The evolution of incident response

The general notion regarding the origin of hacking is that it started in the 1960s, around the time of the invention of modern computers and operating systems. To disprove this notion, let's next briefly explore the history of data breaches, to develop an idea of the context behind the modern attack environment.

The history of data breaches

Data interception associated with hacking activities goes as far back as 1836, when two persons were caught intercepting data transmissions in a criminal manner.

During the last decade of the 1700s, France implemented a national data network, which was one of a kind at the time, to transfer data between Paris and Bordeaux. It was built on top of a mechanical telegraph system, which was a network of physical towers. Each tower was equipped with a unique system of movable arms. The tower operators would use different combinations of these arms to form numbers and characters that could be read from a similar distant tower using a telescope. This combination of numbers and characters was relayed from tower to tower until it reached the other city. As a result, the government achieved a much more efficient, speedier mechanism of transferring data.

Interestingly, all this happened in the open. Even though the combinations were encrypted, and would've required an experienced telegraph operator to decode the message at the far end to bring up the original message, the risks were just around the corner. This operation was observed by two bankers, Francois and Joseph Blanc. They used to trade government bonds at the exchange in Bordeaux, and it was they who figured out a method to poison the data transfer and obtain an indicator of current market status, by bribing the telegraph operators. Usually, it took several days before the information related to bond performance reached Bordeaux by mail. Now, they had an advantage to get that same information well before the exchange in Bordeaux received it.

In a normal transmission, the operator included a backspace symbol to indicate to the other operator that they needed to avoid the previous character and consider it a mistake. The bankers paid one of the operators to include a deliberate mistake with a predefined character, to indicate the previous day's exchange performance, so that they could assume the market movement and plan to buy or sell bonds. This additional character did not affect the original message sent by the government, because it was indicated to be ignored by the receiving telegraph operator. But this extra character would be observed by another former telegraph operator who was paid by the bankers to decode it by observing through a telescope.

Using this unique information related to market movement, the Blanc brothers had an advantage over the market for two years, until they were caught in 1836. The modern equivalent of this attack would perhaps be data poisoning, a man-in-the middle attack, misuse of a network, or social engineering. However, the striking similarity is that these attacks often go unnoticed for days or years before they get caught. Unfortunately, the Blanc brothers could not be convicted as there were no laws under which they could be prosecuted at that time. Maybe the Blanc brothers' hack was not so innovative compared to today's cyber-attacks, but it does indicate that data has always been at risk. And, with the digitization of data in all shapes and forms, operations, and transport mechanisms (networks), the attack surface is huge now. It is now the responsibility of the organization and individuals to keep the data, network, and computer infrastructure safe.

Let's fast-forward another 150 years, to 1988. This is when the world witnessed the first-ever computer virus—the Morris worm. Even though the creator of the worm, Robert Tappan Morris, denied the allegation that it was intended to cause harm to computers, it did, indeed, affect millions of them. With the intention of measuring the vastness of the cyber world, Morris wrote an experimental program that was self-replicating and hopped from one computer to another on its own.

It was injected into the internet by Morris, but, to his surprise, this so-called worm spread at a much faster rate than he would have imagined. Within the next 24 hours, at least 10% of internet-connected machines were affected. This was then targeted to the Advanced Research Projects Agency Network (ARPANET), and some reports suggested that the number of connected computers at the time was around 60,000. The worm exploited a flaw in the Unix email program Sendmail, and a bug in the finger daemon (fingerd). Morris' worm infected many sites, including universities, military organizations, and other research facilities. It took a team of programmers from various US universities working non-stop for hours to reach a solution. It took a few more days still to get back to a normal state. A few years later, in 1990, Morris was convicted by the court for violating the Computer Fraud and Abuse Act; unlike at the time of the Blanc brothers, when there was no law to prosecute, Morris was criminally liable.

Moving forward another two decades to 2010, when the world saw what it never imagined could happen in Stuxnet: an extremely coordinated effort to create a specifically crafted piece of software, which was purpose-built to target the Iranian nuclear facility. It targeted Industrial Control Systems (ICSes). This was designed only to target a specific brand and make of Siemens ICS, which manages the speed of centrifuges in a nuclear facility. It is presumed that it was designed to deliver onsite because the Iranian facility that it was targeting was air-gapped.

This was one-of-a-kind industrial cyber sabotage. The malware was purpose-built so that it would never leave the facility of the nuclear plant. However, somehow (there is still speculation as to how), it still made its way out to the internet. It took researchers many months after its discovery to figure out the working principle of the malware. It's speculated that it took at least a few years to develop it to a fully functional working model. Since Stuxnet, we have witnessed many similar attack patterns in the form of Duqu and Flame, and it's believed by some experts in this field that malware similar to these are still active.

Currently, we are seeing new variants of attack with new modus operandi. Their intent is to earn money by using ransomware or to steal data in order to sell or destroy it. Ransomware attackers use computer viruses to infect a computer, encrypting and locking information in the computer. They then ask for a ransom from the owners to regain access to their computers. Alternatively, attackers might use victims' infrastructure to run crypto miner malware to mine cryptocurrencies.

Today, security has taken center stage, not only because the attack surface has increased for each entity, or the number of successful high-profile and mass attacks is more normalized, but because of the fact that each one of us knows that the need to secure data is paramount, irrespective of whether you are a target or not.

Modern cybersecurity evolution

Compared just with the last decade or so, the cybersecurity landscape has evolved as threats have become more sophisticated. Not only organizations but more and more individual devices are connected to the internet. While beneficial technological progress has been happening, attacks have also evolved, as illustrated in the following diagram:

Figure 2.1: Evolution of attacks

Considering the past couple of decades since 2000, Script Kiddies were initially the main culprits, and their main motivation was "mischief." Script kiddies are unskilled persons who use attack scripts developed by other people in attacks. They were a significant threat in the early and mid-2000s due to the increased access to personal computing, low levels of security capabilities in early computers, and access to scripts written by expert hackers.

In comparison, today we see that Organized Crime is getting more and more sophisticated and their Fraud and Theft capabilities are increasing. A good example of the damage more organized attacks can inflict is the 2017 WannaCry ransomware attack, which exploited a zero-day vulnerability in Microsoft Windows and affected 150 countries, extorting victims for decryption keys. While in the 2000s a single script could've been used by multiple script kiddies until it became widely known or obsolete due to patches, currently attackers can use zero-day vulnerabilities and use them to attack systems while there are no known defenses.

The activities of Nations and Terror Groups can cause serious financial damage, as well as a negative brand reputation for affected organizations. Nation-state attackers are usually sponsored by governments and they target other government agencies or critical infrastructure as well as any key industries known to contain sensitive data or intellectual property. Nation-state attackers are well known to strike via sophisticated techniques, one of the most well-known attacks being the Stuxnet attack on an Iranian nuclear plant.

It's really important to understand the attackers and think like them to be able to create a proper IR plan. As the famous general Sun Tzu said in his book The Art of War: to win a war, we need to know the enemy, ourselves, and the attack ground. To learn more about possible attackers, it is highly recommended to read intelligence reports from security vendors such as Microsoft or Comodo, or from providers like Verizon, which can give a more detailed perspective on the current security landscape. Verizon Data Breach Report 2019 is based on a detailed analysis of 41,686 security incidents, including 2,013 confirmed data breaches. Some statistics of who was behind the recorded cyber-attacks are as follows:

• 69% involved outside actors
• 34% involved internal actors
• 2% involved partners
• 5% featured multiple parties
• 39% of breaches involved organized criminal groups
• 23% involved nation-state or state-affiliated actors

When we look at the threat actors' actions, we see the following trends:

• 52% of breaches involved hacking
• 33% included social attacks
• 28% involved malware
• 21% of breaches involved human error
• 15% involved misuse by authorized users
• 4% of breaches involved physical actions

The report also highlights that the victims were:

• 16% public sector entities
• 15% healthcare organizations
• 10% financial organizations
• 43% small businesses

As you can see from the preceding figures, the increase in technology has resulted in an increase in attacks exploiting this progress. To be able to deal with these complex attacks, which can affect organizations of any size, it's important to develop capable IR teams, which we will cover in Chapter 3, How to Organize an Incident Response Team.

Furthermore, to combat this evolution of attacks, enforced structured change in IR has been, and continues to be, necessary in conjunction with the evolution of the threat landscape. It's important to highlight that the threat landscape will continue to evolve, but the basics of IR will develop around the same framework: identify, contain, eradicate, and recover. IR processes have evolved in some ways, though. In the past, cybersecurity professionals were often seen as security guards at the gate, responsible for protecting corporate data and preventing cyber-criminals from gaining access to enterprise systems. This largely involved maintaining a "perimeter defense" and dealing with attacks as they came.

However, enterprises in recent years have started to use cloud services and bring-your-own-mobile-device policies, which operate outside the corporate network. This has shattered the perimeter defense concept and forced the security team to spend most of its time searching for threats that have already penetrated the organizational walls. Thus, today, when confronted with a breach, as well as taking a more proactive approach (more on this in Chapter 3, How to Organize an Incident Response Team), more and more enterprises are aware of the importance of Digital Forensics Incident Response (DFIR) strategies. These specialist investigation techniques are used to more effectively hunt for more sophisticated malicious entities hiding in the infrastructure, as well as providing the right tools to detect and remediate compromises as soon as possible.

Despite some progress in this area, the following statistics from IBM show us why we need to continue to invest in and evolve our IR processes; the cost of a breach, on average, is astronomical, as shown by IBM's analysis in Figure 2.2. Please keep in mind that 2020 was a more extraordinary year, where organizations needed to deal with the COVID-19 pandemic alongside normal security protocols:

Figure 2.2: IBM cost of data breach statistics

Now, you can review the IBM statistics in the following figure, and compare them to the costs detailed in the breach report in Figure 2.2:

Figure 2.3: IBM security statistics highlighting IR value

Clearly, by investing in this book and learning IR, you are on the right path for yourself and your organization.

As you have learned by now, due to the continued evolution of attackers' techniques and methods, it is no longer a question of whether you will experience an incident, but rather when. Moving forward, readers are encouraged to communicate this to senior management since IR requires approval and input from every business unit. In the next section, we'll take a look at how IR imposes some challenges on the teams tasked with the process.