ICSJWG: ‘Need to Rethink Game Plan’

Wednesday, May 4, 2016 @ 05:05 PM gHale


By Gregory Hale
Today’s well-funded and intelligent enemy is decentralized and not afraid to prod and poke around potential victims until they find a weak spot in their cyber security infrastructure.

“You can do a lot with technology and collaboration, but at the end of the day, it all comes back to people,” said Frank Grimmelmann, president and chief executive at the Cyber Threat Response Alliance during his keynote address Monday at the ICSJWG 2016 Spring Conference in Scottsdale, AZ. “It doesn’t matter what sector you are in, you will be attacked, that is a fact.”


While it may be easy to fall into an abyss and say the bad guys are always going to win, Grimmelmann argued otherwise.

“Are we going to keep looking every year and see things are getting worse? We are losing today,” Grimmelmann said. “We are losing to an enemy that is very well funded. We can go to the next level and write the book. We need to rethink the game plan.”

Part of rethinking the game plan is better coordination of attack information between the private sector and the public sector.

Grimmelmann heads up the Arizona Cyber Threat Response Alliance, Inc. (ACTRA) which is a hub for collaborative cyber information sharing in a neutral environment where partners from industry, academia, law enforcement and intelligence come together, leveraging cross-sector resources to more effectively analyze critical, real time intelligence and respond to emerging cyber threats to Arizona’s Critical Infrastructure and Key Resources.

“We look at why private actionable evidence is not shared,” he said. “Membership is private and public sector and we talk about intellectual property and economic security. We want member organizations to empower themselves and leverage resources back and forth with governmental resources. We want to be proactive and pull resources. We want to bridge private and public sectors.”

Going back to the decentralized attackers, Grimmelmann said the industry can no longer approach security the way it always has, relying on a strong perimeter defense.

“The adversary is coming at us and we have to be right all the time,” he said. “But sometimes we get caught up in the details” and forget the main priority.

Along those lines, Grimmelmann discussed the Verizon Data Breach report, where he pointed out there were 64,199 incidents and 2,200 breaches, which is a 3.5 percent success rate.

“You don’t want to be part of the 3.5 percent,” he said.

Some of the most successful types of attacks:
• Phishing
• Weak/Default passwords
• Less time to breach than to discover
• Minimal CVE data
• Workstations/People

As for the key attack vectors, Grimmelmann said the Verizon report identified phishing and point-of-sale (POS) systems.

Thinking about it, though, Grimmelmann asked why attackers should go to the trouble of creating code to crack into a system when they can target people, social engineer the daylights out of them, learn passwords and get into the system that way.

He also pointed out 95 percent of breaches were financially motivated. “With financially motivated attacks, everyone is open to attack.”

Grimmelmann also talked about how knowledge and working together could help stave off attacks like the grid attack in Ukraine.

On December 23, 2015 a significant power outage occurred in the Western area of Ukraine including the regional capital of Ivano-Frankivsk. Up to 700,000 homes went without electricity for three to six hours. Malware was a component of the attack. This was a case where a hacking incident involving an industrial control system affected ordinary citizens.

While no one knows the ultimate goal of the grid attack in Ukraine, some experts said the attack was not sophisticated, Grimmelmann said, but he disagreed.

“I say it was very sophisticated. They took on three companies at the same time. It was not sophisticated in the type of attack code, but sophisticated in terms of coordination. It was a destructive attack, but restrained.”

About two months after the outage, officials determined it was an attack. What was interesting is that when the attacks occurred, the energy company got its systems back up and running quickly. They didn’t wait for anyone to come in to investigate.

“We need to coordinate and collaborate, but you also need to be empowered and not wait for anybody else,” Grimmelmann said.

There was another malware issue that became public last week, this one at a German nuclear plant. The Gundremmingen plant, run by the German utility RWE, had viruses, including W32.Ramnit and Conficker, discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods, RWE said. The system was spared a worse outcome because it was not connected to the Internet.

Grimmelmann said some issues were:
• Payload was in place since 2008
• Payload mismatch
• Officials had to bring the system down to remediate

“The malware brought the nuclear power plant to its knees.”