Imagine a cyberattack story in which no data was exfiltrated, no credit card accounts were stolen by the thousands or millions, and no data was corrupted or lost. That uncommon story recently became reality. There is as much value in reviewing an attack that was thwarted as there is in dissecting a high-profile breach.
On January 7, 2020, it was reported that the City of Las Vegas had successfully fended off a cyberattack. Few details were made public, but the local press reported that the attack arrived by email, most likely as a phishing message or a direct ransomware delivery. Many read the word "devastating" in the city's statement as a reference to ransomware. Given that several U.S. cities have suffered ransomware attacks that disrupted critical systems and cost millions of dollars to recover from, that is a reasonable inference, though the city did not confirm it.
According to the published stories, the security tools put in place by the IT security team recognized the attack, and steps were taken to prevent impact to city systems and sensitive data. Apart from some downtime for the city's website and various other systems, which the city deliberately took offline as part of its response, it appears to have escaped any lasting consequences.
Digging into this incident yields three lessons that may seem obvious but are key to detecting and responding to cyberattacks:
They were diligent in detection
They had the tools in place to monitor their systems and detect the attack. It goes without saying that no organization can respond effectively to an attack it is not aware of. But tools alone are not enough: they had to be properly installed and configured, kept current with recent attack signatures and indicators, and their alerts had to be routed to people who were actually watching and could initiate a response. An alert that lands in an unread mailbox or an unmonitored dashboard is no better than no alert at all.
They were prepared to respond
Given the city's success at containing the attack, it is safe to assume they had a plan prescribing a course of action for when such an attack was detected. Again, this sounds obvious, but without a response plan, detection can set off chaos. Knowing what to do, and in what order, ensures that nothing is left to chance and that the response itself does not cause as much damage as the attack, or more.
It is also important to note that any plan that has not been exercised is essentially an educated guess. It is prudent to run simulations, whether tabletop exercises or live drills, against the attack vectors most likely to hit the organization. This lets the team find out whether the plan is sound and sufficient before a real incident does, and gives them much-needed practice. When an attack is detected, time is of the essence, and teams that have rehearsed respond more quickly and with fewer missteps.
They empowered their people
The team on the night shift (the event reportedly occurred at 4:30 AM) felt empowered to take the steps prescribed by the plan and did so quickly enough to prevent significant damage. The city's statement said they took down the systems targeted by the attack, including the city's main website. Any delay spent waiting for management approval before acting can mean the difference between success and failure. If you have a plan and the team has been trained on it, the team must also have the authority to execute it. This falls squarely on management: it requires a commitment to build the response plan, train the team on it, and then explicitly delegate the authority to act on it, including the authority to take production systems offline, without waiting for sign-off in the middle of the night.
Summing it up
The City of Las Vegas' cyberattack success story was a refreshing change of pace from the usual recounting of attacks and their aftermath. Just as there is value in diagnosing a successful attack, there is value in examining a successful defense. Every organization would do well to consider the lessons from this story and apply them to its own environment. After all, wouldn't you rather see your organization's name in a story about a successful defense than in an inventory of what was lost in yet another successful attack?
This is a Security Bloggers Network syndicated blog from Security – TechSpective authored by Jim Ivers. Read the original post at: https://techspective.net/2020/01/31/gleaning-lessons-from-las-vegas-thwarted-cyberattack/