IBM X-Force simulates worst-day scenario

  • Be prepared: Chris Crummey, a cybersecurity expert with IBM, shared advice on how to protect against a cyberincident, and how to respond to one. He was a speaker at the International Cyber Risk Management Conference in Bermuda (Photograph by ICRMC/Twitter)

    Be prepared: Chris Crummey, a cybersecurity expert with IBM, shared advice on how to protect against a cyberincident, and how to respond to one. He was a speaker at the International Cyber Risk Management Conference in Bermuda (Photograph by ICRMC/Twitter)


A worst-day scenario played out for delegates at a cyber-risk event who took part in a simulation of what to expect when a cyber incident hits, and how to protect and defend themselves.

They learnt skills and approaches that work best in protecting against and dealing with cyber incidents.

Chris Crummey, a cybersecurity expert, and an executive director of X-Force Command IBM Security, was in Bermuda to help present the one-of-a-kind immersive cybersimulation at the ICRMC conference.

He helps customers prepare for their worst day and did so at the conference by letting attendees feel what it was like to be in the middle of an evolving crisis.

Those in the gamified simulation played roles that would be found in a real cyber fusion centre — an advanced version of a security operations centre.

Mr Crummey said a cyber fusion has a business response, not just a cyber response.

During the simulation there was someone playing the role of legal counsel, someone as HR, some as business executives, someone as cybersecurity team, and someone as comms and PR.

There are two distinct sides to a cyberincident, one is the technical side of the equation, where most customers spend their time. However, much of the eventual damage occurs on the other side of the equation, which is the business response.

Kurt Rohrbacher is the North American lead for the IBM X-Force Iris team, which provides incident response and intelligence services.

“When our clients have a breach, whether ransomware or targeted attack, we come in and respond and be the forensic team on the ground,” he said.

He ran through the best practices to mitigate risk from the technical side of the equation. They are:

1, Security hygiene. Blocking and tackling that most organisations should be doing. He said: “Things like vulnerability and patch management. Are you patching within a reasonable time frame? The WannaCry patch is two years old, but I’m still going in to clients and finding they have not patched that.”

2, Asset inventories. “Do you know where your assets are, where your endpoints are? How many highly privileged accounts you have,” he said.

“You’ll be surprised how often we find a system that’s compromised and we ask a client what is this, and they say they don’t even know. They don’t know who owns the system, what its function is.”

3, Network segregation. This is fundamental security control that almost no organisation does well, Mr Rohrbacher said.

He added that WannaCry was a worm that propagated itself automatically. If an organisation had proper segmentation in place to prevent Windows protocols it would not have been infected by WannaCry.

4, Multifactorial authentication. Many businesses use Microsoft Office 360, but only have username and password for access, with no second factor authentication. Mr Rohrbacher said a bad guy could get into one account, find out who else is in the organisation and target the “accounts payable” people, sending phishing e-mails from a real account to the people in accounts payable, saying, “Hey, can you process this wire transfer, by the way I have a new account number, here it is.”

5, Tiered access mode. This locks things down in a Windows environment so an intruder can’t pivot to every other system in the network.

6, End-point visibility and threat hunting. Mr Rohrbacher said this is probably the biggest security gap he sees. End-points give visibility into what is going on in an organisation’s network, and are a place where it is easier for security teams to spot unusual things.

7, Detection and response. “If you can identify the threats and respond quickly, you mitigate the risk of that breach,” he said.

8, Plan and playbooks. It is recommended that businesses have a step-by-step plan for dealing with a cyberincident and practise extensively.

When it comes to the business response side of the equation, many of the recommendations are for things you should stop doing in a crisis.

Mr Crummey gave the example of Equifax, the consumer credit reporting agency that suffered a high-profile cybersecurity breach in 2017.

He said the company’s Twitter account was operating seemingly unaware of what was unfolding elsewhere as the breach took its toll. He said the marketing team was not even aware they were in a crisis.

It got worse when a website regarding the security breach was created by Equifax, only for a similarly named malicious site to go live too.

“The internal marketing got confused and they copied and pasted the malicious site into Twitter, who sent it out over and over again,” said Mr Crummey.

“That means they are on their heels. That’s why we want you to train like you fight, and fight like you train.”

He contrasted this with mechanisms at IBM where, when a crisis occurs, marketing stops, sales stop, and executives cannot buy and sell stock.

Mr Crummey ran through the top things learnt from the popular simulation exercises conducted by the IBM X-Force team to teach businesses and organisations where they are at risk, and how they can improve security and crisis response.

Among his advice was a focus on culture and shared fate. “Culture needs to come from the executives down. Culture is how your employers feel,” he said, while shared fate was about recognising that it’s everyone’s job, not only the cyber team’s job, to be part of the cyber defence. He said one of his favourite moments was seeing a cybersecurity customer wearing a T-shirt bearing the words “You are the shield.”

Mr Crummey said IBM lowers its risk with safeguards, such as not allowing employees to use USB sticks, but instead to use the cloud platform Box to share among colleagues.

“All e-mails have the word ‘external’ on it if they are coming from outside, [in order] to lower the phishing attempts,” he said.

“I use face ID to authenticate in to the cloud, which is unbelievably quick.

“What they are doing is dramatically increasing security, but making it easy for me to doing my job.”

He said the company had moved to 15-charactor passwords, and everyone is given a password manager that they can use for their personal accounts and their IBM account.

“Why 15 characters? Because it takes 300,000 years to brute force break a 15-character password,” he said.

In conclusion, he said: “Make sure that everyone in your company is the [cybersecurity] shield.”

You must be registered or signed-in to post comment or to vote.

Published Dec 12, 2019 at 8:00 am (Updated Dec 12, 2019 at 7:25 am)

IBM X-Force simulates worst-day scenario

What you
Need to
Know
1. For a smooth experience with our commenting system we recommend that you use Internet Explorer 10 or higher, Firefox or Chrome Browsers. Additionally please clear both your browser's cache and cookies - How do I clear my cache and cookies?
2. Please respect the use of this community forum and its users.
3. Any poster that insults, threatens or verbally abuses another member, uses defamatory language, or deliberately disrupts discussions will be banned.
4. Users who violate the Terms of Service or any commenting rules will be banned.
5. Please stay on topic. "Trolling" to incite emotional responses and disrupt conversations will be deleted.
6. To understand further what is and isn't allowed and the actions we may take, please read our Terms of Service
7. To report breaches of the Terms of Service use the flag icon

  • Take Our Poll

    • "Who will the Progressive Labour Party run in the Smith's West by-election against Vic Ball after the retirement of Trevor Moniz?"
    • Vance Campbell
    • 24%
    • Ernest Peets
    • 17%
    • Anthony Richardson
    • 29%
    • Curtis Richardson
    • 15%
    • Roseanne Tucker
    • 15%
    • Total Votes: 1132
    • Poll Archive

    Today's Obituaries

    eMoo Posts