{"id":20845,"date":"2023-07-06T16:00:00","date_gmt":"2023-07-06T15:00:00","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=20845"},"modified":"2023-07-06T12:52:38","modified_gmt":"2023-07-06T11:52:38","slug":"compromise-by-design-or-how-to-anticipate-a-destructive-cyber-attack","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2023\/07\/compromise-by-design-or-how-to-anticipate-a-destructive-cyber-attack\/","title":{"rendered":"\u00a0\u00ab\u202fCompromise by design\u202f\u00bb or how to anticipate a destructive cyber attack"},"content":{"rendered":"\n\n\n

Most <\/span><\/i>organisations<\/span><\/i> are still insufficiently prepared for a possible compromise of their Information System, leading to its destruction. Taking this risk into account right from the project design stage will enable them to significantly strengthen their resilience capabilities.<\/span><\/i>\u00a0<\/span><\/p>\n

\u00a0<\/span><\/p>\n

On 17 April, the <\/span>ANSSI<\/span><\/b> published the <\/span>first doctrinal documents<\/span><\/b> concerning <\/span>remediation<\/span><\/b>, which is defined as the project to regain control of a compromised information system. These documents are the fruit of the Agency’s experience in supporting victims of security incidents.<\/span>\u00a0<\/span><\/p>\n

This corpus consists of three sections: strategic section, an <\/span>organisational<\/span> section, and a technical section. Currently, the technical section focuses on the remediation of tier 0 of the Active Directory<\/span>1<\/span>, or core of trust. This section will be supplemented with <\/span>additional documents in the future<\/span><\/b> to enhance its content.\u00a0<\/span>\u00a0<\/span><\/p>\n

The approach proposed by ANSSI (E3R) is divided into 3 stages:<\/span>\u00a0<\/span><\/p>\n

    \n
  1. Containment<\/span> of the <\/span>attacker<\/span>\u00a0<\/span><\/li>\n
  2. Evicting the intruder from the heart of the IS<\/span>\u00a0<\/span><\/li>\n
  3. Eradicating<\/span> the <\/span>adversary’s<\/span> strongholds<\/span>\u00a0<\/span><\/li>\n<\/ol>\n

    These stages are illustrated by <\/span>3 typical remediation scenarios<\/span><\/b>, each with increasing ambition levels based on the <\/span>urgency of the restart<\/span><\/b> and the <\/span>costs incurred<\/span><\/b> by the long-term damage resulting from the attack:<\/span>\u00a0<\/span><\/p>\n

      \n
    1. Restore vital services as quickly as possible<\/span>\u00a0<\/span><\/li>\n
    2. Regain control of the IS<\/span>\u00a0<\/span><\/li>\n
    3. Seize the opportunity to prepare for long-term control of the IS<\/span>\u00a0<\/span><\/li>\n<\/ol>\n

      The publication of this corpus is a timely step in the <\/span>reflections and projects currently being carried out<\/span><\/b> by <\/span>many public and private players<\/span><\/b>, with a view to <\/span>strengthening their resilience<\/span><\/b> in the face of a <\/span>successful cyber-attack<\/span><\/b> that would compromise or <\/span>even destroy their Information System on a massive scale<\/span><\/b>.<\/span>\u00a0<\/span><\/p>\n

      In practice, the time required to establish a proven remediation system extends over several years for most players, rather than just months. This timeframe may be out of sync with the evolving threat landscape and the regulatory deadlines imposed on certain entities.\u00a0<\/span>\u00a0<\/span><\/p>\n

      There are several reasons for this, which vary from one player to another. <\/span>However, there are three key factors which contribute to this variation:\u00a0<\/span>\u00a0<\/span><\/p>\n

        \n
      1. Awareness of cyber risk is growing<\/span><\/b>; however, many <\/span>decision-makers<\/span><\/b> still <\/span>lack<\/span><\/b> adequate understanding. Balancing immediate priorities with long- term preparation in the face of potential compromises often leads to difficult decisions regarding the allocation of valuable human and financial resources.\u00a0<\/span>\u00a0<\/span><\/li>\n
      2. The interruption of an <\/span>organisation’s<\/span> activities following an IT disaster has historically been dealt with using <\/span>Disaster Recovery Plans<\/span><\/b>. Their advantages and limitations in terms of remediation are still poorly understood within <\/span>organisations<\/span>:<\/span>\u00a0<\/span>\n
          \n
        1. Depending on the recovery principles adopted, they may offer <\/span>advantages in terms of IS recovery sequencing know-how <\/span><\/b>(similar to an electrical shutdown\/restart), capabilities for unitary and grouped reconstruction, restored data <\/span>resynchronisation<\/span> and reconciliation, among others.<\/span><\/li>\n
        2. Remediation efforts can leverage this know-how, provided it has not been lost because of the adoption of new solutions (e.g., active\/active backup) or when a ‘debt’<\/span><\/b> in terms of maintaining operational conditions and <\/span>DRP exercises<\/span><\/b> has built up.<\/span>\u00a0<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n

          Nonetheless, these plans also have <\/span>significant limitations<\/span><\/b>. Their architecture relies on technical interconnections and data replication with backup infrastructures, which can inadvertently <\/span>propagate compromises<\/span><\/b>. Furthermore, while their relevance is proven in a deterministic context (where a given disaster corresponds to a given solution and plan), their effectiveness becomes much less certain when confronted with the diverse characteristics and possibilities of <\/span>evolving cyber attacks<\/span><\/b>\u00a0<\/span>\u00a0<\/span><\/p>\n

          This calls for a <\/span>hybrid approach<\/span><\/b> involving operational, <\/span>DRP and cyber resilience players<\/span><\/b>. This can be facilitated or hindered depending on the <\/span>governance<\/span><\/b> that has been put in place between these populations.<\/span>\u00a0<\/span><\/p>\n

          To <\/span>accelerate the necessary rise in maturity<\/span><\/b> of players on the subject of IS remediation following a cyber-attack, <\/span>several approach<\/span><\/b> can be considered. Outlined below are <\/span>four potential strategies<\/span><\/i>, and the subsequent information will provide a more detailed explanation and elaboration for each approach.<\/span>\u00a0<\/span><\/p>\n

            \n
          1. Helping decision-makers to understand the specific nature of cyber risk;<\/span>\u00a0<\/span><\/li>\n
          2. Anchoring “compromise by design” in everyday life;<\/span>\u00a0<\/span><\/li>\n
          3. Have several remedial options at your disposal;<\/span>\u00a0<\/span><\/li>\n
          4. Sharing and <\/span>capitalising<\/span> on feedback.<\/span>\u00a0<\/span><\/li>\n<\/ol>\n

            \"Is<\/span><\/p>\n

            \u00a0<\/span><\/p>\n

            Helping decision-makers understand the specific nature of cyber risk<\/span>\u00a0<\/span><\/h2>\n

            \u00a0The <\/span>vast majority of players<\/span><\/b> do not totally rule out the <\/span>possibility of being vulnerable<\/span><\/b> to a successful cyber-attack that would <\/span>paralyse<\/span> their activities through the <\/span>logical destruction of their IT assets<\/span><\/b>.<\/span>\u00a0<\/span><\/p>\n

            On the other hand, a significant proportion of players have not yet grasped the fact that their existing IT backup resources are <\/span>rarely adapted<\/span><\/b> to the specific characteristics of this type of attack. A cyber-attack can <\/span>jeopardise<\/span><\/b> the availability<\/span><\/b> and non-compromise of operating and administrative <\/span>resources<\/span><\/b>, right down to the <\/span>workstations of those involved in IS recovery<\/span><\/b>. The timeframe for remediating an Information System (IS) that has suffered extensive destruction due to a cyber-attack is typically considerably longer compared to the recovery time communicated to the business in the event of a physical disaster.<\/span>\u00a0<\/span><\/p>\n

            A number of players have not yet fully assessed the impact of the <\/span>cyber threat on their ecosystems<\/span><\/b>, for example:<\/span>\u00a0<\/span><\/p>\n