Lessons from the Winter Games: Pyeongchang, South Korea

The IR Global blog and newsletter highlighted the cyber efforts of its partner during the Winter Olympics in Pyeongchang, South Korea.  In the business landscape, the growing threat of cyberattack is a focus of IR Global for our members.  Much can be learned from cyberattacks at the Olympics, and IR Global partner eosedge Legal provides the following insights.

According to Doug DePeppe, Founder of eosedge Legal, “One reason we established an interdisciplinary cyberlaw and services practice group was to bundle services in the cyber vertical because integrating solutions has become so important with these sophisticated threat actors.”  During the Winter Games, a partner in the eosCyber Alliance, which is the network of providers offered by eosedge Legal, provided cyber threat intelligence and information sharing services to various commercial and government stakeholders.  This service was provided by Sports-ISAO, a program office of the Cyber Resilience Institute.  eosedge Legal also participated in these activities with Sports-ISAO.

The following lessons learned from the attacks in Korea are provided to IR Global members. 

  1. Security and IT vendors themselves have become targets of attack. This is likely because attackers have learned that attacking the supply chain or a central provider enables the attacker to multiply its success into new networks.  Atos, the official IT Integrator of the International Olympic Committee (IOC), architected an integrated private cloud – public cloud platform for Korea, intending to create an extensible service offering across IOC business operations and scalable for Olympics operations in host countries.  Attackers spotted this convergence point and succeeded in compromising Atos (Atos publicly acknowledged its compromise).

Next, during the malware attack on the Olympics Opening Ceremony – the Olympic Destroyer malware – researchers found that the malware’s design included the credentials of certain Atos staff.  Though still not definitively announced, many researchers believe that these credentials were obtained as part of the Atos compromise, which happened much earlier. 

Lessons Learned:  Cloud services and IT providers present a possibly new attack vector into their customers. 

Solutions:  Customers should review the terms of providers’ services and consider contract clauses that mitigate risk; consider the scope of insurance coverage; consider micro-cloud relationships that may offer greater options to negotiate terms of service. 

  2. The response of the organizing committee in Pyeongchang was immediate. The Olympic Destroyer was a “wiper” malware – meaning that it was designed to destroy data and operating system functionality.  It also had aggressive propagation properties.  Fortunately, detection and response actions during the Opening Ceremony were swift and decisive.  While systems were taken offline, propagation across networks to cause greater damage did not happen.

Lessons Learned:  Worst case scenario planning is not just for the Olympics.  Organizations should have their “Play Books” ready to go – namely Incident Response Plans.  Just like employee manuals, business continuity plans and the like, an Incident Response Plan has become a business imperative to address cyberattack. 

  3. The cost associated with business risk from cyberattack should also be analyzed.

Lessons Learned:  Insurance is a viable option, as part of Incident Response planning.  However, carriers do not blindly accept risk transfer these days; so insurance is usually coupled with security controls that prospective insureds must implement. 

  4. Part of the attacker’s modus operandi against Atos, once again, involved phishing. Hence, even with a sophisticated attacker (most believe the attacker at the Opening Ceremony was a state actor), the chink in the armor remains the human factor.  In this case, a global IT provider with sophisticated capabilities was undone by a staff member’s actions.  Most likely it was this:  a click on an email containing malicious code.

Lessons Learned:  Solving the human factor requires training, email security, and detection capabilities.  Moreover, management must get a better understanding of cyber risks.  Cyber risk is no longer just an IT problem.  Leaders need to be more informed about risks and methods for reducing risk.

  5. Sports-ISAO deployed a cyber threat intelligence and information sharing solution for the Games. As with the recommendation to be prepared via an Incident Response Plan, modern cyber preparedness includes instituting situational awareness.  Information sharing environments and solutions have become more and more common.

Lessons Learned:  Business organizations should look to improving situational awareness and incorporating commercial intelligence as ways to stay abreast of the dynamic attack landscape in the cyber domain.

IR Global and eosedge Legal are increasing the ability of members to inquire about and obtain cyber services.  The Lessons Learned noted in this information paper are areas of focus.  Please continue to monitor the IR Global site for service offerings, and contact IR Global for any specific needs.  More information about these lessons learned will be provided soon.