Companies frequently call me to assist them after they've suffered a big hack. Often, the company turns out to be a major corporation, with the hack resulting in a big leak of customer information -- which may even surface in news cycles for a week or two. Usually, several security teams are involved, but everyone's goal is to make the company more secure and reduce the risk of another, similar compromise.
I always ask, "How did the hack occur?" I'm astounded by how few of the project team members know and how many hacked companies don't want to share the answer. I'm here to tell you that secrets don't help defenses. How can anyone really help you reduce risk if your biggest risks are unknown?
In an earlier life, I was an EMT paramedic. Every good emergency care provider learns to ask the patient what's wrong or what hurts -- even when the illness or injury appears obvious. For example, I once arrived on a scene where a 17-year-old had driven her car into a stationary vehicle. She was sitting in the front seat with her legs dangling out of the open driver's door. As I walked up, I could see a fractured femur sticking up through her jeans.
Still, I asked her the question, "Where does it hurt?"
A few of the firemen behind me laughed, and one said, "I can tell where it hurts!" Actually, I too fully expected her to say that her leg hurt, but she didn't. Instead, she said, "My stomach hurts." With that, I got her into the ambulance as quickly as possible without spending a lot of time splinting the leg and started an IV. I told the ambulance driver to hurry.
She began to cough up copious amounts of blood. Her blood pressure dropped and she became unconscious, due to internal tears and bleeding. They were able to save her life, thanks to the early IV, a fast trip to the hospital, and emergency surgery.
Even though you think you know the answer, asking the obvious question is key to saving the patient. The same applies to cyber forensics and defense: I can't do my job to the best of my abilities if I don't know what hurts the patient the most.
Most companies are compromised because of unpatched software or social engineering. Yet you'd be surprised how many of these same companies focus on other factors, spending most of their energy and money installing better event monitoring tools, hardening computers, deploying better firewalls, and adding stronger authentication.
When I ask if any of these actions would have prevented the hackers from breaking in, the question is often met with stony silence -- for good reason. Those measures would not have helped.
Unfortunately, more often than not I have no way of knowing which countermeasures will or won't work, because the company wants to keep the details of the hack a secret. Usually, they tell only a small, select group of people. Everyone else is on a need-to-know basis, with the presumption that they don't need to know.
I'm not sure why this attitude is so prevalent in companies that have been hacked, but I suspect it's an attempt to limit public outcry and to keep the details from reaching other potential hackers. I get that; it's a laudable goal. But when the people trying to help you don't know the biggest problems, they can't assist you beyond a certain point.
If I don't know the reasons why a company was hacked, the best I can do is look at all the risks, take my best guess as to what the biggest risks are, and ask the company to fix them. But I have no way of knowing if my recommendations will help repair the vulnerabilities that were exploited.
Sometimes such secrecy is so pervasive that even the people supposedly in the know don't really know. I was at one company that recently discovered it had been hacked, but no one had the authority to tell me how the hackers did it. I asked to the point of annoyance. I was eventually referred to the CIO, and although he was resistant to sharing, he eventually relented and said I could talk to two of his project heads and learn the details.
I talked to them individually and got two wildly different stories.
The first guy I interviewed said the hackers were run of the mill. They did nothing to differentiate themselves from every other hacker group he had ever read about. The second guy, the head of computer security, said these were incredibly sophisticated hackers, using techniques he'd never heard of before. He said they moved about and did things without making a mistake. He said they typed in long, complicated directory names like they did it every day. He said it was obvious that they had been in the system for years.
Two people with a supposedly common set of facts were living in totally different realities. How can you most efficiently address the threat if you can't agree on what the threat is? This company was keeping a secret from itself.
I'm sharing these personal stories for a nonpersonal reason. If you're trying your best to recover from a big hack, refusing to share information isn't helping you. More likely, it's hurting your recovery and future defense. Conversely, if you're asked to participate in a project to reduce the risk of malicious hacking after the fact, make sure your first question is, "How did the company get hacked?" The answer quite often makes all the difference.