A day in a life of a hacked organization

I meet many customers at conferences, meetings, briefings, and so on, and exchange many stories with these organizations. Most organizations think they are invincible. They have never gone through the fire drill of a data breach. They don't think they will ever be breached because they are "too small" or "too big", or they are simply too confident in their security posture.


Let me try to combine some of the experiences and stories that I have heard from organizations that have gone through a data breach. You may recognize some of this story from the news headlines.


The story starts here:

The Anonymous group tweets at 11p on a Saturday night that they have successfully penetrated the IT infrastructure of your company, Invincible Inc., to "teach a lesson" that a monopoly in your industry is not good. Anonymous claims to have acquired 100 million records of your users over the last 7 months. They have posted a sample of 100,000 records of your top users, including their personal and financial information.


The media immediately picks up the tweet, examines the tweets and the records posted by Anonymous to check their authenticity, and puts your company in the headlines. The next thing you know, your company, Invincible Inc., is accused of catastrophic failure as an organization for not adhering to security and compliance policies, resulting in the disclosure of 100,000 personal records and the theft of 100 million account records.


The social media community manager gets an alert on her iPhone that she reads at 2a on Sunday after a party, and she notifies her boss and the VP of Marketing by phone. The marketing head then calls your CEO directly at 3a and informs him of the global media outburst about the data breach and about the CEO himself. The CEO reads all about it online and panics. He goes cold, drinks some water, catches his breath, and wants to find out whether this is true. He calls the CIO and CFO for an ad-hoc meeting at 5a.


The CIO calls the CISO and asks him to investigate the reported data breach and report back within 30 minutes so that they can brief the CEO. The CISO immediately calls his entire team of analysts and asks them to confirm whether there is a data breach, to validate the number of records stolen, and to determine how and where the breach occurred.


Assuming the best-case scenario (that all your analysts are available at 3a on a Sunday and have access to their computers), they still don't know what to look for, because they have never had a fire drill. Thirty minutes pass, the CIO calls the CISO at 3:30a, and they all report back that they don't see anything wrong with any of the systems, nor do they believe that their data was stolen.


The CIO yells at the team and shows them the proof: 100,000 sample records about their top users, completely disclosed. The analysts, however, see no trace of any suspicious activity and maintain that the data breach did not happen. The CIO orders a comprehensive forensic investigation and asks all the analysts to go through the logs of every suspicious server and system to see if they can find something. The analysts start looking through the logs of hundreds of servers, firewalls, and web servers covering the last 7 months, searching for anomalies or patterns.


The CISO gets on a call at 4a with the CEO, CIO, and CFO and says that the initial investigation does not confirm the data breach and that it could be an attempt to defame the brand. However, he cannot confirm that the breach did not occur either, so the team is conducting a comprehensive analysis of every log on every server and system. The CEO loses his patience and yells at the CIO, saying he cannot believe that this may have been going on for 7 months and that they can neither confirm nor reject the claim. The CIO asks for a few hours to investigate and come up with a response.


It is 9a on a Sunday morning. The analysts have been up and working for over 5 hours and have been able to analyze logs from only 10% of the systems. They have found no trace of a data breach or data loss. Most of the analysts are still learning what to do after a data breach and really don't know where to start. The CISO calls an all-hands meeting at the office at 11a on Sunday morning.


It is 11a. The analysts have all been locked up in the data center room doing research. The CISO has ordered pizzas and is joined in the data center building by the CIO, CFO, CEO, and a bunch of VPs. The PR and marketing teams are also around, preparing a response for when some information turns up. Most of the executives' phones are ringing constantly, with their contacts, the media, and family calling to find out what is going on.


It is now 8p on Sunday night, and still nothing confirms whether a data breach occurred, whether the hackers still have access, or whether it is just a PR stunt to defame the brand. The CISO gets a call from a friend who uses ArcSight. The CISO asks for the ArcSight contact and calls for help.


Fortunately, ArcSight has a partner in the same city, and they offer to help the CISO the same night. ArcSight and its partner arrive at Invincible Inc. at 10p on Sunday night with ArcSight and TippingPoint boxes. ArcSight is a SIEM solution that helps detect and protect IT in real time, and TippingPoint is an IPS solution that blocks attacks in real time. The ArcSight solution consultant plugs the IPS into the network and fires up the software in 15 minutes. They configure it to monitor the network segments where critical data exists. They immediately start seeing suspicious activity, such as communication through a proxy to known bad networks, and TippingPoint blocks it.


ArcSight, in the meantime, is brought up and configured within two hours, and it starts collecting logs from TippingPoint and from the other sources where the IPS showed data moving. The data connectors pull logs for the last 7-8 months from hundreds of devices in a few minutes, correlate the data, and report it on dashboards. It is around 1a on Monday morning, and the analysts now have complete information on which systems were attacked, what data was stolen, who attacked them, and where the data was transmitted. The audit-quality log data has been preserved and can now be used as proof to validate the attack.


Invincible Inc. finds out, for the first time, that it could be breached. Even though the Anonymous group claimed to have 100 million stolen records, the report confirms that only 27.8 million records were actually stolen, and that another 30 million records had been captured and were in the process of being decrypted. Thanks to TippingPoint, the data transmission was blocked, and ArcSight ensured the right policies were deployed so that all the remaining malicious software was removed from the entire network.


The company prepares its response all night. The CEO discloses that the data breach occurred and apologizes for taking security lightly. Invincible Inc. publishes the response before the market opens and goes on to lose about 30% of its market capitalization over the next 6 months through hundreds of lawsuits and regulatory fines. The good news is that Invincible Inc. deployed the tools and stopped the complete loss of its data in time. The company has not been attacked since. It has built a new state-of-the-art security operations center (SOC) with ArcSight and HP security solutions, including Fortify and TippingPoint.


Moral of the story:

Don't wait for something to happen and then look for solutions. If you have important information, you need to secure it. Call HP ArcSight today, or evaluate our free software trials, and see how you can prevent 97% of data breaches through simple controls such as log management.
