Data Breach Response, Prevention

Thursday, October 11, 2018 @ 04:10 PM gHale

By John Grim
Cyber-espionage is a primary motivation behind data breaches in the manufacturing industry.

Manufacturers have a lot to lose from a breach. Threat actors may target a manufacturer’s proprietary information and intellectual property to sell to a competitor. Customers trust third-party manufacturers with their cutting-edge prototype and sensitive design plans – if a manufacturer’s weak network security leads to a data leak, business is impacted, and customers will take their business elsewhere.

GSX: Integrate All Security
ICSJWG: Solid Solutions ‘Not Rocket Science’
ICSJWG: ‘If it Isn’t Secure, it Isn’t Safe’
Black Hat: Breaking Down Safety System Attack

One manufacturer—highlighted in Verizon’s 2018 Data Breach Digest report—was infiltrated by state-affiliated threat actors.

The hackers used “Mimikatz” — a credential theft tool — to steal passwords, and in turn, traverse multiple systems in the company’s network and steal thousands of sensitive, proprietary computer-aided drafting (CAD) drawings, circuit board schematics and engineering design documents. The threat actors gained access into the company’s system through a targeted phishing email to a senior IT administrator purportedly about their 401K retirement plan.

This story is not unique – thousands of companies experience data breaches or cybersecurity incidents every month. What can other manufacturers do to prevent similar attacks? Manufacturers must respond quickly when they discover a breach. Furthermore, every manufacturer should make cybersecurity training and preparation a top priority.

Fast, Thorough Response
Once a manufacturer determines a data breach has occurred, time is of the essence. And with regulations like GDPR now in effect – time equals money. It is imperative that organizations quickly determine the depth and scope of the breach and stop any further information leakage. The local IT team should coordinate immediately with the company’s crisis management team, if applicable, as well as any relevant third-party consultants to address the situation. In the event a breach occurs, the manufacturer should:

Call in the experts: If not already involved, the manufacturer should engage their legal team, law enforcement (when the time is right), and third-party investigators (when applicable), to support the internal IT team.
Gather system information: The manufacturer and investigators should collect access logs to key servers and email, and prior to system shutdown, they should collect and quickly examine in-scope volatile data and system images. This will help determine what information may have been compromised and who may have been responsible.
Gather breach information: The manufacturer should use the data gathered and information about other breaches to figure out how the threat actor operates and determine the Indicators of Compromise (IoCs), the data and information that indicate potentially malicious behavior on a network.

If the manufacturer does not already have a cybersecurity response plan in place, it should develop one and train employees on the systematic protocol before it experiences a security incident. Cybersecurity response plans should be all encompassing – to making sure the right people have access to outside lines to communicate with one another to knowing what to do from the minute the breach is found.

Reducing Risk
Beyond having a strong incident response plan in place and working with professional cybersecurity investigators, manufacturers should also have a strategy for cyber-attack prevention and mitigation. Manufacturers can take several steps to mitigate the risk of a data breach:

Conduct Training and Awareness: Manufacturers should provide cybersecurity awareness training for all employees at least once a year. Training should emphasize awareness and reporting of phishing emails. In addition to training, employers should provide employees with a quick and easy way to report suspicious emails. Internal threats are one of the most common causes of a breach.
Utilize External Communication: To help mitigate the risk of phishing emails, manufacturers should make external emails stand out by adding prepend markers to the ‘Subject:’ line indicating an email has originated from outside the company.
Implement Multi-Factor Authentication (MFA): With the threat of cyber-attack a commonplace reality, manufacturers need to implement multi-factor authentication for access to web applications and databases. Single-factor authentication is no longer adequate protection. Manufacturers should also require virtual private network (VPN) access for remote connections to the corporate environment.
Limit Access: Manufacturers should keep highly sensitive and secret data separate from their larger networks. By restricting access to sensitive data to only the employees who require it to do their jobs, a manufacturer may decrease the chance this data will be compromised if part of its network is breached. The manufacturers should also monitor access to this data to make sure it is not access or copied in a suspicious manner.

Cyber-attacks are an unfortunate part of doing business in the digital age and manufacturers should make cybersecurity a top priority to protect proprietary information. CIOs and IT managers should institute comprehensive cybersecurity training for all employees – not just those in IT. They should also be sure their companies have incident response plans in place in the event the manufacturer experiences a cybersecurity incident. Strong response and prevention methods together can help a manufacturer greatly reduce the risk of a breach and help it respond appropriately if (or when) its systems become the target of a cyber-attack.

John Grim is a senior manager at Verizon. He has over 15 years of experience in conducting digital forensic investigations within the government and civilian security sectors. He currently serves as a part of the Verizon Threat Research Advisory Center (VTRAC) and leads a team of highly skilled technical digital investigators.

Leave a Reply

You must be logged in to post a comment.