Implementing the Lessons Learned From a Major Cyber Attack

Captions
Good morning. To introduce myself, I'm Andy Powell, chief information security officer at A.P. Moller - Maersk. I have been there for 18 months. I wasn't there during the cyber attack two years ago; I was the guy who came in afterwards. Read into that what you wish, and I'll explain a little bit as we go forward. The thing I love about Black Hat is it's one of the few places where the guy wearing the suit is the odd guy, which is great; I think it's a really good thing about this conference in particular.

By way of background, I spent 28 years in the Royal Air Force. I was the chief information officer and chief information security officer of the Royal Air Force and also ran cyber defense operations for the Ministry of Defence for two years. When I left six years ago I ran the cyber defense practice for CSC and then the cyber practice for Capgemini, selling cyber security to companies like Maersk. I decided it was time to walk the talk, and when Maersk made me an offer I came over onto the other side. So I've seen both sides, both the vendor and the user perspective.

What this presentation is aiming to do is primarily bring a key thing to your attention. The most important thing is that two years ago, over two years ago now, in June 2017, the world changed completely for those of us in industry trying to defend our networks. The world changed because for the first time we could be the victim, or collateral victim, of a state-sponsored cyber weapon, which is exactly what happened. What that really woke us up to as a company was: what would we do to try and counter that, or react to that, in the future? So this is as much about what we've done subsequently as it is about the attack itself. It's really in two parts: what happened during the attack, how did we cope with that, what was the resilience posture, and what were the golden lessons; but really the major part is what we've done subsequently and why, and hopefully there are some good lessons in there. There's some time at the end for questions, and we'll go into that then.

So, as I mentioned, I'm going to talk about NotPetya: what we did at the time, the damage that was done and why. We'll look at the implementation of the lessons. I'll talk about some of the strategic changes, from my perspective, that we as a community need to be aware of; many of you are probably already aware of them, but if you're not I will rehearse them. And then primarily I'm going to look at how we sustain what we've put in place, because that's as critical as anything else.

So, the cyber incident itself. Many of you will be aware of what happened with NotPetya at the time. It was a really interesting background scenario. We were not alone. Maersk is one of the few companies that has been open, transparent and honest about what happened during that attack. A number of big international companies did not take the same approach and hid from the impact, tried to disguise it, tried to shy away from it. I think Maersk did the right thing by being open and transparent about what happened and why, and it has been able to leverage a lot of support both from our suppliers and from a lot of partners that we brought on board, I think much more than many of the companies that opted not to. So we'll talk about that.

For those of you who are not familiar with Maersk: we move 20% of world trade and 33 percent of the world's bananas, so one in three of the bananas you have in your house was put there by us. Just remember that when you're eating the banana next time, and thank Maersk for the banana. But we move that amount of trade. If we were brought down, 20% of world trade would be disrupted. That's quite important. Does it add to my sleep at night? Not really. But that's quite important. 753 ships; most of our vessels can take 19,024 ISO containers; 74 ports and terminals globally that we own and operate; and then a number of large warehousing capabilities and 300 tugs. So just imagine the amount of infrastructure that supports the business. It's quite phenomenal, and I'll talk later about the challenge that really starts to face us around operational technology. For those of you who are in that space, the whole challenge around OT and how we secure that in a cyber sense has really come to the fore as well.

But that's the size of the company, and two and a half years ago it was like the rest of the shipping industry and the logistics and supply industry in terms of its maturity: pretty low on the sector maturity scale. At the top are the banks and the governments, who spend a lot of time and money on protecting what they've got; in the middle we had primarily the retail business; and closer to the bottom we had manufacturing and the logistics and supply type capability. So we were very similar to most of our competitors and most of the industry at the time, in that the network was not at the time considered a critical part of the company. It supported company operations in the mindset of most of what they did, but really it was an asset-focused company like most: it was about ships, it was about ports, it was about containers. And the fundamental lesson was that actually what was lying underneath was connecting all that together and making it work. The manual fallback was not there, and we'll talk about that as we go forward, and it will be even less so in the future as automation starts to move far more into these sectors, so the impact will be far more difficult to counter. We'll talk about that.

So, the reason I show our rather nice headquarters in Copenhagen, where I seem to spend most of my life: on a sunny day on June the 27th, my boss, who was two weeks into being the CIO, sat just by the flag having a photograph taken when his phone went off to tell him that things were looking a bit awkward. That was probably the understatement of the year, because what had happened, and I'll talk about this in a second, is that within seven minutes, seven minutes, of NotPetya striking our network, most of our network capability was down. Seven minutes. Most of the damage was done within an hour, and we spent most of the time after that recovering. So really most of that catastrophic damage was done in what I now call the golden hour, and it's the golden hour principle that's one of the key principles I actually use.

At this stage, not surprisingly, Adam quite quickly reached out for as much support as he could get, and this is the first golden lesson: by telling our suppliers and our customers what was happening straight away, we got support. Really, really important. Microsoft were brilliant; they immediately leaned in to try and understand what was going on, but not surprisingly they were a little bit shocked, as most of us were, about what this was doing and how. Microsoft were trying to help us develop patches as we went, but it was pretty clear that we were not going to be able to counter what was going on, and I'll talk about why in a moment. But the reality of life was the suppliers reached in to help us. Our main outsource supplier is IBM; they were our main supporter running our data centres and a lot of our background capability. Microsoft, one of our key suppliers, dropped everything and came to help us, because we were open with them. Similarly, our clients started calling us. Clearly they were slightly worried about where their bananas were going to be, but the most important reason they started to call us, funnily enough, is that we started telling them what was happening. Their first response was "how can we help?" Good. It doesn't always work; there were a few of them who were a little bit more worried about where the container was going to be, but at the end of the day it was very, very open and transparent.

NotPetya. For those of you who are far more expert at what NotPetya was and have done the forensics: we have a forensics report that big, which we commissioned with a number of providers to look at what NotPetya was. NotPetya was not a ransomware capability whatsoever. It was a state-sponsored cyber weapon disguised to look like a ransomware attack. It was deeply unpleasant and deeply aimed at disruption; it was aimed at disrupting the economy of Ukraine. The reason I raise that is that we had an office in Kiev and, like all people who do business in Ukraine, we had to put our taxes into the Ukrainian tax system via an application called M.E.Doc. It was mandatory, it was required, and it was through the M.E.Doc software, which was effectively the equivalent of your HMRC software that you put your tax return in to, that we entered all our tax information. It was through the M.E.Doc application that NotPetya was spread. Basically, an individual within the company who provided the software was, we believe, coerced or blackmailed or bribed some months before to provide the credentials to enable a third party to insert the malware into the next upgrade to M.E.Doc, and it was that upload that then caused what happened. If anybody thinks it was some smart front-door methodology to get it in, it wasn't; as we understand it, it was coercion or bribery through an individual user, which is a golden lesson in itself about how many of our third-party software suppliers represent quite a large risk to us, which is also something I'll touch on later.

As you can see, a lot of the open media was very clear about what NotPetya was at the time. It used about four different forms of exploit to get at us, two of which are pretty much open press, one most people can guess at, and one most people couldn't guess at. There's often a story about "well, if you'd been fully patched with Windows 10 and everything was up to date you could have stopped it." No, because one of the exploits would not have allowed us to do that, and one of the reasons for that is that most of what we did was standard operating procedures. We had a server based in Ukraine for us to operate with; that server was running the standard way most Microsoft server-based services are run, and it was through the methods by which that server was run that the fourth exploit was able to operate and spread across our network so quickly. So we have looked long and hard at whether we could have stopped it. The answer is no. What we could have done is, potentially, we could have contained it, but at the time we were at the same standard as our competitors in terms of the network's maturity, and in reality having that level of containment across such a broad network is really difficult to do. We've subsequently done quite a lot of work around that, and I'll explain the challenges of trying to bring in containment across your network, but the reality is that's what we faced.

So I've talked about how it got in and I've talked about how it exploited the network. You can imagine the reaction of our users. This was something foreign; this had never happened before. Their screens were going black and strange messages were popping up, but in reality things were being taken out. What was taken out? What was the most profound thing that hit our company, do you think? Not a rhetorical question; any volunteers? What do you think was the most critical component that was taken out, that could have killed the company? Yeah, I've heard all sorts, reputation etc., but I'd actually say it was the Active Directory. For those of you who run these sorts of Microsoft-based networks, AD is king. It is your engine room; it is the thing that runs your network. If you don't look after it and nurture it and love it, it will kill you. All right? It's a golden lesson: Active Directory is king. What was the key thing about Active Directory was that all our Active Directory nodes were taken out bar one. All our online backups were taken out. All our online backups were taken out by NotPetya. It was designed to destroy online backup, designed specifically to prevent you being able to recover using online methods. Another golden lesson: how many of you have got properly utilised offline backup that you properly manage? There's a few hands going up; there's probably a few people in there going "I'll look into that when I get home." Trust me, it is the best thing to invest in, because a lot of these sorts of high-level nation-state weapons will take out all your online.

Active Directory nodes: all our AD nodes were taken out. We had no copy of our Active Directory, we thought. We had nothing to restart the network with; it's a bit like not having any jump leads to restart your Active Directory. We didn't have it. Unfortunately for us, there was a power cut in Lagos, and our office in Lagos, which had an Active Directory node, was offline during the attack. Now, I like to think that was designed specifically for that period, but in reality we were very fortunate, and a very lucky individual sat in Lagos got a first-class seat on the next aeroplane out, and sat next to him in first class was the Active Directory server. It's probably the best-moved piece of equipment in the world, and he was not to let it out of his sight until it got to the Maidenhead office. We used that to restart everything and rebuild everything. It was very, very fortunate. But let me be really clear: at that time, two and a half years ago, very few people would have realised that a state-sponsored weapon could do that to that degree.

The other things that were taken out, quite obviously, were our applications. So one of the other key things we discovered, and this is another non-rhetorical question: how many of you believe you have no shadow IT in your organisation? Excellent. I introduced a policy of "bring out your dead", where I hold nobody accountable or culpable if they bring it out and tell me what they've done. They don't get told off; they just tell me what they've done, so I know where it is. Visibility, visibility, visibility. I'd rather know about it than not. So when we started rebuilding our applications and started them again and went to our people, "hey, the application's working", they went, guess what, "no, it's not", because people had built macros to link applications. And I hate it: Excel macros stink, all right, but they run companies. Most major companies in the world have got all these lovely macros running to make life simpler, and if you take them out and don't restart them, all these applications are singing away and not talking to each other, because the manual person who remembered, who designed that, isn't there any more. So we had a real challenge getting all those macros back up; that was one of the challenges as we went through.

But you can see the sort of damage that was done. We bought every laptop in the UK. I had people, well I wasn't there, but they had people walking around with credit cards going into PC World and buying every laptop they could find, which made us really popular. Funny, the prices went up as well; I don't know why that was. So this was phenomenal. I was at the time at Capgemini; I had a number of companies reach out and I was helping them recover from NotPetya as well, so I had a lot of experience with other companies as we were going through NotPetya. But Maersk themselves implemented a recovery method which was really, really good. Shipping lines are designed to be able to recover from disasters; they're used to actually stopping ships sinking or containers falling off the side of ships, but they implemented the same methodology to do what they did here, and the command and control arrangement was really, really good.

But the most important thing that we learned was that WhatsApp was a really good application, and the people running the company were below the age of 25 by the end of this, because they're the only ones who knew how to use WhatsApp groups. What we did is we used WhatsApp, because all our phones had gone; they're all IP-based phones, and we lost all our phones. So mobiles were working, and what people were doing was forming WhatsApp groups. And you know what we've done since? We took all those WhatsApp groups that were formed at the time and we've used that to remodel our business, because that was how people worked. They created groups around the way they operated, and we've gone back in and looked at those groups and used that to help rebuild our business processes. So there was a really great bit of fallout from the attack. Some might say it was great we had the attack because it helped us redesign our business. But those WhatsApp groups were formed by many of our younger staff, and they were brilliant, because what they were doing was being able to group people together, come up with decisions and work out how to solve problems. Problems were solved in those groups; they were collated together through a centralised command and control in Maidenhead, and basically every single packet of crisps in Maidenhead was bought by us as well, to feed our people living there 24/7 for that period. But the reality of those 49 days: we built the initial 2,000 laptops literally in the office from scratch, and I had some very, very happy people singing and whistling, or so I was told at the time, that these people were really pleased. The Active Directory node, as I say, was built, and the individual who brought it across from Lagos was lauded and given a free meal and sent back by first-class plane ticket, and we were able to rebuild the systems and go forward.

So it took us nine days to get Active Directory back up. Nine days. And in those nine days, before we could refire the network, you can imagine the logistics problem we had. 19,000 containers a ship, four or five ship visits to a port; you can just start doing the maths. We didn't know what was inside the containers. We knew what was inside the reefers, the refrigerated containers: bananas, medicines. We had to get those; those were our priority, the cold chain, because those medicines had a lifetime expiry issue and a temperature control issue. So we moved all those to air and to clients. But we had a lot of empty containers, so a lot of containers we didn't know what was in. Given we moved most of Primark, there was a real danger that my daughter wasn't going to be able to get to Primark and buy her clothes for the summer. So the reality of life was we had to find out what was in the containers. There was a fantastic effort to find out what we had. We used the people at the ports and the terminals, we used many more suppliers to help us identify what was there and, more importantly, talked to our clients about delaying that. But I want to bring out one very important thing that we've done since, and I'm going to say it now: nine days to recover your Active Directory isn't good enough. Every company should aspire to have Active Directory back up and running after an attack within 24 hours, because if you don't, you can't do anything else. So that's one of the key lessons that we learnt, and we've spent a lot of time and effort around that.

So, onto the lessons. Changing threat landscape: nation-state weapons are even more pervasive than they were. They're all out there. What's really worrying is that those nation-state weapons, which are high-end and well developed, are moving into the hands of proxies: criminal organisations acting on behalf of the nation-state. The kickback is that they can keep whatever funding and money they can make from it, and the quid pro quo is the nation-state uses the weapon to get inside big corporation networks. That is really starting to happen big time; we're seeing that. Don't get me wrong, like most companies we're being attacked all the time; I'm not pretending we're not. The good news is that we're actually coping with that. The reality is most of those attacks are still criminal in nature, but behind some of those we're now starting to see nation-state actors, the APTs many of us recognise, operating. We have identified at least three key APTs who have used a proxy to get into our networks over the last six months, and we've been able to stop that. But they're doing this to all the major companies around the globe; it's a constant war of attrition. They're also using multiple attack vectors, and then what I used to call sleight of hand. All of us are used to trying to stop the front door; it's the guy getting through the back window that you should worry about, and that's what's happening with many of these attack vectors. They're lulling you into the front door while things are coming through the back door, and you've got to be alive to that. Do not think that what's just hit you is the sole method of exploitation. It is likely to include this: it's a bit like an ICBM, an intercontinental ballistic missile, and it's got about ten warheads inside the one warhead, and they're all primed to go and do different things in different places. That's how advanced some of these weapons are starting to look.

The second thing is the attack surface. Like most companies, I call it the sugar cube. If you imagine that your company used to be one sugar cube, and you could protect the surface area of that sugar cube with a very old-fashioned front-door defence, what's happened is somebody's come along with a big hammer and smashed that sugar cube up and said "now operate your network with those small pieces". That has multiplied the surface area of your company. So it's no longer a front door. When somebody asked me the other day what the analogy is, I said the analogy is you've spent all your time making sure the front door and the windows were secured, and then some swine has come along and built 12 new front doors and given keys to a bunch of people, and often you don't know who they are; sometimes they're giving keys directly to the customer, for Pete's sake. So suddenly you're having to think in a different way to protect the network. That attack surface has changed; what we've got to protect against has changed.

The second thing is, for us, we're moving: we are looking to be a digital integrator of global logistics. We are moving big time into being a digital company, so data is king; data is the new gold. Anybody sitting there thinking the disruptive nature of the attack is still the thing: there's nothing wrong with protecting against disruption, but actually loss of commercial data is now becoming even more critical. That commercial data is gold. What the bad guys are trying to do is get that commercial data and sell it, because they'll make more money than by simply disrupting your network. And that's the issue: data is gold. What are we doing about data integrity and all those things? No offence to anybody who's a data security expert in the room, but data used to be the boring bit, didn't it? "Let's just focus on the disruptive side." Data is not the boring bit now. In the nature of our digital businesses, data is king. We've got to work out how we manage that data; the good old CIA around data has to apply, and we have to work that out.

Finally, OT. For manufacturing companies and companies like ourselves, some swine has come along and put flipping IP addresses on all my engines. What have I got to do? Well, that engine has suddenly become a node on my network. I've now got to protect the engines in my ships; I've got to protect the automated cranes; I've got to protect my automated warehouse capability. One of our warehouses in China makes most of Amazon's look really small, and it's fully automated, so how do I protect the IP-driven machines inside that factory? It's becoming even more of a challenge. And finally, that data piece I've talked about: data theft is a real worry because of the black market in data. That is key, understanding that black market.

Conscious of time, the other issue is the balance. Somebody earlier, I heard them say it, said probably the most important thing was brand and image. Yes, it is, don't get me wrong, and particularly as they were a bank, clearly if you're a TSB customer, for instance. If you're in a bank, you'd worry about the brand and reputation and trust, because you're going to lose clients quite quickly if that's lost, and clearly that's really, really important. But you've got to expect these nation-state weapons can get in. If you are the collateral victim of a big weapon that goes off in the middle of you, you're not in the middle of the war between that country and another country; they just fire a cyber weapon and you just happened to be the victim because you've got offices, you're a global company. You're going to be hit. Can you stop it? To a degree, yes. Can you fully stop its impact? Possibly no. Therefore, what should you invest in? Recovery. Many, many companies and many CEOs have a mindset that a hundred percent protection is possible and that's what you should focus on. As a vendor, I thought that was brilliant, because I could sell millions of dollars' worth of protective capability and walk away smiling, knowing that despite me selling multi-million dollars' worth of protective equipment, the chances are that high-end nation-state weapons will still get through. And they are getting through. So what should you do? Well, you should equally invest in what I call contain and recover: contain the impact, should it occur, better, and then recover the capability, to minimise loss. So go from 300 million dollars of loss to X million dollars of loss. Actually, that appeals to the CFO in many ways. Now, if you're a brand-centric company, that's not the same issue; you're going to invest much more in the protection. But if you are less worried about the brand piece, particularly in the manufacturing space, then you should be looking at that recovery and containment equally.

And then finally, one of the golden lessons we learned during the attack was that the IT department used to be that bunch of geeks that nobody talked to. They were just accepted. That is not the case in any business any more. The joy of being in IT is you are the business, particularly in digital industries, where we're all going. These businesses cannot move forward without us being integrated with them, and that applies to cyber. So when the business folks come up with a new product, you've got to be integrated into that product development from day one. It's not just DevOps; this is actually the business DevOps, as I call it, where you are absolutely up front with the business, trying to work out what they're trying to do and why. "So you're going to create a direct relationship with a client in the middle of that country? Really? OK, let's work out how we're going to protect our data, because that is a particularly high-threat scenario." And you've got to get in early, before it goes too far down.

Applying the lessons. So what do we do? I came in to help implement this plan. I went in because my CEO gave me a lot of money, not personally, but gave me money for a cyber programme that would enable us to rebuild and put in place cyber capability. Now, that cyber capability, by the way: many of our peers in the industry have done the same thing, realising, having seen what happened to us, and they're doing the same thing in their areas. We had a 90-day plan, and that first 90-day plan was to rebuild and put in place heightened protective capability on our endpoints. And I'm not going to pretend, I'm not going to hide the fact, that we use CrowdStrike for our endpoints, and it's really good. Anybody out there from CrowdStrike, well done; it's a good bit of EDR capability, and it helps a lot, because what it allows you to do is take breath as you rebuild your security organisation and put more people in with the skills you need. The actual thing about CrowdStrike is it sort of helps you automate a lot of that endpoint protection. It's really, really good, but it isn't the only method we'd clearly want to use. We had a three-year programme; we're now just coming up to two years into the programme. I've got a year left. It's been hard work, but the real focus is that balance of containment, application vulnerability fixing and working on our recovery measures. We now have contingency plans at all our ports and terminals, and you'd be surprised how some of our stevedores who operate in the ports now understand what to do in the event of a cyber crisis. Some of these people have no education, yet we now train them to deal with a cyber incident should it occur, and they know what to do. It's like all their ready measures: we treat cyber like safety, because in Danish safety and security is the same word, so we decided that it makes sense to put cyber inside our safety organisation, well, within our safety mindset, so that people think safety, think cyber, and that's really paying off big time. It's really hard to get people to think cyber; if you associate it with safety and test them, funnily enough, it works. So that's one of the things we've been doing.

I've talked about the three areas we focused on. The engine room: Active Directory. We now look at how we can make that more resilient, and it's about resilience of your Active Directory node. Many of you in the room who are smarter than I and are in the white-hat hacking territory will know that Active Directory as currently delivered, and DNS and DHCP as currently delivered by Microsoft, have vulnerabilities. Can we stop and protect against all those vulnerabilities? Not necessarily. What we can do is mitigate the impact of those vulnerabilities being exploited, and we focus quite a lot of time and attention on that. Privileged access: hands up those of you who know how many people in your company have privileged rights to your network. One hand, two hands. OK, there is a problem, because of the method by which people can get privileged rights in Microsoft-based networks; it's a nightmare. You've got to introduce a draconian method to prevent people having too many high-privileged accounts. Least privilege is king, and we have reduced the number of privileged account holders massively for that reason. It is a massive thing to do; it's painful. We've used CyberArk as the key capability to do that, but it is painful to get the process in place to manage that. You've got to do it. And the third area is around the business-critical applications. How many of you know which are the business-critical applications in your company, the ones that are on what I call the real top-end end-to-end process? Because most companies don't, strangely enough. We learnt which were our critical applications; it's the old classic: turn it off, and the first person who squeals probably means it's important. That's a good way of finding out, but I wouldn't recommend doing it. We were lucky, because we were able to then re-establish what our business-critical applications were and our end-to-end processes. So we mapped our business processes end to end and saw where our key applications sat on those processes, because that allowed us, really critically, to move forward.

So I'm just going to go through a number of things quickly. At the bottom, we put three target operating models in place: GRC, security operations and secure by design, because every day you don't have a secure-by-design model in place to prevent people building bad security in, you create a vulnerability to be exploited. You've got to train all your developers, train all your users, to adopt a secure-by-design mindset, and that's been painful. We've put standards in place. I hate the word policy, by the way; it's banned. Policy is just dust. Standards are king: you introduce standards and you draconianly apply those standards and make sure people use them. The other issue is exercising and training. I call out my SOC; no-notice call-outs of my SOC are very regular. I'm hated, because they get up at three o'clock in the morning just to say they're there. All right, that's important. You've got to rehearse your security operating procedures in real time and see how they work, and that helps you understand how the organisation works.

I'm going to leave a bit of time for questions, so I'm just going to go over the OT piece. The thing about OT that's really important is, notice the word framework; that's another word I've banned, by the way. Framework is an excuse for not doing things. "I built the framework." "Yeah, great, does it work?" So frameworks are important, but we've built two frameworks: one around the OT side and one around the IT side. Why two, do you think? I'm an engineer by background and training. IT people used to be the scum of the earth to me; now you're lovely people. But the reality of life is the engineers see you as a threat, because they're running their machines, and now they're putting this IT on their machines and you're coming in to tell them how to run their machines. Really? So you've got to create an environment where the engineers running that OT and the enterprise IT guys can talk to and work with each other. There are two frameworks, but they're federated; in other words, on top of that we look down and we control those two frameworks. The bow-tie model, by the way, is so that we have a balance of reactive and proactive controls. As I mentioned earlier, don't put all your eggs into one basket. I'm going to jump over these two slides.

Four key principles. And by the way, I forgot to mention at the beginning that there is an exam at the end; you all have to pass the exam before you're allowed to leave. No mumbling. In a minute I'm actually going to give the exam away; in a second I'm going to take you through the five security operating principles that everybody in my company has to be able to tell me in a lift. Sounds a little bit draconian, doesn't it? But everybody, from the lowest guy working on a ship who is one of our crew right through to the CEO, has to understand what the five are as part of their training. These are the four principles that we built our strategy around. The most important one of those, by the way, is visibility, visibility, visibility. If you can't see it, you can't fix it, and that's really one of the biggest problems we have. But here are the five; remember them, because right at the end we're going to test you. One: everybody is responsible for security. That's really important; it's not just me, it's not just Andy Powell, it's everybody, and I hold everybody accountable. But critically, in the business, I've held the business accountable for cyber risk, not me. I've pushed and devolved cyber risk to the business, so I actually have the guy who runs the ships owning cyber risk on vessels; that's part of it. Third is trust. Trust builds trust with your clients, because we have found that we've got customers flocking back to us to do business with us because they trust us. It might be the fact that we've been hit once and therefore lightning doesn't strike twice, but I don't think that's true; I think they're coming back to us because they see that we've put investment into building secure supply chains for them, and that's growing our business by up to 20%. Fourth, resilience: as I mentioned earlier, don't just protect; be able to react and recover. And finally, that security is a benefit, not a burden, and that's really, really for our developers' sakes. Are you remembering those five? Because you're going to shout them back at me at the end. We've also been getting our credentials. Some of you, certainly in the UK, will be aware of Cyber Essentials; we've possibly won two contracts by getting Cyber Essentials Plus. That's quite appealing to the CFO and the chief commercial officer. For those of you out there who think it's just bumper stickers, it isn't; I think it's important, because it shows that you've got a third party showing that you're getting to the right place, and we're sort of certifying our supply chain as well. So before I go into any questions, can you remember the five security operating principles? Without mumbling: number one, everybody's responsible. Very good. Number
two you're not all saying this number two very good number three trust number four come on come on you get in there and the most important one it's a benefit not a burden okay everybody at top hat should go around saying I am a benefit ok not a burden because that's how you sound bit some people see okay I've got time for questions Falls open any question you like I'm a lifelong Liverpool fan so chances are liver for winning the Premiership this season really good well sorry come back to you in a sec if we can get a microphone hey over here wait yes all right Kay so do you think I don't think it should be a blame game but vendors are promising you 100% coverage and all this nonsense do you think they should be held accountable when this kind of stuff happens you were you were a vendor as I said you know how this game works but yeah it ends up this way when we believe their claims yeah it's a really really really good question thank you for that I'm not sure I'm happy with the question but let me go let me go ahead should vendors be accountable there are lots of variables when you implement a cyber solution I'll say that now as a vendor there's one thing I used to hate was unlimited liability clauses in contracts because most vendors just shy away you know from those unlimited liability clauses because there are so many uncontrolled factors in the way that that capability is landed in the organization that to be held fully unlike you know have full unlock liability cover is really hard so one of one of the key things is most contracts negotiate about 100% to 200% liability on failure of that particular piece of capability which is really up to the cost of the product soul is that the right approach I think most vendors would not be happy going to unlimited liability and you'd struggle but the real issue it's a two-way process okay I think what we're doing with our vendors by the way is I have put this year that coming is the year of sustainment for me I've landed 
all this new capability it's great I've landed all these new tools and all them all the vendors are all thinking they can walk away but as an ex vendor I'm not letting them they're going to sit with me until I'm happy it's sustainable and when it's sustainable and we've ironed out the bugs then I'm happy and that's part of the deal we've reached for them as they've come in so I think it's really answered your questions you change the dynamic of how you bring the vendor in you don't just let them give you a black box and walk away you ask them to open the black box up and explain it and then be around for it when it goes off okay and the vendor that stays is the vendor I trust that makes sense it's hard don't give me don't get me wrong it's hard but having been a vendor I would love to walk away and then go and sell else but when somebody holds me to account I go ok but I can then build some trust and actually if you stop building trust you might get more business that makes sense so an answer your question it's a dynamic you mustn't let them walk away good question yeah so you mentioned and the slides that you talk to the person who brought the malware and I'm just curious how did that play out um well I was entrapped but the individual came forward actually to speak to us and what they told us sort of indicated to us that what they were saying was you know they were the likely person involved in developing the weapon that was a conversation clearly with no attribution at the time we wanted to understand what had happened that person was protected by the way under their state law but we were able to get quite a lot from that individual about the nature of the exploits particularly they forth exploit which they developed and that's helped us quite a lot how one of the golden lessons that I didn't put up with forensics forensics forensics every time we currently have a failed cyberattack I always have a forensics investigation even if it seems quite small because 
every event that you're trying to deal with teaches you something even if it's quite small so we will always do a forensics back up so those of you in forensics companies you're probably rubbing your hands going how do I get on Andy's framework ok and there is a framework but we do forensics all the time we learn all the time and what we're starting to see we're sharing some of the reasons I'm in as soon as I'm off to go and visit some people in London to talk about that those sorts of things so we have to share can I be honest with the people folks in this room we have to share what we know about how these things work openly to stop them one more question then a few more minutes why do you think that especially you were chosen by the state level attack and what do you think of the the whole movement into the cloud in with this background because I think the cloud is really good to protect for a medium resource attack attacker adversary yeah very hard against the state level adversary yeah so let me um answer the question so there were about 600 companies impacted it's not just us any company doing business in Ukraine that had to file a tax return was it was hit okay let's be clear so it wasn't just mercy we were collateral victim we just happened to be in Kiev operating in Ukraine and most of the key companies that were hit were doing business in Ukraine there were some very very big companies in America who never said anything about what happened to them but they were very big and got hit quite hard that two of them harder than us I think so we were not alone but we were collateral victim we weren't intended target the intended target was the Ukrainian government we just happened to sadly be linked to that at the time that's first up that's the first thing so I would ask anybody who knows those companies who didn't open up they should because to be interesting to understand what the lessons were that they learned in the event the second piece about the cloud 
Coward's a great interesting one I'm a huge advocate of clearly moving to the cloud but I'm also a huge advocate that cloud based security is in need of help there's a lot more work needed in cloud security than there's currently there no offence only be from Azure or Amazon but I don't trust the baked in security in cloud and therefore we are wrapping our cloud services in additional security and you should because the end of the day you've got to understand what weight you can bring all a lot of your sensitive data and operations and capability into a insert into the cloud you want to make sure it's protected are you going to rely on the third party doing that for you in the cloud not necessarily that makes sense so there's a lot of work to be done in cloud security anybody in cloud security companies I'd buy more shares okay because a lot more needs to be done before big companies like us start to trust you know that full cloud-based approach is that answer you're after any other questions cut you are down to last minute so I keep getting cards flashed to me five minutes okay over here yep this your annex RAF officer and military man aren't you in danger of fighting the last war here isn't that a problem so the attack that kind of hit you was developed probably year or two yeah for it you are a side effect yeah the danger here is that more weapons have been developed over the next few years yeah what's your assessment that's a really really really good question my assessment is I've told my people not to trust me for that reason so what we've done is we've bought in a red team capability who if you like actors are forward look as they're looking at the horizon from a red team point of view and looking at the emerging threats and they're constantly testing me to say what you're doing Andy is great - you're very good point two years ago will it protect us from this new development that we're seeing over here and the answer to that is shoot okay best we do a bit of 
test and adjust so to your point every organization and every size Oh needs a conscience to test them and I I deliberately did that because of that very good point about fighting the last wall I want to fight the next war and be ready for it so that's why I brought in the red team capability they're about nineteen in age and they look young and really young younger than most people in this room seriously they wear ripped jeans and nose rings no offense to those wearing ripped jeans and nose rings but and they talk in a language I don't understand okay but they're brilliant because what they're doing is thinking laterally and thinking in ways I wouldn't think of I'm just a guy in a suit okay well they're thinking and bringing is original and unique thinking and you've all got to do that every big organization needs somebody to do that and to your point that's what we tried to do is bring in that sort of test and adjust so our threat we're building a threat information platform and that T IP is being populated by the that sort of thinking okay we're also bringing in government agencies to give us some their emerging thinking as well so we're bringing the Danish the UK and other governments to give us their thoughts and so that that to me is what wall should do if you don't have a threat platform in your company you need one and you need to populate it with some lateral thinking then you need to run some red team based exercises on what you've done bring in people to try and break it it's not an open invitation by the way to this audience please don't I get quite I get quite grumpy but the reality of life is we do bring in red team's to come and do it's not a fashion pentesting by the way good I used to run pentesting teams I know what pentesting teams can do we're not doing pen testing in the traditional sense we're asking people to be smart and think smartly and then test us with those sorts of questions and test us with those sorts of approaches then we can try and 
think so my Tier three analysts and I think Lewis is here in the room who they work for my Tier three analysts I'm asking them to be my red team not my Tier three analyst I want them to be the red team or to think hard about how people could get round what we've put in place so a long-winded answer to a very good question but the answer is I have bought a conscience to test me I think we're almost at time that's time for one more question one more question I don't know I think you didn't cover it in the slides did you think about it like heaven completely like a mock up like backup of your entire infrastructure which is a standby and then which you can flip over in case when you lose everything so I know it's very expensive to maintain because when I was threatened unless myself so that was my recommendation to give to the customers because especially in the medical you know like you lost you can't perform operation but the problem is that maintaining the cost of maintaining the complete backup is really expensive like mostly airlines are doing that so did you Sidda that did the calculate costs is it worth it right so one thing I didn't show is one of the best things our partner we we employed Deloitte's is our partner to help us over the last three years with the program you know it sounds like an advertisement for Deloitte but they did bring a very smart approach and we used a risk based triangle and at the top of that triangle what we call the extinction events to bigger events and then we worked our way down so that below a certain level in the Triangle systems that only had a localized effect that were damaged we would we do stuff about but we're not investing as much in that makes sense but everything at the top of the triangle on those business critical processes that we've got those five processes that run our company we have backed those up so we know how we can operate them in the event of those five key process is not working what I have not done is 
invest in all the ones below the a certain line and it's the risk-based approach to your very good point you can't back up everything because it just basically build a second company and even my CFO my CFO might not like me very much if I did that so the reality is you've got to have a risk-based approach the risk based triangle is king and then you've got the hardest to find where you draw the line because it's really hard to get the business to do that the old Billy Connolly sketch is I want everything and I want it now applies you know and there's not always enough money so you've got a work out through the risk prime triangle I think that's it I think we've run out of time but many many thanks thank you [Applause]
Info
Channel: Black Hat
Views: 8,298
Rating: 4.9432626 out of 5
Id: wQ8HIjkEe9o
Length: 50min 58sec (3058 seconds)
Published: Wed Mar 18 2020