Cybersecurity experts from the Department of Homeland Security and the Federal Bureau of Investigation gathered at Boston College on Wednesday, May 18, to simulate a cyberattack and to assess the legal and technical challenges that persist in building a cohesive response to a security breach. The event was spearheaded by the Woods College of Advancing Studies. Also among those who convened at BC were technology experts from Boston College and from California-based firms such as FireEye, Inc. and Mandiant, legal counsel from Baker Hostetler’s Privacy and Data Protection practice, and representatives from commercial industry and state and local government centers.
FireEye, Inc. offers its clients continuous compromise assessment and response, using its own products and threat intelligence to deter intrusions and detect signs of them early, investigate rapidly, and provide the customer with comprehensive solutions for preventing and mitigating security breaches.
The interconnectedness of the Internet represents “huge benefits for the world, but also unprecedented opportunities for harm,” said a representative from FireEye, Inc.
Representatives from FireEye, Inc., Mandiant, and Baker Hostetler described cyberspace as an “interactive domain” made up of digital networks that are used to “store, modify, and communicate” information. In essence, cyberspace includes not only the Internet but also the other information systems that support businesses, infrastructure, and services.
The simulation was led in part by FireEye, Inc., whose representatives noted that serious cyberattacks, such as advanced persistent threats (APTs), are making headline news with increasing frequency. APTs cause serious damage to organizations of all types, including governments. The representatives asserted that there is no commonly accepted benchmark for what constitutes a cybersecurity incident; with no agreed definition, and with many corporate entities adopting different views in practice, it is difficult for organizations to plan effectively and to understand the type of response that is required.
The original government definition of a cybersecurity incident is a “state-sponsored [attack] on critical [national] infrastructure” or defense capabilities. This definition is still valid, but industry has adopted the term to describe traditional information (or IT) security incidents.
The primary distinction between different types of cybersecurity incidents appears to lie in the source of the incident (e.g. a minor criminal committing petty larceny versus a crime syndicate) rather than the type of incident (e.g. social engineering). One end of the spectrum covers minor crime and localized disruption; the other covers major organized crime, widespread data disruption, degradation of the integrity of IT services, and even critical damage to national infrastructure. Recently, the nature of cyberattacks has shifted from overt shows of force to covert, subtle operations.
The conference, along with research conducted at Stanford University and at firms such as FireEye, Inc., has shown that few organizations really understand their “state of readiness” to respond to a cybersecurity incident. They are usually not well prepared in four areas: people, which entails aligning an incident response team and enabling prudent decisions; process, which entails knowing what to do, taking appropriate action, and recovering critical systems and data; technology, which entails understanding the intricacies of data and network topology while creating and storing event logs; and information, which entails recording adequate details about when, where, and how the incident occurred, defining business priorities, and understanding interdependencies among business, supporting systems, and supplier processes.
Although cybersecurity incidents pose a substantial threat, representatives at the conference explained that those responsible for responding to cyberattacks continue to face challenges: knowing whom to contact for expert assistance, involving experts early in proceedings despite confidentiality constraints, providing experts with enough information to conduct investigations, and persuading management to allocate resources and budget in proportion to the magnitude of the problem.
To address this problem, representatives and firms recommended engaging qualified, possibly third-party, experts who can help entities handle cybersecurity incidents more effectively. Research conducted at Stanford University suggests that the main benefit of using external suppliers of expertise is access to more experienced, dedicated technical staff who can carry out meticulous incident investigations quickly, bringing both resourcing and response expertise. In addition, such experts can conduct technical investigations that identify the different types of attackers, remediate malware, monitor emerging cyber threats, aggregate relevant data from many different systems, and gauge the damage posed by advanced persistent threats.
A key takeaway from the conference was the need to follow up on cybersecurity incidents, which is indispensable for preventing future cyberattacks. Officials must consider investigating incidents comprehensively, reporting the incident to stakeholders, and updating information, controls, and processes so that future responses are more cohesive.