Picture this: a news story detailing a cyberattack in which no data was exfiltrated, thousands (or even millions) of credit card details weren’t stole, and no data was breached. While this isn’t the type of headline we often see, it recently became a reality in Las Vegas, Nev.
On January 7, 2020, news broke that the city of Las Vegas had successfully avoided a cyberattack. While not many details were offered in the city’s public statement, local press reported that the attack did employ an email vector, likely in the form of a direct ransomware attack or phishing attack. The use of the word “devastating” in the public statement led many to believe ransomware was involved. This inference isn’t farfetched—and is likely a correct conclusion—given that cities throughout the U.S. have seen ransomware attacks on critical systems. Attacks that have cost those cities millions of dollars.
According to the media, in the hours and days after the attempted Las Vegas attack, the security tools used by the IT security team quickly recognized the attack and set into motion a series of activities to prevent impact to the city’s systems and sensitive data. Aside from the city’s website being taken down in response (along with various other systems), the city appeared to escape any real consequences.
Examining this scenario yields three important cybersecurity attack prevention lessons. These may seem somewhat obvious but are foundationally critical to detecting and responding to cyberattacks. I’d also like to emphasize that there is as much value to doing a review of what happened when an attack attempt was thwarted as there is in diagnosing a high-profile breach.
Lesson 1: Diligent Detection
The city of Las Vegas had tools in place to monitor systems and detect the attack. After all, no organization can effectively respond to an attack of which they aren’t aware. While tools are a critical element, these tools had to be properly installed and configured, and kept up-to-date with the most recent attack profiles in order to be effective. The tools’ data and warnings were also properly routed to those who monitor the systems and could initiate a prompt response.
I spent some years in the world of advanced persistent threats and detecting exotic tradecraft. One of the lessons from that experience is that attackers are human. As such, they are prone to the path of least resistance and will use well-known attack vectors. They bet on a lack of adequate detection and simply make intrusion attempts until they find an organization that is not prepared to detect what is easily detectable. Thus, your organization must be diligent in protection. Spend the resources to keep tools up-to-date and prepared to detect readily identifiable attacks.
Lesson 2: Prompt, Prepared Response
Given the city’s success at addressing the attack, it is safe to assume they had a plan prescribing a course of action when such an attack was detected. Without a response plan, detection can set off chaos. Knowing what to do and in what order ensures that nothing is left to chance and that the response does not cause as much or more damage than the attack itself.
Another critical element in preparation is the concept that any plan that has not been simulated is essentially an educated guess. It is prudent to run simulations against probable attack vectors so that the team is able to determine if their plan is solid and sufficient. It also provides the team much needed practice. When an attack is detected, time is of the essence. Running simulations will help any team respond quickly and efficiently.
I was working in midtown Manhattan on September 11, 2001. I saw both of the towers fall. After several months had passed, a series of disaster recovery seminars began to pop up. In the midst of unspeakable tragedy, IT professionals were asked to implement disaster recovery plans across the city. If you could set aside the emotion of the event, the seminars on the lessons learned from the experience were incredibly instructive. A common thread among those who successfully met the challenge was that they had run simulations and rehearsals—a proven method which organizations should also apply to their cyberattack response plans today.
Lesson 3: Empowered Employees
It would appear that the team working the night shift (the event reportedly happened at 4:30 AM) felt empowered to carry out the incident response plan. They also did so in a timely enough way as to prevent significant damage to their systems. Referring back to the public statement, the team took down systems that were targeted in the attack, including the city’s main website. This goes to show that if you have a plan and the team has been trained, they need to also be empowered to implement the plan as in the case of Las Vegas.
This responsibility for empowering the team to respond falls squarely on management. If the team feels that management does not have their back if they take action, that hesitation may be the difference between a successful defense and a “devastating” outcome. This relates heavily to the previous two lessons: management must invest in the right detection tools and ensure they’re correctly put in place and must commit to preparing the team to respond. If they do those things well, then the last step is to trust the team by letting them know in no uncertain terms that they are empowered to act without threat of reprisal.
It comes down to mutual trust. This is where the notion of rehearsals and simulations comes into play. One way to build trust is to have the experience of working the plan to confirm that the plan is viable, and that the team is capable of making it work. This builds trust in the team on the plan, and trust of management that the team can implement the plan.
A Successful Defense
The city of Las Vegas’ success is a refreshing change of pace from the normal recounting of attacks and their aftermath. Just as there is value in diagnosing a successful attack, there is just as much value in addressing a successful defense. It would do every organization well to consider the lessons learned from this story and apply them to your own environment. After all, wouldn’t you rather see your organization’s name in a story of a successful defense rather than an inventory of what was lost in yet another successful attack?