In the worst-case scenario of a cyberattack, such as a wiper that destroys systems or ransomware that encrypts them, nothing works. In an age of Voice-over-IP this may mean there is no phone to reach employees, insurers, law enforcement, the press or business partners; no email with which to notify regulators or data subjects within the mandated timeframes; no security tools with which to even start the response; and sometimes no way into the building itself, because the access control systems are down. For the security and IT operations teams to be able to respond and recover after a cyber crisis, all essential data and tools should be kept isolated in a cleanroom reserved for emergencies. But the cleanroom concept can do more than that: it helps security teams defuse an attack proactively, before it ignites.
Cybercriminals are creative and unpredictable, and both qualities make it extremely difficult for security teams to prevent or detect attacks and to contain their blast radius. While the cause and effect of a traditional IT disaster recovery scenario such as a flood or fire can be clearly defined, attackers assemble their campaigns from thousands of known and new puzzle pieces in varying sequences, often stretched over hundreds of days.
Many of us who work in cybersecurity use the MITRE ATT&CK framework to map the complexity of cyberattacks into 14 stages, or "tactics", which between them contain several hundred individual techniques and sub-techniques. This knowledge is based on precise analysis of real-world attacks and is continuously updated. Security teams will find everything from reconnaissance against target networks through to the adversary achieving their final objective, be it data exfiltration, data deletion in a wiper attack or encryption in a ransomware attack. The framework describes all common tactics and techniques of a cyberattack and how they are connected.
Cyber actors do not follow a script. They mix tactics, jump back and forth between individual attack steps and invent new approaches. For example, many organisations are familiar with phishing as a common initial access vector for ransomware, but the economies of scale of Ransomware-as-a-Service platforms mean that affiliates are moving to the exploitation of zero-day vulnerabilities faster than organisations can scan for and remediate them.
The result is an enormous number of ways to break in, and just as many ways to recombine them into as-yet-unknown attack paths. On top of this, the ATT&CK tactic with the greatest number of techniques under it is Defence Evasion: the ability to render endpoint and network security tools ineffective at preventing or detecting the attack. Once adversaries have infiltrated and carried out their hostile actions, they can exert massive pressure on their victims. Recently, one ransomware group went so far as to report its victim to the SEC because the victim had not reported the breach (or paid the ransom).
Every account of a successful attack against a company shows that, despite high investment in clever defence techniques, fully-staffed Security Operations Centres and increased attention from boards and senior management, attackers still manage to penetrate even large environments. The incident at MGM, with a potential loss of $110 million USD, is just one of many recent examples.
Are there better ways to efficiently find clues in all the signals the Security Operations team receives, and to stop an attack before it reaches the final Exfiltration and Impact tactics of the MITRE ATT&CK framework?
The danger is real
In crisis management, people massively underestimate how much a successful cyberattack can limit the capabilities of the target company. It is often assumed that the teams will be able to phone each other, coordinate in meetings and start their security analyses and tools.
However, in the event of a successful ransomware attack, much of an organisation's infrastructure may be affected: physical access control servers, VoIP systems, CMDBs and all IT services and tools. In a massive incident, employees, partners and customers can be cut off from one another, and no one knows what anyone else is doing. Even the access control systems can be down, so that employees cannot open doors to get into buildings or out of rooms. Organisations must understand that these impacts are real: the disruption caused by many successful attacks proves it. They also need to establish an isolated cleanroom that can rapidly restore the organisation's ability to investigate, contain, eradicate and recover from the incident, including all of the security, collaboration and communication tooling that this requires.
Isolated playing field
Organisations often focus all of their effort on the rapid recovery of their production systems, but pay scant regard to the systems needed for the incident response itself: the tooling that lets them mitigate the risks that caused the incident before systems are put back into production.
The cleanroom is the emergency first responder, free to act without disruption or observation by the attacker. It contains all the basic tools and data sets an organisation needs to respond to an incident: the core services for communication and collaboration, for investigating the incident and for mitigating the threat before moving on to recovery.
Different skill sets within the digital forensics and incident response team can work in parallel on several copies of the snapshots of affected systems, conducting file system forensics or extracting binaries for detonation in sandboxes or submission to resources such as VirusTotal; hunt teams can passively hunt for indicators of compromise across diverse systems and across the entire incident timeline; and the organisation's obligations to notify regulators and data subjects can be understood even if the production data has been wiped or encrypted.
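The kind of passive hunt described above, as an added example that is not code from the original page or from any vendor platform: it assumes that each snapshot of an affected system has been mounted read-only as a directory (one directory per snapshot, oldest first), hashes every file, flags matches against a list of known-bad SHA-256 hashes, records the first snapshot in which each file version appears (an estimate of dwell time), and counts how many existing files changed content between consecutive snapshots (a mass change is the signature of encryption). The snapshot contents, the stand-in dropper binary and the IOC list are constructed inline so the example runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artefacts are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(snapshot_dir: Path) -> dict[str, str]:
    """Map each file's path (relative to the snapshot root) to its SHA-256."""
    result = {}
    for root, _dirs, files in os.walk(snapshot_dir):
        for name in files:
            p = Path(root) / name
            result[p.relative_to(snapshot_dir).as_posix()] = sha256_file(p)
    return result


def hunt(snapshots: list[tuple[str, Path]], ioc_hashes: set[str]) -> dict:
    """Hunt across a timeline of mounted snapshots, oldest first.

    Returns IOC hits, the first snapshot in which each (path, hash) was seen,
    and, per snapshot, how many pre-existing files changed content since the
    previous snapshot.
    """
    hits = []        # (snapshot label, relative path, sha256)
    first_seen = {}  # (relative path, sha256) -> label of first snapshot containing it
    changed = {}     # label -> count of files whose content differs from the prior snapshot
    prev = None
    for label, snapshot_dir in snapshots:
        inv = inventory(snapshot_dir)
        for rel, digest in inv.items():
            first_seen.setdefault((rel, digest), label)
            if digest in ioc_hashes:
                hits.append((label, rel, digest))
        if prev is not None:
            changed[label] = sum(1 for rel, d in inv.items() if rel in prev and prev[rel] != d)
        prev = inv
    return {"hits": hits, "first_seen": first_seen, "changed": changed}


# Constructed sample data (assumption: a real IOC list would come from threat
# intelligence or a VirusTotal lookup, not from hashing a byte string here).
DROPPER = b"MZ\x90\x00 constructed stand-in for a dropper binary"
DROPPER_SHA256 = hashlib.sha256(DROPPER).hexdigest()
IOC_HASHES = {DROPPER_SHA256}


def build_snapshots(base: Path) -> list[tuple[str, Path]]:
    """Write three constructed daily snapshots: clean, dropper lands, files encrypted."""
    docs = {f"Users/alice/Documents/report{i}.docx": f"quarterly report {i}".encode()
            for i in range(5)}
    days = {
        "day01": dict(docs),
        "day02": {**docs, "Windows/Temp/svchost_.exe": DROPPER},
        "day03": {**{k: b"ENCRYPTED " + v for k, v in docs.items()},
                  "Windows/Temp/svchost_.exe": DROPPER,
                  "Users/alice/Documents/README_TO_DECRYPT.txt": b"constructed ransom note"},
    }
    out = []
    for label, files in days.items():
        root = base / label
        for rel, content in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        out.append((label, root))
    return out


def demo() -> dict:
    """Run the hunt over the constructed snapshots and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_snapshots(Path(tmp)), IOC_HASHES)


if __name__ == "__main__":
    findings = demo()
    for label, rel, digest in findings["hits"]:
        print(f"IOC hit in {label}: {rel} ({digest[:12]}...)")
    print("first seen:", findings["first_seen"][("Windows/Temp/svchost_.exe", DROPPER_SHA256)])
    print("files changed per snapshot:", findings["changed"])
```

Because every snapshot is hashed independently, the per-snapshot work parallelises trivially across analysts or workers, and the first-seen index turns "which day did this land?" into a dictionary lookup rather than a manual diff of backups.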
By definition, the cleanroom is an isolated, highly secured area separated from the rest of the network. The underlying infrastructure should consist of immutable storage and follow zero-trust principles, and all data should be encrypted both in transit and at rest. Ideally, a cleanroom should be able to take advantage of data already under management to support hunting, forensics and classification without having to deploy yet more security tools. Data security and management platforms such as Cohesity provide all of this and, thanks to their backup and disaster recovery services, generate permanent, immutable snapshots of all production data.