E4 - Storms on the Horizon - Technical Dialogue

Jan 19, 2016 | by RSA

On the surface, the Kingdom appears generally calm and safe in Episode #4 of Defend the Kingdom "Storms on the Horizon". The massive siege from Episode #3 "Hordes at the Gate" has been survived, the alliance with the new trade partner is showing real promise and the Hunter is focused on the mundane task of reviewing the security logs. However, under that serene surface, a real threat boils as the Guild's deadly Siren gathers more and more information. She eventually ends up leaving the Kingdom, but not before she has gathered credentials that allow full access to many of the Kingdom's most valuable resources. The episode concludes with the meeting of the Kingdom's Council, unaware of the growing threat, and the corresponding assembly of the Guild as it unveils its collaboration with Natiostatia, the Kingdom's mortal enemy.

Much of Episode #4 highlights one of the growing risks companies face today as more and more organizations build relationships with outside parties. Third Party Risk is one of the most pressing topics as complex supply chains, intricate business relationships and outsourced service providers become cornerstones of business strategies. Relationships with third parties have both positive and negative effects. On the positive side, new markets, innovative products and services or improved performance open up as an organization takes advantage of an ecosystem of business partners. However, risks such as compliance, security and resiliency are all shared through reliance on third parties.

Throughout the episode, various elements of managing risks with third parties are addressed:

  • Financial Viability - Third parties must be vetted for both the financial benefits offered to the organization as well as the strength and viability of the external party to remain a positive contributor to the business strategy.
  • 4th Parties - All companies utilize some external parties. Therefore, as one relationship is built, connections to other parties are inherited simply due to the complex web of business services. A risk could be two, three or four contracts away as one follows the maze of vendors.
  • Contract/Engagement agreements - Each interaction with an external party represents a set of unique risks. Therefore, as the relationships between companies grow, the process of cataloging and assessing risks must be an ongoing, active part of the risk management framework.
  • Security practices and assessments - Episode #4 focuses on both the assessment of security capabilities and the collaboration between the security teams. The business relationship has to flow down to the operational parts of the organization such that the parties work together to manage risk.

Episode #4 also touches on several more core risk management and security principles:

  • The Siren gets information from the Guard (administrator) via social engineering. This scene illustrates the risk when social engineering and privileged users meet. The Siren is able to steal credentials, which lead to more access, which leads to more credentials, in a vicious cycle until she effectively has the keys to the Kingdom.
  • Communication and threat intelligence sharing between organizations is critical today. In the episode, the vNextGen team shares information with Marty about administrative tool usage, and Marty shares bad IP addresses from earlier attacks. This communication is critical and, within the story, leads to the Hunter identifying a possible low and slow threat.
  • The story implies the use of privileged credentials by the Siren to stay under the radar and bypass security simply by acting like an authorized user. This story line is intended to parallel the fact that many hacking incidents are executed with administrative and common tools in order to stay clandestine.
  • The last portion of the story introduces the King's Council as they review the full risk of the new alliance/business partner. It is important to note that all aspects of risk management are part of this discussion. The King's Council, through the characters, is meant to illustrate the entire spectrum of important personas managing risk:
    • Vendor Relationship (the Trade Master),
    • Security (the Wizard),
    • Compliance (the Governess),
    • Finance (the Jewel Keeper),
    • Resiliency (the Eye of the Storm),
    • Technology (Master Craftsman),
    • and Audit (the Inspector).
    • The Advisor, representing the Chief Risk Officer, along with the rest of the council pulls together the recommendations to the King.
  • Finally, the meeting of the Guild illustrates how organized cyber criminals can be as they plot attacks against companies. Attacks today are no longer the work of lone attackers seeking reputational credit; many of them are coordinated with specific goals in mind. In the story, Natiostatia, representing a rival Kingdom, is introduced, highlighting the fact that criminal activity could be part of a much more insidious attempt to undermine a company's strategic plans.

Some final recommendations:

  1. Vendor risk management is a critical component of your business strategy and should be a coordinated discipline within your organization. The effectiveness of this program hinges on a multi-disciplinary approach to ensure risks - both positive and negative - are managed appropriately.
  2. Social engineering - especially when related to privileged users - is a real threat. The volume of information available on employees through social sites such as Facebook and LinkedIn is considerable. Education is key to combating this all too common attack vector.
  3. Common administrative tools can be used to manage your network and systems. They can also be used to bypass certain levels of security when coupled with compromised privileged accounts. Ensure your security monitoring includes an analysis of what tools are being used and can identify unusual uses of these tools.
  4. Build a collaborative environment with your risk and security counterparts at key business partners to share threat and risk intelligence. These partners should be viewed as excellent sources of front line intelligence and knowing who is on the other side of the fence will come in handy if there ever is an issue.
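One way to implement the tool-usage monitoring in point 3 together with the partner-supplied intelligence in point 4, as an added example that is not RSA's code: learn a per-account baseline of tools, source addresses and target hosts from a quiet period, then flag later activity that departs from it or touches an address a partner has reported. All records, account names and addresses below are constructed for illustration.

```python
from collections import defaultdict

# Constructed audit records: (day, user, tool, source_ip, target_host).
BASELINE_LOG = [  # quiet period used to learn normal behaviour
    (1, "guard", "rdp", "10.0.0.5", "vault01"),
    (2, "guard", "rdp", "10.0.0.5", "vault01"),
    (3, "guard", "remote-exec", "10.0.0.5", "gate01"),
    (4, "wizard", "ssh", "10.0.0.9", "tower01"),
]
RECENT_LOG = [  # period under review
    (8, "guard", "rdp", "10.0.0.5", "vault01"),              # routine
    (9, "guard", "remote-exec", "203.0.113.7", "gate01"),    # new source, on partner's bad list
    (10, "guard", "config-mgmt", "10.0.0.5", "treasury01"),  # new tool and new host
    (11, "guard", "rdp", "10.0.0.5", "archive01"),           # new host only
    (12, "wizard", "ssh", "10.0.0.9", "tower01"),            # routine
    (13, "guard", "rdp", "10.0.0.5", "mint01"),              # third new host: footprint widening
]
# Constructed indicators shared by a partner team, as Marty does in the episode.
SHARED_BAD_IPS = {"203.0.113.7"}

def build_baseline(records):
    """Per user: tools, source IPs and target hosts seen during the quiet period."""
    profile = defaultdict(lambda: {"tools": set(), "ips": set(), "hosts": set()})
    for _, user, tool, ip, host in records:
        profile[user]["tools"].add(tool)
        profile[user]["ips"].add(ip)
        profile[user]["hosts"].add(host)
    return profile

def find_anomalies(records, profile, bad_ips, new_host_limit=2):
    """Return (day, user, tool, reasons) for records that depart from the baseline;
    an account reaching more than new_host_limit unseen hosts is 'low-and-slow'."""
    findings, new_hosts = [], defaultdict(set)
    for day, user, tool, ip, host in records:
        seen = profile[user]  # defaultdict: an unknown account gets an empty profile
        reasons = []
        if tool not in seen["tools"]:
            reasons.append("new-tool")
        if ip not in seen["ips"]:
            reasons.append("new-source")
        if ip in bad_ips:
            reasons.append("shared-bad-ip")
        if host not in seen["hosts"]:
            new_hosts[user].add(host)
            reasons.append("new-host")
        if len(new_hosts[user]) > new_host_limit:
            reasons.append("low-and-slow")
        if reasons:
            findings.append((day, user, tool, tuple(reasons)))
    return findings
```

The single day-9 record is caught both by the baseline (new source address) and by the shared indicator, while the day-13 record is only notable because of the steadily widening set of hosts, which is the pattern a per-event rule would miss.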

Author: RSA

Category: Research and Innovation

Keywords: Advanced Persistent Threats, Advanced Threats, Cloud Security, Enterprise Security, Phishing, Risk & Compliance (GRC), Risk Management, Security Short Stories, Social Engineering, Third Party Risk