This week, HSBC revealed that there was a data breach that affected some of their account holders.
https://www.bbc.com/news/technology-46117963
This, however, is not their first breach, as described in this article:
https://www.bankinfosecurity.com/hsbc-bank-alerts-us-customers-to-data-breach-a-11685
Why do we look at past attacks?
Vince Kelly says
I’m cringing as I write this because I’m worried that this response is going to be interpreted the wrong way and it is absolutely not intended to be disrespectful or condescending so I’ll apologize up front if it appears that way.
My response to:
“Why do we look at past attacks?”
…. is to (rhetorically) ask the question:
Why do we go to school?
I think we look at past attacks for the same reason that we read a book or attend college (discounting freshman, sophomore and junior party years, of course :)). We do it to gain insights and experience where perhaps none existed before. I think a quote from Sir Isaac Newton certainly applies here:
“If I have seen further it is by standing on the shoulders of giants.”
Imagine a world in which everyone kept everything to themselves, felt no need to help others, were so self-absorbed that they could find no motivation to invest and expend the levels of determination and energy that are required in order to understand and then thwart the fruits of an evil mind.
In this nightmare world, every day would be a 0-day, every Phishing attack a lucrative opportunity to prey upon the innocent.
To say that the desire to research and study past attacks is solely motivated by altruistic intentions would represent the apex of hypocrisy – there are most certainly self-serving reasons why we look at past attacks; company promotions, more money, a reputation of professional competence, etc.
But it is also true that we could have pursued these objectives through any number of other venues – finance, accounting, the trades or others.
But instead we chose to attempt the mastery of a discipline where all efforts and energies can lead to only one of two possible outcomes:
….at the end of the day, we study past attacks to either help or hurt others.
Dan Bilenker says
Okay, so let’s throw in a cliché, but still true, quote:
“Those who fail to learn from history are doomed to repeat it.” – Sir Winston Churchill
But, we can take it a step further and say “Those who fail to learn from history are doomed to be exploited”
If we don’t assess past attacks and pinpoint the deficiencies that allowed them to occur, we can’t prevent them from occurring again. You can bet that hackers are learning from our successful defenses, and tracking our mistakes.
Jonathan Reid Kerr says
I completely agree. It is the same reason we continue to study past civilizations in school, such as Rome, despite the relatively low impact it has on our daily lives. If we cannot learn from past mistakes and understand them, then we will surely repeat them.
William Bailey says
The organization that is breached is doomed to repeat the same mis-steps if they don’t conduct a lessons learned, or post-mortem. Other organizations are likely to be exploited in the same manner if they don’t perform similar remediations.
What is the benefit to an ethical hacker if they research previous breaches?
Vince Kelly says
It allows them to understand what is possible to do, gives them a sense of how likely a particular type of attack probably is for the organization that they are helping, and allows them to find out who has already dealt with the attack previously and what they did to mitigate it. It also helps them administratively in terms of recommending budgeting, preventative controls, technical controls, etc., etc., etc.
Brandan Mackowsky says
It is definitely crucial that an organization who does not assess itself after a breach will likely experience a similar exploit. The benefit to the ethical hacker here is seeing where the breach occurred and taking a focus on the exploited organization as well as others in the market to see if the same or similar vulnerabilities exist and are likely to be compromised by hackers in the community. It allows for a communication to patch similar vulnerabilities through testing prior to them being exploited for unintended and malicious purposes.
Jonathan Reid Kerr says
Researching and examining the past is how we learn from others without having to endure the same experience. For an ethical hacker, the premise is the exact same. By looking into past attacks and the details surrounding them, we can understand what was done correctly, what was done poorly, and how it happened in the first place. Then we can reasonably improve upon existing policies and procedures so that the same mistakes will not be repeated.
Duy Nguyen says
All good points guys.
Post-incident activities are as critical as all the other phases of an incident response plan: Preparation, Detection, Containment/Eradication & Recovery, and Post-incident activities. It’s a cycle with each step supporting the next. In this stage, the organization should review its response, update policies and plans, and take preventative steps so the intrusion can’t happen again. An organization should consider whether an additional policy could have prevented the intrusion, or whether a procedure or policy was not followed which allowed the intrusion, and then consider what could be changed to ensure that the procedure or policy is followed in the future.
Vince Kelly says
Duy,
Great points and I totally agree with you but at the risk of sounding super cynical, how often do *we* think that comprehensive post-incident assessments really occur? A lot of times it just turns into finger pointing matches right?
Duy Nguyen says
Hi Vince,
Of course, a post-incident assessment only happens when there are reported incidents. This is not always guaranteed; there should be scheduled maintenance/review of policies at least yearly. This is the minimum, I would say. If an organization could take it a step further, they would do practice runs or drills.
Vince Kelly says
Good points, but I was referring to your previous point regarding post-incident assessments – i.e. they *should* be done, but I was wondering just how often that actually happens in the real world – as you know, the attitude is generally “whew, great, we put that fire out, now let’s move on to the next one” :):):)
Dan Bilenker says
Secondary point regarding “as you know, the attitude is generally ‘whew, great, we put that fire out, now let’s move on to the next one’ :):):).”
I get that, and I’m sure it happens. But there’s also a level of reality that pervades the decision making process post incident.
If a threat is intercepted, and the “fire” is put out using the established mechanisms and protocols, they know that the defense mechanisms work. Why would they conduct an in-depth post assessment when they know that they can successfully defend against an already mitigated attack? They already did an initial risk assessment to prevent the situation that has already been mitigated.
When a threat turns into a vulnerability that has successfully been exploited, then the blame game occurs. But even still, many of these exploits have been conducted at the global level, and it is increasingly difficult for organizations to play the blame game forever without drawing too much unwanted attention. Due to the increased speed at which news is disseminated, I can’t see how organizations would be able to not conduct any kind of investigation without being penalized or ridiculed.
Dan Bilenker says
Vince,
I agree to some extent that finger pointing will always be an inevitable outcome of breaches. However, I can think of plenty of real-world examples where despite finger pointing, real post-breach assessments were conducted. Think bigger – “breaches” in “security” aren’t just technical & IT related.
Post-incident response and assessment is a functional component of most any organization. Not to take it from 0-10 too quickly, but think about 9/11, which is as much a breach of security as anything IT related.
Sure, there was finger pointing – the FBI & CIA failed to prevent this, that, or whatever. We all know the blame game that went down just after the attacks.
But you can listen to & read countless hours of analysis of the NORAD & FAA tapes, hearing the Army National Guard & Force initiate emergency intercept protocol. The post incident analysis showed multiple points of failure that forced commanders and their civilian counterparts to rethink joint response doctrine.
Unless you’ve been in hiding since 2001, you’ve probably gone through an airport and been subject to the plethora of new security rules that followed – as a result of analyzing how the hijackers were able to get into the cockpit of a 747 armed with knives.
Plus, it’s now much harder to attend a civilian flight school without prior background checks.
I know this is sort of an extreme example, in that any lack of post-9/11 incident assessment would have caused no less than public fury, but incident follow up definitely occurs.
It happens in more companies than you think, despite finger pointing. Nobody wants to take blame; it’s human nature to defend the ego. You may see publicly that leaders try to shift blame to protect their public image – particularly in large organizations, but beneath the surface real money is lost and key leaders want to recover that money, and try not to lose more in the future.
Jonathan Reid Kerr says
In regards to your mentioning of the additional security policies and procedures that were implemented post 9/11, I believe it is worth talking about security theater as a response to breaches.
While security theater does have a purpose, I feel like it can be relied on too much to make up for real security. My personal favorite is how some websites force you to add in a number or a symbol in your password, making it harder to remember and barely more secure. It makes you feel like you’re increasing the security of your password, when in reality adding a 1 and a ! does nothing. Though it is important to balance security theater with effective policies. You don’t want employees or executives to ‘feel’ that their systems are secure when they really aren’t.
Vince Kelly says
Dan,
If I understand what you’re saying then I *think* we are saying the same thing. My “whew, done fighting that fire, now let’s move on to the next one” comment was, I believe, me trying to make the same point that you do when you say:
‘You may see publicly that leaders try to shift blame to protect their public image – particularly in large organizations, but beneath the surface real money is lost and key leaders want to recover that money, and try not to lose more in the future.’
I think we are agreeing that often, not always, but often, there is an inadequate post-incident process that is followed – i.e., money and resources are expended as a *RESULT* of the problem and it gets ‘fixed’ in *REACTION* to the problem so that the embarrassment of it being brought up at the next earnings call is avoided.
Again, (at times) organizations are often too busy or too organizationally hampered to adequately ensure that the incident is institutionalized in any effective, formal way (they just react and move on).
In other words, many times only the *results* of what was fixed or an abrupt change in the organization suddenly and mysteriously appear – there is no exchange of information, vocalization or a level of clarity about the circumstances that would add incredible value and increased awareness for *everyone*.
Case in point, since we’re on the subject of 9/11 🙂 – there was ample evidence and warnings of the impending attack. In fact there were specific details that came out of the Philippines in and around the July/August time frame that commercial aircraft were going to be used to attack targets and that the attack was imminent. In the 1990’s Colonel Oliver North specifically pointed out to Congress that Osama Bin Laden posed an existential threat to America, etc., etc., etc.
The problem however was that up until 9/11, American law enforcement and intelligence agencies were structured in such a way as to prevent them sharing information or collaborating and this was done on purpose in order to avoid the US becoming a police state, (e.g. Congress expressly forbade the CIA from conducting domestic intelligence gathering operations).
Immediately after the 9/11 attack every aircraft in the country was grounded – but this was only as a *result* of the attack.
Your comments about NORAD, the FAA and the National Guard scrambling around doing their best in trying to prevent the disaster while it was unfolding, and your comment that:
“Unless you’ve been in hiding since 2001, you’ve probably gone through an airport and been subject to the plethora of new security rules that followed – as a result of analyzing how the hijackers were able to get into the cockpit of a 747 armed with knives.”
…miss the fact that these weren’t results. They were *reactions* to the event – had US intelligence agencies been organizationally structured to collaborate and share information before 9/11, then I think that there’s an *EXTREMELY* high probability that 3,000 would not have died on that day.
…the *most* important point here Dan isn’t an attempt to wordsmith or quibble over what’s a ‘result’ and what constitutes a ‘reaction’. The most important point here is that all of the facts about the lack of a unified intelligence structure did not emerge until *after* it was memorialized and *publicly* institutionalized by a congressional investigative committee **almost a year later** !!
Turning to the business side –
If what I was saying is not true then you’d never see the all too common scenarios where banks or other institutions don’t even report, and at times actually go out of their way to ‘obfuscate’, the fact that an attack even occurred (internally or externally) for fear of the repercussions (Equifax is a *classic* example of this).
Again, I think we are saying the same thing – I’m just reacting as a result of your comments that were a result of the reactions that I had as a result of Duy’s observations – I think – Ouch! My brain hurts!:):):)
Brandan Mackowsky says
One of the biggest reasons that we look at past attacks is to truly understand where in our business process we went wrong or where we left a vulnerability that was able to be exploited. By looking at past attacks, we can use this as a lessons learned to figure out a root cause and ensure the same exploit does not occur again. However, looking at past attacks can also be used by outsiders to see if similar attacks continuously occur. For example, if the same exploit occurs multiple times to a business, the public may be less inclined to utilize their services, as it is a key indicator that a company does not know how to, or does not care to, resolve its issues and vulnerabilities. Essentially, examining a past attack should be leveraged to repair existing vulnerabilities and provide a full assessment as to where vulnerabilities may exist or can occur. The question really is whether or not a business uses its past attack experiences to do this, or if it finds ways to continuously fix issues as they occur and learn nothing, ultimately damaging its reputation as similar attacks occur time and time again.