Squashing malware groups involves imposing steep costs on small ad hoc groups. But those actions are slowly ebbing in favor of going after much more organized actor groups acting in support of nation-state-aligned ideals. Doing that is slowly changing the face of the defenders, and making what were often solitary operators play nice together in order to achieve the goal of shutting down adversaries. Sort of.
Turns out it can be very hard to get international groups of security researchers, law enforcement, and other government agencies together to fight international threats. Amidst a sea of turf-building and varying perspectives on what the “most important threat” might be, various countries’ digital defenders are learning portions of the new threatscape at different speeds, as well as how to get along with the security industry's researchers in order to protect their own turf.
That requires working with others. And that requires understanding their cultures and methods. Which in turn requires that they have some ethics and methods.
Countries rarely prioritize the same things, and that is apparent in their defensive – and increasingly offensive – operations.
This means that businesses and organizations are unsure both of whom to call and when to do so once they have a breach, ransomware, or other badware event. Even if they know whom to call, they’re not sure what to provide, what they can legally provide, what can be done in the investigation, and who should do it.
From attorneys to cyber-insurance to law enforcement groups, it’s hard to know how the playbook should go. One thing is sure: if you have something bad happen, time is not your friend. The value of actionable data decreases quickly with time, while simultaneously your costs soar.
One law enforcement group at VB2023 suggested having a tabletop exercise within your organization to play out who should be involved, and at what stage. Law enforcement tends to want to be involved quickly, trying to stem the attack, capture data, and provide assistance. But almost as soon as they arrive, you will be talking to cyber-insurance people, and they attract attorneys. Attorneys slow things to a crawl, especially if they act counter to law enforcement, and often even if they don’t.
At what point during an attack should you call law enforcement? Do they know who you are? Do their local offices have the capacity to actually help you during an active event? Do you know what their rules of engagement are and what they can be expected to do if things go well? And what happens if they don’t?
One way to be proactive is to have these conversations before you get attacked. Trying to explain all the details of an active attack when you first get on the phone with law enforcement is a frenetic exercise at best, panic at worst.
But back to the international aspect. Attacks are typically global. That means local law enforcement is unlikely to be able to handle the brunt of the attack, unless you are fortunate enough to live in one of the areas where they A) can be reached, and B) know what to do.
Here at VB2023, there are exercises and conversations aimed at learning exactly that. From creating clearinghouses of people who may be able to help, like Europol’s new initiatives, to getting face to face with technical practitioners who have been very involved in real-world attacks, it’s a good time to test potential scenarios with each other without the pressure of an actual attack.
One of the valuable outcomes is knowing what the people you expect to help won’t or can’t do, preferably before an attack.
Speaking of digital armies of defenders, do you know who they are in your organization? Law enforcement and global organizations are often hopelessly overtaxed with defending vast swaths of organizations and governments, so if you can offload some tasks internally they will likely not just be grateful, but able to respond more effectively. You have a team, right? If you don’t, you’re not alone, but also not in a great place for weathering an attack. Maybe we should all start with our own armies.