“Incident Response professionals are working in a high-paced and stressful environment”

At the beginning of 2021, when the cybersecurity community was reeling from the aftereffects of the SolarWinds supply chain attack, a new ransomware strain made a disruptive entry. Babuk Locker compromised some of the global corporate networks, encrypted users’ sensitive information, and demanded a lofty ransom of $60,000 to $85,000 in Bitcoins. And since then, ransomware threats have grown in volume and sophistication. It continues to be touted as the “most prominent” threat, crippling the security architecture of critical sectors and SMBs alike. While some companies volunteered to pay the ransom, others focused on building strong incident response and disaster recovery plans.

Pooja Tikekar, Sub Editor at CISO MAG, chatted with Sriram Tarikere, Senior Director with Alvarez & Marsal’s Global Cyber Risk Services in New York, to discuss the need for having well-prepared incident response teams in responding to threats. He also shares ways to respond to a cyber incident in a timely manner, common cloud migration misconceptions, and security predictions for 2022.

Tarikere has over 15 years of experience in executing cybersecurity and privacy risk assessments, ranging from very detailed ISO 27001/NIST, HIPAA, PCIDSS and Risk Quantification assessments, to technical cloud and blockchain secure design and architecture reviews, application and network security assessments, red teaming, threat hunting and social engineering exercises. He has led and coordinated incident response and forensic investigation efforts for some of the largest and high-profile breaches in the recent past. He also advises clients on some of the most complex cybersecurity initiatives and acts as a trusted security adviser to organizations, C-Suite and board members.

Tarikere earned a master’s degree in computer sciences/cybersecurity from New York University. He holds the Chief Information Security Officer (CISO) certificate. He is a CISSP, PCI-QSA, GWAPT, GCIH and ISO 27001 Lead Auditor.

Edited excerpts of the interview follow:

As information security and incident response professional with over a decade of experience, what are some of the pressing issues you encountered during your career, and more recently?

While the cybersecurity threat landscape is continuously evolving, threat actors are employing more and more sophisticated tactics to attack organizations, and organizations are continuing to bring cybersecurity to the forefront; below are some critical challenges that organizations continue to encounter to date.

• Industry Collaboration: Real-time threat and vulnerability information-sharing and widespread collaboration within the industry.
• Cyberattacks due to Emerging Technology: Inability for cybersecurity to keep up with the pace of innovation and rapid change in the technology landscape.
• People Problem: Humans are the weakest link in the chain, given their lack of technological understanding.
• Senior Executive Buy-in and Engagement: Cybersecurity has always been an afterthought. Although we see a shift in the perspective, we are far from where we need to be.
• Supply Chain Risk: Supply chain risk has, is, and continues to present a significant challenge for organizations.
• Cyber Skill Shortage: It’s not just buying tools; it’s investing in people, in their knowledge and ability, that they are prepared to detect, contain, and respond to cyberattacks. Hiring and retaining cybersecurity professionals remains a top challenge for organizations in 2021.

At the end of 2020, the SolarWinds attack blew the internet. In response, businesses and federal agencies prioritized their cybersecurity budgets and embraced proactive security practices. However, the threat landscape grew manifold in 2021, and supply chains and critical infrastructure continued to incur breaches and ransomware attacks. What, according to you, is the root cause for all this?

Gartner predicts that by 2023, in addition to costing businesses over $50 billion, cyberattackers would have weaponized the Operational Technology systems to the point that they may harm or take a human life.^[1] Historically, critical infrastructure has been designed to have their Industrial Control Systems (ICS) isolated and physically separated from the internet and other corporate networks. Furthermore, it was thought that the risk of cyberattacks on critical infrastructures was low because of the highly customized nature of these systems that required a specialized skill set to understand the architecture of the control system configurations and operate them efficiently.

As more and more organizations are modernizing their industrial processes by connecting these ICS components to the cloud and internet to improve system efficiency, employ open technologies and universal operating systems to reduce the cost of maintenance, they are also unknowingly giving threat actors more ways to compromise these systems through ransomware and extortion attacks.

Per the findings of VMware’s “The State of Incident Response” survey, 49% of organizations lack adequate tools (including staff and expertise) to detect cyberthreats. And it reflects a harrowing scenario in incident response. How can security leaders overcome this core challenge?

With the ever-growing threat landscape and attack vectors that the threat actors will leverage to attack an organization, the ability to detect, triage, contain, and respond to an incident in a timely manner will always be a pain point for the security leaders for the foreseeable future. Some of the ways to alleviate and overcome these challenges are:

• Enhance visibility of the system events within the organization.
• Implement a structured incident response process. Employ automation wherever possible.
• Continue and enhance employee awareness programs to include the latest types of attacks.
• Partner with an external incident response firm who are experts in the field and has been doing this day in and day out to do the heavy lifting during the incident response process.
• Partner with key internal stakeholders like legal, finance, crisis communication, and business groups to ensure they are prepared when needed.
• Test and practice the incident response process through simulated cyberattack exercises to ensure that the incident response process is working effectively and as designed.

While on this topic, could you shed light on the evolution of incident handling, incident management, and incident response? And what are some of the qualities to look for when hiring incident response personnel?

Knowing the how, why, and where of cyberattacks is a strong quality of the incident response (IR) professional. Having a finger on the pulse of the ongoing threat landscape and different cyberattacks happening across the globe will be a core criterion of any cybersecurity professional.

• Problem Solving and Analytical Skills: Not all incidents are similar, and IR professionals need to be able to adapt to changing situations, new leads that are uncovered, and a variety of attack scenarios to respond as quickly as possible. Strong problem-solving and analytical skills coupled with out-of-the-box thinking will aid in their ability to face and resolve the most sophisticated attacks and unexpected situations.
• Teaming and Collaboration: IR is a team sport. So, the ability of the member to collaborate and work in a team setting can aid in responding to an incident effectively and efficiently. This is important because these days, attackers have assembled teams of skilled like-minded individuals that have varied levels of experiences and perspectives themselves, so accumulating an internal team in a similar manner enables the organization to quickly identify tactics and anticipate the next move.
• Technical Capability: While the IR team member will be analyzing a wide range of systems and artifact types, like RAM, network traffic, and many different log sources. Ability to find and correlate small digital footprints “breadcrumbs” left behind any time anyone does something on a system or network is an essential quality of the IR professional. Furthermore, understanding the know-how and having intrinsic knowledge on the working of the operating systems, kernels, network protocols, middleware, application software and malware will come in handy when performing advanced forensics and planning the containment and response strategy.
• Communications: Although lower on the list, this is as important and, in some cases, more important than others. Incident Response professionals are working in a high-paced and stressful environment. The IR personnel should be able to articulate the technical details into something that the executives can understand when updating them of the incident. Furthermore, the IR personnel should provide clear guidance and action items for the other stakeholders like Business Groups, Legal, Crisis communications, etc. throughout the response process.

It is said, “data is the oil of 21^st century,” and with more business moving online, cloud storage to some extent assures reliability compared to local storage. But is it cost-effective? And how can IT teams alleviate a hasty switch to the cloud and ensure a smooth and secure data migration process?

Organizations need to understand the core concept of maintaining the Confidentiality, Integrity, and Availability of the data they are the guardians of. They can transfer the risk by moving it to the cloud but will not be able to eliminate the risk completely. Organizations will still need to implement appropriate security controls to protect the data in the cloud.

Some of the common misconceptions regarding moving to the cloud are that “Cloud provider is responsible for the Security,” “Organization can meet compliance requirement on the cloud,” etc. The organization needs to understand that although a cloud service provider (CSP) provides the necessary tools and technologies required to secure the environment and meet the compliance obligations, it is the responsibility of the organizations to do proper due diligence when moving their applications workloads and data to the cloud.

It is always recommended that the organizations perform in-depth due diligence of their cloud migration strategy using industry-leading frameworks. Although not a comprehensive list of controls, some of the questions that the due diligence assessment should address are:

• WHAT – What data or application is the organization moving? Is it sensitive, regulated, or restricted data?
• WHERE – Where will the data be stored? Are there any data protection regulations that restrict the movement of data?
• WHO – Who will have access to the application and the underlying data? Will it only be internal resources or any third parties? Will the data be shared publicly or restricted to specific groups of people?
• HOW – How will the data be protected? How will the organization detect and respond to the security events/incidents? How will the organization recover the data in the event of an incident? How will the organization protect the Confidentiality, Integrity, and Availability of the data being moved to the cloud?

Cybersecurity is often a fleeting thought for small businesses. And hackers commonly target them because their financial capacity (security budgets) is limited. How can small businesses re-think security preparedness in a post-pandemic world?

Cyberattacks are a growing threat for small businesses. According to the FBI’s Internet Crime Report, the cost of cybercrimes exceeded $4.1 billion in 2020 alone.^[2] Small businesses are attractive targets because they have sensitive information that threat actors can leverage without breaking into security infrastructures like that of big enterprises and corporations. cyberthreat vectors are constantly evolving, but some of the most common types of attacks that small business owners should be aware of are malware infection, viruses, business email compromise (BEC), ransomware, and phishing.

Cyber Hygiene: Organizations and their leadership should have a holistic view of their critical assets, systems, services, and third-party partners to determine the security risk and exposure. Hence, the organization must maintain strong cyber hygiene by keeping inventory of critical assets, ensuring that their systems are patched and protected, and is continuously monitored for security threats.

Multi-factor Authentication (MFA) – Enforce Multi-factor Authentication on accounts that store, process, or transmit sensitive information. It is always recommended to enable and enforce MFA on all internet-facing resources of the organization.

Security Awareness Training: Educate the employees to create strong passwords, follow good browsing practices, avoid suspicious downloads, protect sensitive customer, employee, and vendor information, spot phishing emails, and maintain good cyber hygiene. Perform periodic training on cybersecurity best practices for the employees.

Supply Chain Risk Management: Organizations should evaluate their current business partners and vendors and the level of access they have to their IT systems, network, and data. Ensure that the partners have sufficient security controls to protect the organization’s assets.

Protect sensitive data and back up the rest: Identify the critical data for the organization and ensure that they are constantly backed up to a secure location on a continuous basis. If possible, back up the data to an offsite location periodically in the event that the online copy is corrupted or unusable. Consider rendering the sensitive data unreadable when possible.

Secure Payment Processing and Fund Transfer: Work with the banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. Isolate the systems that store, process, or transmit payment information from other systems within the organization. Implement strong validation checks and controls when making vendor payments to protect the organization from wire transfer fraud.

DHS offers free cybersecurity toolkits for Risk and Vulnerability Scanning and Phishing Campaign Assessment toolkit here – https://us-cert.cisa.gov/resources/ncats and Supply Chain Risk Management Toolkit here – https://www.cisa.gov/ict-supply-chain-toolkit.

Could you give us your top cybersecurity predictions for the remainder of 2021?

Considering that the cyber threat landscape is continuously evolving, one cannot make true predictions on where the industry is heading. However, trends and security research by various organizations indicate that:

• Ransomware threats will continue to dominate the rest of 2021 and into 2022. Cyberthreats actors will continue to get creative, and their attacks will become more sophisticated to ensure that the organizations cannot recover normal business operations without paying the ransom.
• Social engineering, specifically phishing, will continue to dominate the mode of infiltration for the foreseeable future until organizations enforce a multi-layered defense approach to protect their users from falling prey to such social engineering attacks.
• Supply chain risks will be at the forefront with organizations evaluating their exposure and ability to protect and respond to attacks to or via their third-party partners.
• Even though cyberattacks continue to occur, cybersecurity investments will continue to rise. Organizations and solution providers will continue to innovate to stay ahead of the curve. Governments and law enforcement agencies will step in, propose policy solutions to protect their economies, organizations from ransomware extortion attacks.

Note: Views or opinions expressed by the interviewee are his own and doesn’t represent those of the people, institution, or organizations that the interviewee may or may not be associated with in professional and personal capacity, unless explicitly stated.

---

About the Author

Pooja Tikekar is the Sub Editor at CISO MAG, primarily responsible for quality control. She also presents C-suite interviews and writes news features on cybersecurity trends.

More from the author.