Iran Developments & Proactive Containment Options

Friends, Colleagues, former SWRX Clients, and Current Clients,

At the risk of sounding alarmist…

Over the past decade I have assisted hundreds of you in developing Containment Plans as part of your TTX/CIRP objectives/deliverables. Many of you have listed nation-state attacks arising from world events/conflicts as possible cyber risks in your 10-K.  When we exercised these during your TTX, this was usually manifested in Inject #1 as “NATO/US and Russian aircraft are now shooting at each other in Ukraine”.

This morning on my drive to Santa Clara University where I was presenting on the topic of Cyber Security to Jeff Klaben’s graduate class of Tech, Business, and Law students, I heard on the radio that the US had engaged in offensive military actions against the Iranian regime.

Speaking as a retired military cyber warfare officer: the threat of non-kinetic attacks from cyber weapons is not unprecedented.  Iran was credited with the Shamoon attack of 2012 & Russia with NotPetya in 2017. Both were devastating wiper attacks that essentially “bricked” IT assets with great efficiency and scale. Neither depended on a zero-day: NotPetya's EternalBlue exploit targeted a vulnerability Microsoft had patched months earlier (MS17-010), and it spread just as well through stolen credentials over PsExec and WMI, so fully patched networks were bricked alongside the rest. This risk is still present today.

To my clients for whom I developed Containment Plans, I would recommend that you treat this morning’s developments as Inject #1 and execute accordingly.  If you have not already, (re)socialize the containment plan to ensure the CISO/CIO and CEO/CFO level authorities are still OK with the leadership team. Review the column 4 assignments and procedures so that if events do in fact unfold, your teams are ready to go.

For those of you who weren’t my clients, here are some low business impact, proactive containment options that may “save your bacon” should Iran launch a NotPetya type attack your way:

  1. If you have several Domain Controllers, take one of them offline (air gap) and rotate this action weekly; the remaining DCs keep serving logons while it is out, and clients find them through DNS.  The goal is that if all the other DCs are bricked, you have a fairly recent one offline/“air gapped” and ready for recovery. Keep the rotation short: a DC that stays offline longer than the forest’s tombstone lifetime (60 or 180 days by default) cannot be brought back into the domain cleanly. Maersk accidentally did this when they got hit by NotPetya, and they were able to quickly rebuild.  I was onsite for a client who also got hit and they lost ALL of their DCs and all of their build data that was stored on “bricked” servers. I have clients who started doing this after their TTX.
  2. I was speaking at a function in London after the NotPetya outbreak and a member of the audience approached me.  He was hit with NotPetya and he commented “Do you know how hard it is to get 1200 thumb drives?” (He had to rebuild all of his Windows-based desktops.)  I responded, “Do you know how lucky you are to have had the first thumb drive?”  MAKE SURE YOU HAVE THUMB DRIVE #1 NOW.
  3. Same for your server builds.  Put this information somewhere that can be “air gapped” for the next week, two, or three. See item #8 below.
  4. Any unused computers (e.g. training room, DevOps spares): I know you want to leave them on so they get all their patches, but TURN THEM OFF. They will auto-patch when you turn them back on, but if your network is bricked these will be the first assets you bring back up to get the organization functioning. When that day comes, bring them up on an isolated segment and patch them before they touch the rest of the network, since they will have missed every update released while they were off.
  5. I’d say maybe a dozen out of the ~400 TTX clients had very sensitive IP that, if lost, is gone forever. The people who built it are dead. It’s not coming back. One answer was copying the IP to an external hard drive, bubble wrapping it, and storing the box at Iron Mountain (encrypt the drive and record the key somewhere other than the box, or the copy becomes its own loss event). If this “Business Extinction” risk applies to you, do this ASAP.
  6. Review your cyber insurance to ensure “bricking” is covered.  Unfortunately, if there is an attack of any scale, cyber insurance underwriters may be in the same position as those insuring fires in California.
  7. Consider modifying your backup strategy from one built around hardware failure to one built around deliberate warfare/attack: a backup that is reachable from the domain with domain credentials will be wiped along with everything else. I don’t have easy answers for you.
  8. Do not for a minute trust that your “technology” will protect you (e.g. immutable storage).  Whenever possible, “air gap” these “proactive” assets. This is a temporary measure until we see how things turn out.
  9. For my regional banking clients, as we previously discussed, I would recommend you look at increasing your cash reserves and formalizing how you would administer paper-based, zero-percent-interest micro-loans to your known customers for small amounts (e.g. payroll/groceries) should we lose Fiserv or your enterprise become “bricked”.
  10. Northern European countries have already warned their populations about this concern: each of you individually should have 2-3 weeks’ worth of cash on hand in case none of your cards will work.
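For item 1, here is an added example (my editorial addition, not part of the original letter or any client's plan) of the pre-flight checks worth running before the weekly DC is pulled: it refuses to isolate a DC with replication failures, a DC that is the only one in its site or the only global catalog, or a rotation window that is not safely inside the tombstone lifetime, and it records the FSMO role holders you will have to seize if this DC ends up being the sole survivor. It assumes the RSAT ActiveDirectory module, Domain Admin rights on a management host, Windows Server Backup installed on the DC with a non-critical volume `E:` for the system state backup, and the hypothetical host name `DC3.corp.example`.

```powershell
# Added example, not from the original letter. Pre-flight before taking one DC offline
# for the weekly "air gap" rotation. Assumes RSAT ActiveDirectory and Domain Admin rights.
Import-Module ActiveDirectory

function Test-DcReadyForIsolation {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$MaxOfflineDays = 14   # assumed policy: a week offline plus slack
    )
    $ok = $true

    # 1. Replication must be healthy: the offline copy is only useful if it is current.
    $failures = Get-ADReplicationFailure -Target $Target -ErrorAction Stop
    if ($failures) {
        Write-Warning "Replication failures on $Target; do not isolate until resolved:"
        $failures | Format-Table Partner, FailureType, FirstFailureTime -AutoSize | Out-String | Write-Warning
        $ok = $false
    }
    # Record when each inbound partner last replicated successfully (goes in the binder).
    Get-ADReplicationPartnerMetadata -Target $Target |
        Select-Object Partner, LastReplicationSuccess | Format-Table -AutoSize

    # 2. Tombstone lifetime: a DC offline longer than this cannot rejoin cleanly
    #    (lingering objects). Unset attribute means the old 60-day default.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    $tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
    if ($MaxOfflineDays -ge $tsl) {
        Write-Warning "Offline window ($MaxOfflineDays d) is not inside tombstone lifetime ($tsl d)"
        $ok = $false
    }

    # 3. FSMO holders: if this DC is the sole survivor you will seize every role it
    #    does not already hold, so save the current assignment with the recovery notes.
    $dom = Get-ADDomain
    $for = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
        SchemaMaster         = $for.SchemaMaster
        DomainNamingMaster   = $for.DomainNamingMaster
    } | Format-List

    # 4. Never isolate the only DC in a site or the only global catalog.
    $dcs = Get-ADDomainController -Filter *
    $me  = $dcs | Where-Object { $_.HostName -ieq $Target -or $_.Name -ieq $Target }
    if (-not $me) { throw "$Target is not a domain controller in $($dom.DNSRoot)" }
    $siblings = $dcs | Where-Object { $_.Site -eq $me.Site -and $_.HostName -ne $me.HostName }
    if (-not $siblings) { Write-Warning "$Target is the only DC in site $($me.Site)"; $ok = $false }
    $otherGCs = $dcs | Where-Object { $_.IsGlobalCatalog -and $_.HostName -ne $me.HostName }
    if ($me.IsGlobalCatalog -and -not $otherGCs) { Write-Warning "$Target is the only global catalog"; $ok = $false }

    return $ok
}

function Start-DcIsolation {
    param([Parameter(Mandatory)][string]$Target)
    if (-not (Test-DcReadyForIsolation -Target $Target)) { throw "Pre-flight failed; not isolating $Target" }
    # System state backup onto a non-critical volume (assumed E:) travels with the DC.
    Invoke-Command -ComputerName $Target -ScriptBlock {
        wbadmin start systemstatebackup -backupTarget:E: -quiet
    }
    # Clean shutdown; then physically unplug network and power per item 1.
    Stop-Computer -ComputerName $Target -Force
}

# Usage (assumed host name):
# Start-DcIsolation -Target 'DC3.corp.example'
```

This only covers the isolation step. Recovering from the isolated DC alone means seizing the missing FSMO roles (`Move-ADDirectoryServerOperationMasterRole -Force`) and cleaning the metadata of the destroyed DCs, and because NotPetya-style attacks harvest credentials, the krbtgt password and every privileged account should be reset before the rebuilt environment goes back online.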
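For items 2 and 3, an offline copy is only worth having if you can tell, on the day, that it is complete and untampered. The following is an added example (my editorial addition, not from the original letter) that writes a SHA-256 manifest over the contents of "thumb drive #1" and verifies the drive against it later. Paths are assumed; `E:\` stands for the offline drive.

```powershell
# Added example, not from the original letter. Manifest for the offline rebuild media.

function New-OfflineMediaManifest {
    param(
        [Parameter(Mandatory)][string]$Root,                       # e.g. 'E:\' (assumed)
        [string]$ManifestPath = (Join-Path $Root 'MANIFEST.sha256')
    )
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.FullName -ne $ManifestPath } |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
            # "<hash>  <path relative to the drive root>", one file per line
            '{0}  {1}' -f $h.Hash, $_.FullName.Substring($Root.Length).TrimStart('\')
        } | Set-Content -Path $ManifestPath -Encoding ascii
    # Return the manifest's own hash: write it on the label and in the paper binder,
    # because anyone who can write to the drive can rewrite the manifest too.
    (Get-FileHash -Path $ManifestPath -Algorithm SHA256).Hash
}

function Test-OfflineMediaManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$ManifestPath = (Join-Path $Root 'MANIFEST.sha256')
    )
    $bad = @()
    foreach ($line in Get-Content -Path $ManifestPath) {
        $expected, $rel = $line -split '  ', 2
        $path = Join-Path $Root $rel
        if (-not (Test-Path -Path $path)) { $bad += "MISSING  $rel"; continue }
        $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($actual -ne $expected) { $bad += "CHANGED  $rel" }
    }
    if ($bad) { $bad | Write-Warning; return $false }
    return $true
}

# Usage (assumed drive letter):
# New-OfflineMediaManifest -Root 'E:\'       # when the drive is built; note the returned hash
# Test-OfflineMediaManifest -Root 'E:\'      # before trusting the drive for a rebuild
```

Run the verification from a freshly installed machine that has never joined the compromised domain, compare the manifest hash with the one written on paper, and keep the Microsoft-published hash of the install ISO in the same binder so thumb drive #1 can be checked against something that was never on your network.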

I wish you all the best of luck and hope we never need any of this.