When the going gets tough, Lockheed Martin CISO Chandra McMahon responds with mature incident response, says Dan Kaplan.
For Chandra McMahon, being in charge of information security at the nation’s largest military contractor means the process of incident response must happen well before data leaves the building.
Lockheed, a 126,000-employee company headquartered in Bethesda, Md., and best known for its design and production of fighter jets and ballistic missiles, is an unsurprising major target of adversaries, namely foreign cyber operatives wishing to commandeer the company’s critical intellectual property.
To deflect such attempts, Lockheed relies on a seven-step methodology, known as a kill chain, to not only ward off attacks before any sensitive data exits the network, but also to gather intelligence about the threats the company faces so it can bolster future defenses. In a way, the proactive nature of the process is the modern-day take on incident response (IR): Accept the fact that compromise will happen, and adjust accordingly.
“The goal is not to get into incident response,” says McMahon, 45, Lockheed’s CISO since Sept. 2010. “But the way the kill chain is [set up], you’re doing incident response as soon as the attack gets started.”
And that’s exactly the process Lockheed kicked into motion in May, when its networks were compromised by advanced adversaries who used cloned RSA SecurID tokens to gain access. The intruders were after “program” data, McMahon says, and the attack originated through one of its suppliers. Lockheed, which was not required under law to disclose the incident because it did not involve the loss of personal data, chose to release a statement after media reports surfaced that the company had temporarily suspended remote access to employees.
Lockheed is hardly unique in its predicament. This year has witnessed an unprecedented number of high-profile breaches: from alleged Chinese spies after a company’s secret sauce or supposed Russian organized criminals in search of credit card numbers to loosely connected bands of hacker activists, such as Anonymous and LulzSec, who seek to embarrass corporations or government agencies with which they take issue.
It is now abundantly clear that a Fort Knox strategy for cyberdefense – trusting that high walls will keep the hacker out – is not only outdated, it’s inappropriate. According to a July survey from NetIQ and Harris Interactive, more than 70 percent of the 200 IT security decision-makers who responded say their organizations have been impacted by a data breach. In another study from Juniper Networks and the Ponemon Institute, just 10 percent of the 583 IT and IT security practitioners interviewed say their organization survived the past year without a breach.
Experts now agree that compromise should be expected and assumed and, as a result, organizations should invest just as heartily in detection and response techniques as they do in prevention.
“Incident response is really tied to the resilience of a corporation to rebuff attacks, because they are going to occur,” McMahon says. “The question is, what is the level of success an attacker is going to have when they attempt to attack your network?”
At Lockheed, the kill chain is made up of the seven steps that typically characterize a sophisticated infiltration: reconnaissance, weaponization, delivery, exploit, installation, command-and-control and action on objectives. Just as long as Lockheed’s defense mechanisms are good enough to identify and stop an ongoing attack at one of those seven stages, the mission will have succeeded, McMahon says.
“The premise is that the attacker has to be correct every step of the way,” she says. “Somewhere between steps one and seven, we have to stop those attacks.”
With every passing high-profile breach – it seems at least one major data leakage incident makes headlines each week – it’s easy to become desensitized to the sheer scope of the epidemic. Consumers of media have watched a who’s who of big-name brands fall victim this year, from Sony to Booz Allen Hamilton to NASDAQ. Even the top-secret Oak Ridge National Laboratory and the security company RSA succumbed to attack. So while the public may be more accepting of breaches – understanding full well that the precision of certain classes of attacks makes them nearly impossible to stop – that doesn’t mean customers and clients will sit back and accept a suboptimal response.
They want to be comforted that the companies to which they entrust their personal information are taking the right countermeasures to safeguard it. And if a breach does happen, the same organizations better be ready to mobilize their IR plan, which should involve not just security and forensic teams, but also legal, senior management and public relations groups.
“I think public perception of incidents is changing,” says Jeffrey Carpenter, technical manager of the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. “They’re developing expectations of how the people they do business with treat data and treat incidents where the data may have been compromised.”
While 46 states now require breached entities to notify individuals if their personal information is lost or stolen, a number of companies have opted to be even more transparent about the attack, offering details such as how it happened and what the likelihood is of fraud.
But for every breach response success story, it seems, there is a failure. For example, in November, the Indiana attorney general’s office filed a lawsuit against Indianapolis-based health insurance provider WellPoint for taking some four months to notify 32,000 state residents that their personal data was breached.
In some cases, companies admit to their response shortfalls. When hackers publicly posted 1.3 million email addresses, usernames and passwords of registrants of Gawker Media properties, CTO Tom Plunkett came clean in a memo to staff several days after the initial announcement was made. Among his comments: “First, we never planned for such an event, and therefore had no systems, or processes in place to adequately respond. Our focus as a team (and company) has been on moving forward. This put up blinders on several fronts. As a result, numerous wrong decisions were made by me this past weekend in responding to the security breach.”
Epsilon did have a plan in place. When the Dallas-based email marketing services firm learned on Wednesday, March 29 that its systems were plundered of customer data belonging to clients – mainly email addresses – it immediately reacted.Per the company’s IR policies, a team of senior leaders assembled to focus on key areas: conducting forensics and working with law enforcement, communicating with clients and investors, analyzing technology deficiencies and suggesting fixes, and interacting with the media. It was no simple task.
“The amount of stress and strain on a small amount of individuals working around the clock is astounding,” says Bryan Kennedy, Epsilon’s CEO.
Between Wednesday and that Friday, when Epsilon released a public statement for the first time, the company had already notified dozens of clients – including Best Buy, Capital One and Disney – whose tens of millions of customers were actually the ones directly affected. In an interesting twist of fate, Kennedy says, Epsilon’s mature IR plan actually hurt some of its clients.
“Some clients would have preferred that we not communicate so quickly because that turned them into IR mode, and not a lot of them were prepared for that,” he says. “I think we didn’t have a choice but to be frank. [But] the pace by which we moved meant there was some blood on the floor.”
He has no regrets, though. “We live and breathe by serving our clients,” he says. “If there’s not transparency and openness with our clients, we don’t really exist. We’re not going to maintain client relations over the long term.”
Practice makes perfect
However, for many organizations, especially smaller ones, IR often takes a backseat to other technology priorities because IT managers are unable to express its ROI value to senior management, say experts. In fact, the first step of the CERT Coordination Center’s eight-step process to implement a computer security IR team is to obtain executive management support and buy-in.
Entities also must ensure the IR team receives ongoing support with budget, personnel and equipment resources, or it runs the risk of losing its relevance. Each plan must clearly delineate the key stakeholders, their responsibilities and how to provide actionable information to the right people.
“It’s not enough for someone to just write a plan because it needs to be institutionalized so different parts of the organization that are going to be involved need to understand their role and authority,” says Robin Ruefle, team lead for CSIRT Development and Training at Carnegie Mellon.
Then, the involved parties must regularly review and test the plan. This also extends to partners. Organizations must ensure that third-parties with which they have business relationships handle incidents in a similar way.
“The worst time of figuring out how to respond is if you’re in the middle of an incident,” Carpenter says. “Under time pressure, if you don’t have anything to guide you, you’re likely not to have the right resources lined up, and you are likely to make mistakes in the process.”
These blunders may include not taking into consideration protection of legal liability and contractual requirements, he says. It could also lead to a publicity nightmare that could result in customer attrition or negatively impact the stock price of a publicly traded firm, say experts.
Steve Collins, the security sector lead at Text 100 Public Relations, says organizations must engage with their employees, constituents and investors soon after learning of a breach. But they shouldn’t feel compelled to include all the pertinent information right away because that could lead to inaccuracies being communicated.
“You have to be able to say that there is something going on here and we’re working on it,” Collins says.
Back at Lockheed, McMahon recognizes the delicate balance that must be struck between being up front with affected individuals and also protecting the company’s interests. “I think from a communications perspective, we need to balance operational security with transparency and candor around what’s happening,” McMahon says. “It’s a fairly intense discussion around what really should be the standard here. From my perspective, my job is to protect the Lockheed Martin enterprise to the best of my ability, and I want to provide information to organizations and groups and customers that need to know what we’re doing to do just that.”
The buck stops here
Of course, no company wants to get to the point where a major breach results in the theft of sensitive client data. So, they often turn to technology to help solve that piece of the puzzle. But even before enlisting any solutions, organizations must think like a criminal.
That means performing a discovery to understand exactly how much sensitive data comprises their networks – and where exactly it lives, says Nicholas Percoco, senior vice president and head of the SpiderLabs team at Trustwave, a security and compliance firm based in Chicago. This enables organizations, when they do experience a breach, to grasp the systems from which assets could be exposed.
“In general, organizations are not prepared [for a breach],” Percoco says. “A lot of organizations don’t know what they have out there. They don’t have a great inventory.”
He admits that incidents are a when-not-if scenario, but many businesses also are slow to detect an issue once it is happening. A Trustwave report last year based on 200 actual investigations concluded that the average amount of time from when attackers took an initial foothold in a network to when they were discovered and their malicious activities stopped was about 150 days.
In one example of a “well-known brand” with which Trustwave worked, only two people were responsible for monitoring and responding to security events, Percoco says. Many companies are in similar situations, which leads to them missing obvious clues. And, in the case of advanced attacks, they typically can’t rely on traditional security solutions, like anti-virus and firewall, to detect the hack because the adversaries use custom malware.
“We see it all the time,” Percoco says. “There are [help desk] tickets that they write off as normal system problems, and then six months later, we’re in that environment investigating for a breach.
Attackers still present
The investigation piece to the response puzzle is also critical, says Dave Amsler, CIO and president of Foreground Security, a security services provider. In some cases, organizations may overreact to an issue on one system and shut it off, but not realize that the attackers are still present. IT departments may begin “panicking and pulling wires” when, in fact, this is a pivotal time to collect data to assess how the adversaries operate, he says.
“Every incident we deal with – and we deal with thousands of them each year – the ones I’m most concerned with are the sophisticated ones,” Amsler says. “If I’m not able to replay what happened, I can’t figure out what happened, how it happened, are they still there and what are they doing.”
Lockheed, which also provides IT services and integration to the U.S. government, leans on its security toolbox to prevent data theft. Its portfolio consists of about 80 percent of commercial products that are apt at stopping the so-called low-hanging fruit attacks – categories like SQL injection that groups like LulzSec and Anonymous often leverage to infiltrate target companies. The remaining 20 percent of the toolbox is specifically designed in-house at Lockheed to respond to the advanced persistent threat.
Combine that technology with mature processes and well-trained human capital, and McMahon is confident that Lockheed Martin is well positioned to resist a cyberattack.
“We have gone through a transformation within Lockheed Martin within the last five to 10 years,” she says. “We are extremely well aligned to be able to execute and respond to an incident.”
Spring into action: Steps to success
The effectiveness of an incident response plan can be judged within the first 24 to 48 hours. But there are tricks to the trade, assuming organizations have prepared for the moment.
- Be proactive: Have the people, processes, and technology in place ahead of time.
- Lock down: Secure your network beyond current settings so you can bottleneck issues.
- Gain insight: You need capabilities to have complete visibility into your environment.
- Strategize: Identify the essential pieces of data that keep your organization going and ensure those pieces are protected first.
- Don’t overreact: Be careful of alerting the attackers and continue ‘business as usual’.
- Document: Record steps you’ve taken, issues discovered, anomalies, and other data that will produce information later.
- Investigate: Store as much important information as possible for forensic analysis later.
- Remediate: After enough information is gathered to halt the incident, clean up the network.
- Review: When all is said and done, make sure the whole incident is walked through to prevent a recurrence.
- Communicate: Keep executives informed, track facts, and work on talking points which could be used for media inquiries.
Source: Foreground Security
Key stakeholders: Sources of help
Experienced staff is essential to incident response. Be sure to involve leaders from these organizational groups.
- Business managers
- Human resources
- Public relations
- Security, including physical
- Audit and risk management
- Constituent representatives
Source: Carnegie Mellon University’s Software Engineering Institute