registers when a hacker tries to compromise the system. These servers don’t contain any actual data, but appear to be a target to a potential attacker and can trap them into revealing their location, sources, or methods that can help network defenders strengthen their security. Honeynets have been around for more than a decade and have an active development community to make them more life-like to confound attackers.
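An added illustration, not code from the article or from any honeynet project: a minimal Python decoy listener of the kind the paragraph describes, which serves no real data, records every contact, and flags a source that probes more than one decoy. The decoy ports, the threshold, and the sample addresses are assumptions.

```python
# Added illustration of a decoy ("honeynet") listener: it serves no real data,
# records every contact, and flags sources that touch more than one decoy.
# Decoy ports and the threshold are assumptions, not from the article.
import socket, threading
from collections import defaultdict
from datetime import datetime, timezone

DECOY_PORTS = (2222, 8081)   # assumed decoy ports; nothing legitimate lives here
SCAN_THRESHOLD = 2           # distinct decoys touched before a source is flagged

class HoneypotLog:
    def __init__(self):
        self.events = []
        self.by_source = defaultdict(set)

    def record(self, src_ip, port, first_bytes):
        """Register one contact: who, which decoy, what they sent first."""
        event = {"ts": datetime.now(timezone.utc).isoformat(), "src": src_ip,
                 "port": port, "first_bytes": first_bytes[:64].hex()}
        self.events.append(event)
        self.by_source[src_ip].add(port)
        return event

    def flagged_sources(self):
        """Legitimate users never have a reason to contact a decoy, so any
        source probing SCAN_THRESHOLD or more decoys is reported."""
        return sorted(ip for ip, ports in self.by_source.items()
                      if len(ports) >= SCAN_THRESHOLD)

def handle(conn, addr, port, log):
    """Read the client's opening bytes, log them, close. Never answer with data."""
    conn.settimeout(2.0)
    try:
        data = conn.recv(1024)
    except OSError:        # timeout or reset: the contact is still worth logging
        data = b""
    conn.close()
    log.record(addr[0], port, data)

def serve(log, host="127.0.0.1", ports=DECOY_PORTS):
    """One listener per decoy port; each accepted connection gets a thread."""
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(5)
        def loop(sock=s, p=port):
            while True:
                c, a = sock.accept()
                threading.Thread(target=handle, args=(c, a, p, log), daemon=True).start()
        threading.Thread(target=loop, daemon=True).start()
```

To run the decoys, call `serve(HoneypotLog())` from a script and keep the main thread alive; `flagged_sources()` is what you would feed to an alert or a firewall block list.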

“There will always be timely weaknesses during such events that hackers can exploit,” says Dudu Mimran, the CTO of Telekom Innovation Laboratories in Israel. “Public events such as the Super Bowl present an opportunity because many people will be using digital devices and posting pictures and opening emails around the event. Defenders need to understand the expected sequence of actions around these events and create pinpoint defenses and guidelines to reduce the expected risks. There needs to be a series of layered defenses coupled with user education and better awareness too.”

Good luck with your own do-overs.
