April 24, 2014
The Federal Bureau of Investigation (FBI) recently said it notified 3,000 US companies that they were victims of cybersecurity breaches in 2013, according to the Washington Post.
The sheer volume of notifications is stunning. It’s also newsworthy because it is the first time the US government has released the number of companies contacted about cyber intrusions, many of which are carried out by foreign nation-states. It is perhaps no coincidence that the FBI announcement reported by the Washington Post comes just two months after the launch of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a set of guidelines for improved cybersecurity that is centered on the principle of open communication and collaboration.
For most companies, notification from the FBI that its corporate systems have been breached and/or corporate information is being transmitted to a nation-state threat actor will be a call to immediate action. There are a number of important actions that senior executives should take in order to understand and manage the business risk posed by this type of notification. Complete delegation of the corporate response to the IT and/or information security leaders is not recommended.
First, remember that the business has been targeted by a nation-state threat with specific objectives. As a result, the compromise is not an IT problem; it is a business challenge. Response activities should be led by a senior executive, governed by legal, and be as independent as possible from IT and information security. Customers whether consumer or business can expect a response that leverages all possibilities, including cooperation with government agencies.
In our experience, law enforcement’s visibility into the entirety of the threat activity can sometimes be narrow. As a result, immediate remediation of the limited known set of systems can be challenging and ultimately unsuccessful. It is paramount to first understand the scope of the intrusion and when it began. It’s also important to know that long-term intrusion campaigns always involve the establishment of multiple points of unauthorized access (backdoors). Until all backdoors are identified, “remediation” is not an option. Senior business executives should also consider how security can be improved to disrupt future attacks after the current remediation strategy is executed.
Other issues to consider include:
- Why did the threat actor pursue the organization? What information was targeted and stolen? Executives should understand if their infrastructure was used primarily as a pathway to attack another organization, or if the purpose of the intrusion was to maintain access to disrupt business operations in the future.
- If information was stolen, what are the notification requirements? In addition to personal information and payment card data, executives should also consider information governed by contracts with business customers and find out what unique instances of that information were actually breached.
- Were insiders involved? And if so, who are they? It’s important to remember that nation-state actors leverage all threat vectors–not just cyber.
Also consider that the FBI rarely advises the compromised organization on the initial method of intrusion and the security vulnerabilities that were exploited. Understanding these early-phase intrusion activities can be very important to implement security changes that deter the intruder from regaining access to the network.
To get all these steps right, it may be advantageous to bring in external, independent, and objective resources such as forensics firms that have experience in espionage and cybercrime, and have a team of specialists who maintain government security clearances and relationships with government agencies. Designing a defensible but reasonable forensic investigative approach to your response requires experience and patience. In a crisis incident, sometimes you have to slow down before you can speed up an investigation.
Charles Beard is a Principal in PwC’s Advisory Services practice. Prior to joining PwC, Charles was the Senior Vice President and General Manager of SAIC’s Cybersecurity Group.
Sean Joyce is a Principal in PwC’s Advisory Services practice. Sean joined PwC from the Federal Bureau of Investigation, where he was most recently Deputy Director.
Shane Sims is a Principal in PwC’s Advisory Services practice. Prior to PwC, Shane spent over ten years as a special agent in the FBI.