By Matthias Maier, Security Evangelist, Splunk
It’s usually wrong to judge people by their names, but an organisation that calls itself “Snake” probably isn’t up to much good.
Citing unidentified security sources, DPA reported that Snake is the group suspected of carrying out a sophisticated and successful attack on the government’s computer network. As always, it’s difficult to be completely certain who exactly is behind a well-executed cyberattack, but this is believed to be connected with Russian intelligence, which has targeted government organisations in Ukraine, Europe and the US for most of the last decade.
What does this new attack tell us, other than confirming Russian hackers’ penchant for infantile names? The most important lesson is that no organisation is safe from a well-resourced and determined adversary – not even the government of one of the most developed nations on earth. If the German Interior ministry can’t protect themselves from hackers like Snake, then what?
Acknowledging the inevitability of a successful breach is the first step towards forming an effective response to cyberattacks. In the long run, what matters is how prepared an organisation is to detect, analyse and respond to an attack, when prevention techniques have failed.
Snakes and foxes
While it might help to give its operatives a sense of malevolent derring-do, “Snake” is a poor choice of name for a hacking collective. In most cases, serpents only attack when threatened – and only as a last resort. A more appropriate animal would be a fox, which returns again and again to a well-protected chicken coop, sniffing for weaknesses and probing the chicken wire for holes that it can creep through.
Foxes are both cunning and persistent, and practically impossible to guard against. What we must do is to study each successful intrusion, and learn how we can improve our defences, minimalise loss and in some cases, stop them at source.
What, then, can other organisations (and, indeed, the German government) learn from attacks like these?
Outfoxing the hackers
Organisations that find themselves in a similar position to the German government should immediately begin an investigation to find out how the attacker entered the network, where the weak point was, what systems or data was accessed, and how far the malware has spread.
This is no easy task – Snake’s attack is reported to have occurred in December, and it is still being investigated. This task is only possible if the organisation has collected and stored all log data from its entire digital ecosystem to put these pieces of the puzzle together – ideally in a centralised platform where it can be searched and analysed quickly by multiple stakeholders.
Clearly, having easy access to this information is crucial to understand what went wrong, what the damage was and fix the vulnerabilities that you uncover. But there are other important reasons for organisations to have a holistic view of their digital infrastructure and data. One of the most-neglected factors in a breach is the organisation’s communications strategy, and this depends on having as much accurate information to hand as soon as the organisation makes the hack public.
If an enterprise release erroneous or inaccurate information, it compounds the problems caused by the initial attack, making the organisation look incompetent. If, however, it takes too long to gather, verify and release information, organisations create a news vacuum that leads to speculation, which only leads to greater mistrust and loss of confidence. This, in fact, is one of the key goals of groups like Snake – to delegitimise national institutions such as governments, to spread fear, doubt and distrust, and so to undermine the very fabric of a nation’s democracy.
The attack on the German government provided us with other lessons, too. For example, their response showed the importance of developing collective security intelligence, where organisations share information with each other about potential attacks and threats. In this instance, the page first hacked belonged to an eLearning website. The attackers used this to gain access to the government digital ecosystem.
Organisations cannot face these threats alone, but rather cultivate a connected security network with their partners, which includes facilities to communicate on new threats as soon as they appear. This ecosystem will also be crucial in pulling together the historic data required (often stretching back years) for understanding a breach, where information on past interactions with other organisations can be so helpful in understanding how the attack developed.
Above all, any organisation that has suffered a breach is to use the experience as an opportunity. Of course, they should focus their immediate efforts on identifying, isolating and removing the intruder – but they should also learn from the attack. By having full oversight of their historic and real-time data, organisations can much better understand how the fox (or, if you like, the snake) has slipped through the wire, and so learn how to fix the fence more securely against future attacks.
