This blog was originally published on CyFIR.com and has been reposted as-is here following eSentire’s acquisition of CyFIR Inc. in June 2021. As of the date of the acquisition, no changes have been made to the content below.
Hollywood crime dramas make hacking appear effortless and instantaneous. Typically, a hacker—dressed in all black—drops from the ceiling with laptop in hand, whispers “I’m in” to their compatriots in a windowless security van, and within seconds makes off with crucial files to make the operation a success.
However, this is yet another movie myth—data breaches are often complex events that unfold over time as layered defense mechanisms are bypassed. Organizations can significantly contain the impact of a data breach by shortening the window of time an intruder can operate undetected. According to a 2019 IBM study, cyberattacks take an average of 279 days before they’re discovered and contained. When contained within 200 days, however, their total cost reduces by $1.2, down from their average of $3.9 million.
A Hollywood-style perception of cybersecurity implies that simply making sure bad actors don’t get in will be enough. In today’s threat environment where threats are rapidly evolving and data breaches are increasingly common, this approach exposes companies to significant risk. Instead, organizations need to shift their approach to cyber defense to focus on cyber resilience—an approach that not only aims to prevent cyberattacks, but also react intelligently to minimize or eliminate the potential damage from a successful network intrusion.
Cyber resilient organizations minimize damage in the event of data breach.
Cyber resilience begins with the premise that not all breaches can be prevented. After all, cyberattacks are increasingly common and sophisticated—globally, a little under 30 percent of organizations will fall victim to a breach within two years. This reality has prompted organizations all over the world, from the Department of Homeland Security, to the European Central Bank, to lobby for greater adoption of cyber resilience practices. Instead, cyber resilient organizations deploy security tools, processes, and personnel with the assumption that a breach has already occurred or will occur. Network monitoring with tools such as the CyFIR Enterprise Platform provide continuous analysis capabilities to identify if any processes running in a network environment are malicious or suspicious, while threat hunting assessments such as CyFIR’s Fast Forensic Digital Investigations go deeper to identify vulnerabilities that can be missed by automated tools. Regular examinations of a network environment are crucial to maintaining good cyber hygiene and identifying potential threats before they have chance to spread throughout a network.
Case study: How the 2015 Office of Personnel Management breach illustrates the necessity of cyber resilience.
For a real-life example of how damaging cyberattacks become when unaddressed, look no further than 2015 Office of Personnel Management (OPM) cyber-attack—one of the largest public sector cyberattacks in history.
An OPM contractor first discovered the entry responsible for the incident on April, 15, 2015. Two suspicious files were found on two servers, which were broadcasting data outside the network. They’d been undiscovered for more than a year, disguised as files from a popular antivirus software—one the contractor knew the office didn’t use.
What’s more, one of the two files were found on a particularly sensitive server, one that gave hackers access to a trove of highly-sensitive files: millions of background search forms the agency conducts to screen federal employees and contractors.
All told, this exposed extremely personal information of more than 21 million federal employees and contractors. Estimates vary, but the breach’s total cost to the federal government may be as high as $1 billion.
In the ensuing federal investigation, OPM leadership was largely blamed for not taking enough preventative security measures. This investigation tasked federal agencies with taking additional steps to protect sensitive data and “improve the resilience of federal networks.”
Cyber resilience could have prevented the now-infamous OPM breach.
Hindsight is, of course, 20/20, but it’s easy to see that the OPM’s breach could have been prevented with a cyber resilience approach to network security. With visibility into the network endpoints—like the infected server—staff would have likely discovered the malware well before the agency’s valuable data was compromised.
In fact, shortly after the breach was discovered, and well before OPM went public, CyFIR CEO Ben Cotton was invited to the agency to demo the CyFIR Enterprise Platform —without knowledge of the recently-discovered breach. Since the CyFIR Enterprise Platform offers real-time endpoint monitoring, the disguised files were found in 12 minutes.
As for why CyFIR’s services were requested without informing Cotton of the incident, Ms. Donna Seymour, the former CIO of the OMB, said the following in a congressional hearing:
“It is my understanding that we gave them some information to demonstrate whether their tool would find information on our network, and that—in doing so, they did indeed find those indicators on our network.”
After the meeting, OPM utilized the CyFIR Enterprise Platform through June 2015.
