Sony’s highly visible data breach once again thrust cybercrime into the national spotlight, prompting heated discussions on company disclosure of breaches and public-private sector communication regarding these costly leaks.
The 2014 breach, which exposed Sony films, corporate emails and staff salaries, was one of the most public breaches in recent memory. But much of the time, cyber breaches are less visible, and can compromise a company for months and even years before management makes the unfortunate discovery.
In 2013, 1.5 million monitored cyberattacks occurred in the US, and according to studies, organizations are attacked almost 17,000 times a year – many resulting in a quantifiable data breach.
For the modern company, the most effective way to avoid becoming vulnerable to cybercrime and corporate espionage is to have the proper safeguards in place and a response plan ready in the event of a cyber breach.
The Timeline of a Cyber Breach
The average interval between intrusion and breach discovery is approximately 300 days, according to Don Ulsch, managing director with PwC, focused on cybercrime and breach response.
This can translate into a lot of lost intellectual property, trade secrets and other proprietary competitive information.
“Some breaches can remain undetected for years,” Ulsch said. “There is a direct correlation between the span of time between breach and detection and cost – and an undetected breach can certainly have a devastating competitive impact.”
Ulsch said that boards and management should also assume their company has been breached until proven otherwise.
“The first step is being aware of the potential risks cybersecurity threats can pose on a business and shareholder value,” he said. “We’re seeing smart board members beginning to ask the right questions about their business’ cybersecurity preparedness measures, inquiring about policies and procedures when it comes to cyber risk.”
William Gragido, director of threat intelligence at Bit9 + Carbon Black, said it’s also important to understand why an organization that’s been breached was initially targeted, and to recognize the distinction between the two types of targets.
“In reality, every organization should assume it’s a target. However, some are merely targets of opportunity as opposed to targets of intent,” he said. “Organizations that have been compromised and/or breached will need to understand their role as a target within the threat landscape ecosystem and understand what it means to their business partners, customers, providers/vendors, peers and competitors.”
Once a company has undergone a breach, it should have a pre-determined outline of steps to follow, according to Cameron Kerry, senior counsel at Sidley Austin LLP and former general counsel and acting secretary of the United States Department of Commerce.
“[Companies] need to have a set of understandings about what gets escalated through the organization, and be familiar with the basic frameworks of what you have to know and at what stage,” Kerry said.
Ulsch said when companies create response plans, it is imperative to consider a set number of questions:
- First, whether the company is already under breach and does not know it
- What assets need protection, where those assets are located, and whether or not they are encrypted
- How serious the insider threat is, including third-party vendors, and whether there was a contractual requirement for vendors to obtain cyber insurance
- Who the principal threat actors targeting the company are
- What the company’s regulatory and reporting obligations are
- If there’s attorney-client privilege in place through an external law firm
- If there’s a cyber forensics firm under contract
- Whether the company’s cybersecurity and risk teams are adequately funded and configured
- Whether the company board adequately understands the threat and risk and if they are briefed appropriately by both internal staff and independent third-party experts
- What cyber breach insurance is in place
- Whether there is potential for physical danger to employees
It’s also crucial that a company doesn’t consider information technology (IT) to be the golden-ticket solution for cyber breaches. A common misconception is that since breaches happen in IT, the solution must also come from IT, according to Ulsch.
“Cybersecurity is much more than just a technology issue – it’s a business issue. There’s legal, regulatory, financial and reputation and brand risk,” Ulsch said. “These are the domains of the board of directors and senior executive management. IT is a tool of attack, as well as a tool for cyber defense. But IT is only a tool.”
Ulsch said management and boards need to weigh cyber risk with the same consideration with which they weigh other factors, such as the cost of oil, the impact of a natural disaster, the cost of capital and other risk factors.
Industry and Government
The public sector has addressed the issues of cybercrime and company disclosure in a number of ways.
In 2011, the Securities and Exchange Commission Division of Corporation Finance established a set of guidelines outlining cybersecurity disclosure obligations, requiring registrants to share their vulnerabilities and cyber incidents and what form of insurance, if any, is included in their cybersecurity plans.
Under the regulations, there’s an expectation that the SEC registrants need to do more to inform investors and prospective investors about that registrant’s cyber risk, its potential impact and what is being done to mitigate the risk, according to Ulsch.
“[The guidance] addresses not only compromises of personal information, but any cyberattack that could impact an investor or shareholder’s holdings in a company,” he said. “Many SEC registrants are just starting to consider how they should address the cyber risk when analyzing overall corporate risk for inclusion into public filings, such as the company’s 10K or an 8K, in the event of a breach of an 8K disclosure.”
In February 2013, President Obama mandated the development of a national cybersecurity framework and programs to encourage voluntary adoption of the framework: Executive Order 13636, “Improving Critical Infrastructure Cybersecurity.” The order tasked the National Institute of Standards and Technology (NIST) to work with the private sector to build existing industry best practices into a cybersecurity framework.
And in January 2015, the White House proposed a federal data breach notification law titled “Safeguarding American Consumers and Families.” The proposal is designed to “clarify and strengthen the obligations companies have to notify customers when their personal information has been exposed,” according to the press release language. A month later, a February 2015 executive order promoting cybersecurity information sharing between the private and public sector was signed, structured to complement the White House’s January proposal.
A key point of the January 2015 proposal is the requirement of companies to notify of data breaches within 30 days, Kerry said. The proposal is composed of one set of requirements that are applicable across the US, and disclosure is dependent upon the nature of the breaches.
Overall, Kerry said he considers the proposal to be useful and an “important step.”
“The idea will strengthen the data breach response by making it simpler, and by being applicable to everyone regardless of differing state laws, whatever that state’s law mandates,” Kerry said.
Ulsch said when a breach is disclosed, investors may inquire about the nature and duration of the attacks that have been experienced by a registrant (a company that has formally reported a breach), the costs and consequences of a breach, risks associated with outsourcing and what aspects of business or operations give rise to material cybersecurity risks.
“Registrants have long been required to address other types of risks that could impact the company and its performance,” Ulsch said.
One of the more challenging debates surrounding disclosure of corporate breaches has been the relationship between government and industry and how closely intertwined they are and should be regarding breach disclosure.
Kerry is adamant there needs to be a definitive partnership between the two to adequately tackle the issue of cyberattacks, a union he said is essential to the idea of working on a business framework.
“The core piece of [the January 2015 proposal] is to create more robust information sharing. The president’s executive order has done a lot to [put] mechanisms in place,” he said, referencing the February 2015 executive order. “But it will take Congress to really enable the information sharing to provide some of the liability that will make it easier for companies to share information with the government, and set up privacy protections that will reassure the people involved that they will be protected.”
Ulsch, who said some state regulations are stronger than some federal requirements when it comes to protecting individual personal information, added that neither industry nor government acting independently will resolve the cyber threat.
“There’s no going back to the abacus. In today’s digitally-connected business environment, we use technology to develop and manage virtually all facets of everything we do…Technology is vulnerable to attack, and there is little if anything that will change this fact. So the key is to more successfully manage the vulnerabilities that are subject to exploitation that lead to risk,” he said. “Government and industry must be partners in combatting and defending against the cyber threat. And not just in the US. This is a global problem. And while there are no silver bullets to obliterate the threat, there’s much more that we can be doing.”
Another Dimension of Cyber Crime: Corporate Espionage
In 2007, Hanjuan Jin was stopped during a random security search at O’Hare International Airport before boarding a flight to China. Jin, a Chinese-American software engineer for Motorola Inc. for nine years, was found carrying $31,000 and hundreds of confidential Motorola documents stored on various devices, according to prosecutors.
Though it surely wasn’t the first case of corporate espionage to occur in the U.S., it soon became one of the most notorious.
As crimes, corporate espionage and economic espionage are comparable, with aligned end goals – the covert theft of tangible and intellectual property.
But there’s far more available research and knowledge on economic espionage, orchestrated by governments with the goal of breaching national security.
Corporate espionage, in contrast, is less understood as a crime because companies are reluctant to disclose information of their own accord to shareholders. This presents a unique challenge for professionals whose livelihood depends on their ability to predict and protect from corporate espionage.
John Pirc, chief strategy officer at Bricata, said corporate espionage has always existed.
The reason it has recently slipped into the forefront of conversations is the varying shape it has begun to take on, thanks to modern innovation.
“The different forms in medium in carrying out corporate espionage have changed with technology,” Pirc said. “I think it is becoming a lot easier [to commit corporate espionage] due to technology and mobility.”
Gragido, co-author with John Pirc on the 2011 book, “Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats,” said that about four years ago, the idea of corporate espionage wasn’t new.
What was new was the growing visibility being provided through investigatory methods and tools, making these compromises more well-known.
“Fast forward to today where we live in a world that is even more connected than before, and better equipped through information and intelligence sharing in both the public and private sectors, and you arrive at a position where more visibility and notoriety is a given,” Gragido said.
He added this doesn’t mean all compromises are communicated to the public, particularly in the case of “true nation state espionage,” but that more cases overall are being made public. This is often due to either regulatory rulings or the driving need to share data with the world at large.
The phrase “corporate espionage” may dredge up romanticized images of federal agents methodically combing through a criminal’s garbage – a valid assumption in some cases.
But many who commit corporate espionage do so, ironically, by mistake.
“You see it all the time where people work for other companies and they might have roadmaps, intellectual property, et cetera,” Pirc said. “They’ll take that information and put it on [online storage sites] Dropbox or OneDrive, and when they leave companies, they may not realize that they have it. So it’s kind of inadvertent espionage.”
But there is still a fair share of deliberate cases, where the individual is well aware of their actions, Pirc said. He added that the cases that reach the public eye are theft of intellectual property from federal contractors.
Similar to Ulsch, Pirc said most companies that are breached have been breached for a couple years and aren’t yet aware of it, creating a significantly higher chance of criminals getting away with it.
“If you look at it from that scenario, if someone is committing corporate espionage using the same type of tactic, then the likelihood of them getting caught is pretty slim,” he said.
Pirc said the effort and resources that are put into researching, designing and building an automobile or a space craft costs companies and countries billions of dollars, heightening the incentive to simply steal.
The most insidious element of corporate espionage, the fact that these criminals strike from the heart of a company after being found qualified and trustworthy, brings the question: How do companies successfully vet out these people? Particularly in a world that’s rapidly becoming more globalized?
Pirc said these questions frequently surface when companies contract out work.
“Most of the companies I worked for, we outsourced code development for our products. You have vetted the offshore firm, but you have no idea who they’re hiring,” he said. “If you’re outsourcing to Bangalore or Hyderabad or somewhere in India, you have no idea who they are hiring on the background, on the back end, who could get access to source codes and all that other stuff.”
Pirc, who formerly worked for the Central Intelligence Agency, said the same depth that is reached when screening individuals for government jobs should be applied to corporations to help stave off opportunities for corporate espionage.
“If you’re pulling somebody into a critical project, I think the same scrutiny that is given in background checks and all the other stuff to people who are going into federal government…you have to get down that deep. You need to understand who you are employing and what their backgrounds are,” he said. “You want to believe people are trustworthy, but you have no idea at the end of the day until they make a mistake and your intellectual property is out the door.”
Gragido said the vetting of individuals is slowly evolving over time at organizations outside of the intelligence and defense communities because beyond background checks, the average corporation has few resources at its disposal to investigate someone to the same degree a government agency may be able to.
“Vetting humans is hard work. Even the best and brightest of organizations have, over time, been fooled in some cases by their own people,” Gragido said.
Pirc said one of the most common ways these criminals get pinched is from someone monitoring their access to data when they begin downloading or printing uncharacteristically high volumes of data and documents. If someone who routinely works from 8 a.m. to 5 p.m. suddenly starts downloading content late at night, that change in pattern is an immediate red flag.
“There’s different ways you can approach this one and I think a lot of it has to do with access. Who has access to this data?” he said. “I think corporate espionage happens a hell of a lot more than people are willing to admit, or because they don’t know [it’s occurring]…There are stupid things people do. They get caught with stuff on a disk or a hard drive, or trying to take data out with proper controls in place.”
He said there are a number of safety measures in place at companies that address that issue, such as data loss prevention solutions that safeguard information in the event that it were to travel outside its designated infrastructure.
Beyond those measures, there is passive surveillance technology that prevents criminals from using thumb drives or restricts them from sending out content. One tool in particular watermarks documents, and if an employee attempts to steal that content, the watermark either blocks the document from being sent or flags it as intellectual property.
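The change-in-pattern signal Pirc describes (a user who normally works business hours suddenly pulling large volumes late at night) is straightforward to express as a detection rule. The following is an added example, not code from the article or from any of the vendors named in it. It assumes a hypothetical CSV access log with the columns timestamp, user, action and bytes, constructed inline below; the business-hours window and the 3x volume threshold are illustrative parameters, not figures from the page.

```python
"""Flag uncharacteristic data access: off-hours activity and daily volume spikes."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample log (hypothetical format: timestamp,user,action,bytes).
# "alice" behaves normally; "bob" starts downloading heavily late at night.
SAMPLE_LOG = """\
2015-03-02T09:12:00,alice,download,120000
2015-03-02T14:30:00,alice,download,95000
2015-03-03T10:05:00,alice,download,110000
2015-03-04T11:40:00,alice,download,130000
2015-03-05T16:55:00,alice,download,90000
2015-03-02T09:30:00,bob,download,200000
2015-03-03T10:15:00,bob,download,180000
2015-03-04T13:20:00,bob,download,210000
2015-03-05T23:10:00,bob,download,5000000
2015-03-05T23:40:00,bob,download,7000000
2015-03-06T02:05:00,bob,print,300000
"""

BUSINESS_HOURS = range(8, 17)  # assumed window: 08:00 up to, but excluding, 17:00
VOLUME_FACTOR = 3.0            # assumed threshold: flag a day above 3x the user's median


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    user: str
    day: str
    reason: str
    detail: str


def parse_log(text):
    """Parse the CSV lines into Event records, skipping blanks and comments."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, nbytes = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, action, int(nbytes)))
    return events


def flag_off_hours(events, business_hours=BUSINESS_HOURS):
    """One alert per (user, day) with any activity outside the business-hours window."""
    seen, alerts = set(), []
    for e in events:
        if e.ts.hour in business_hours:
            continue
        day = e.ts.date().isoformat()
        if (e.user, day) in seen:
            continue
        seen.add((e.user, day))
        alerts.append(Alert(e.user, day, "off_hours",
                            f"{e.action} at {e.ts.strftime('%H:%M')}"))
    return alerts


def flag_volume_spikes(events, factor=VOLUME_FACTOR):
    """Compare each user's daily byte total against that user's own median day.

    The median is robust to the spike itself, so a single anomalous day does
    not drag the baseline up enough to hide it."""
    per_user = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user[e.user][e.ts.date().isoformat()] += e.nbytes
    alerts = []
    for user, days in per_user.items():
        baseline = median(days.values())
        for day, total in sorted(days.items()):
            if baseline > 0 and total > factor * baseline:
                alerts.append(Alert(user, day, "volume_spike",
                                    f"{total} bytes vs median {baseline:.0f}"))
    return alerts


def detect(text):
    """Run both rules over a log and return alerts sorted for stable reporting."""
    events = parse_log(text)
    alerts = flag_off_hours(events) + flag_volume_spikes(events)
    return sorted(alerts, key=lambda a: (a.user, a.day, a.reason))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.user} {a.day} {a.reason}: {a.detail}")
```

On the constructed log only bob is flagged: two off-hours days (the late-night downloads on 2015-03-05 and the 02:05 print job on 2015-03-06) and one volume spike (12 MB on 2015-03-05 against a median day of about 210 KB). A per-user median baseline is the important design choice; a single organization-wide threshold would either miss a heavy user's spike or drown in false positives from users whose normal volume is high.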
Bouncing Back From a Breach
Once companies that don’t prepare for a breach learn they’ve been struck by one, whether it’s of the cybercrime or corporate espionage variety, Ulsch urges that responding swiftly and seeking external resources are essential steps to take.
“Most breaches will have a potential regulatory and litigation component. Managing the regulatory and litigation defense will require expert legal and forensic analysis,” he said. “In the absence of a formal and well-tested plan, with on-call legal and forensics specialists, do the best you can to hire the best you can.”
“Forensics and incident response play huge roles in how corporations deal with breaches — espionage driven or not,” he said. “Why? Because they allow for responders to paint a picture of the activity of a threat actor within the enterprise, down to the host level. Provided the organization has the tools in place to provide them with the visibility on the host and network, their work in achieving that critical vantage point will be far less arduous.”
Ulsch said a point to note is the difference in responsibility between a security team and a forensics team, both valuable components brought in by the company’s board or legal office to help quell a crisis.
“To put this in perspective, consider the following. Your house has locked doors and windows, and maybe a security system. The locks were selected by a security provider. A security service monitors the environment by checking the doors and windows every night,” he said. “This is what security does. But if someone breaks into a home and commits a serious crime, a forensics team will show up and go to work. There are special skills, special tools and experiences that distinguish between the two groups. Both are important, both have a role, but they are different roles.”
Gragido said his advice for those who have been compromised is to “first breathe.”
“Take a moment to reflect on what has occurred and take inventory of the events that have played out and led to the compromise,” Gragido said, agreeing with Ulsch and Pirc that the breach may have been occurring unknowingly for years – an unnerving discovery. “These organizations should in fact engage in an incident response exercise — led by internal or external sources in order to better understand the nature, depth and breadth of the compromise.”
Gragido said he would also advise an organization that’s been breached to exhaustively review its previously ratified processes and procedures, as they would, by default, come under scrutiny during an investigation.
“It will be important for an organization to understand if the root cause of the breach or compromise was through a targeted phishing attack or if it came through the exploitation of a vulnerability on an internet-facing server,” he said. “Understanding their processes and procedures and being able to speak to them with confidence and fluency will aid responders seeking to identify the kill chain of an attacker.”
Companies that have been breached should first concentrate on the problem at hand before considering how to safeguard against potential crimes down the line, according to Ulsch, who compares it to the steps taken in a medical situation.
“If you are having a medical emergency requiring immediate attention, it doesn’t make much sense to focus on long-term plans to diet and eat more healthy foods,” he said. “You need to deal with the crisis at hand. Then consider plans to exercise, lose weight, and so on.”
Safeguarding against further attack is the second step in addressing a breach, but it’s also the most effective way to avoid an attack altogether.
Gragido said that the first action to take in preparing for potential breaches is possessing the right internal resources, namely a formidable Chief Information Security Officer.
“I would say that the first order of business is to have a strong CISO in place who understands the dynamics of the threat landscape and can use that understanding to direct the creation of policy and plans, like incident response, in order to mitigate risk and reduce their attack surface,” he said.
According to Gragido, organizations may want to invest in 24×7 monitoring of their environments, either through internal means or services provided by third parties, and invest heavily in red teaming exercises in order to test their risk posture for exploitable vulnerabilities.
“Doing so will provide a keen understanding of the organization’s attack surface while providing the organization in question with paramount information related to what needs to be addressed to mitigate risk,” he said.
Gragido said organizations should also consider investing in technology with two functions: to offer protection and mitigation capabilities while also providing visibility and response capabilities.
“Most organizations have some form of mitigative technology in place today already, like firewalls or IDS/IPS [intrusion detection and prevention systems],” he said. “However, many, if not the majority, do not possess technology that provides them with unparalleled visibility at the network and host level. This visibility is critical and will over time prove to be the saving grace in the event of a breach or compromise.”
Though mitigative technology can ensure some peace of mind, it can’t promise a company complete immunity from cybercrime in all its deceptive forms.
So when a company has undergone an attack, it needs to identify its key data assets, according to Kerry. The next step is to understand what the threats to those assets are, which helps a company prioritize them.
“If you guard your diamonds and your toothbrushes equally,” Kerry said, referencing a famous McGeorge Bundy quote, “you’re going to save more toothbrushes but lose more diamonds.”