As the simulated cybersecurity attack concluded Tuesday at Columbus State University, one of the facilitators summed up the real-world challenge for the good guys against the bad guys in these computer confrontations:
“We have to be right every time; they have to be right only one time,” said Dee Spivey, CSU’s chief information security officer.
Approximately 60 people attended the morning session that featured four speakers: Stanton Gatewood, chief information security officer for the Georgia Technology Authority; Tera Ladner, director of information governance for Aflac; Stephen McCamy, threat management consultant for Aflac; and an agent from the FBI’s field office in Atlanta.
Three dozen participants — mostly information technology and security professionals, plus some students — were in the 90-minute afternoon simulation.
Collaboration from local companies such as Aflac and TSYS and other universities such as Fort Valley State and Clayton State made this inaugural event, hosted by the Columbus chapter of the Technology Association of Georgia, “a huge, huge success,” Spivey told the Ledger-Enquirer.
Spivey also praised the simulation’s participants.
“Answering the questions and collaborating among themselves, I just think they did really, really well,” he said. “We stayed on time. We didn’t have those lulls you sometimes have. They stuck to the narrative. There wasn’t any arguing. Everybody took it in good faith, and we had some really, really good people that had a lot of information.”
The participants were divided into seven teams, each with a different job description: vice president for human resources, chief executive officer, chief information security officer, chief legal counsel, security operations director, public relations director and vice president for infrastructure.
They were tasked with responding to the following scenario:
A company named Acme receives a call from a Georgia Bureau of Investigation agent who says one of the company’s files was posted last night on the Darknet, where malicious users send and receive files anonymously. The file is related to a GBI case that Acme’s legal department was assisting. The filename is BatmanvSuperman.txt. No other information is available.
In this tabletop exercise, the participants answered questions from Spivey that required them to say how they would respond and what the next steps should be.
Initial suggestions included verifying that the call from the GBI is legitimate and informing only those in the company who need to know.
“The tighter you keep that loop, the less chance of leaks and bad publicity,” a participant said.
The scenario continued:
The incident response and legal teams meet to discuss the GBI call. A scan of the file server shows the file is still on the Acme network and has been accessed by only the chief legal counsel, Donald Johansson, and another user, Bruce Wayne. Johansson is the only person authorized to read, edit or modify the file. Johansson has been on vacation for the past two weeks. Nobody on the incident response or legal teams knows anybody in the company named Bruce Wayne.
Spivey asked the participants what other information they need to know and what their next steps should be. Their responses included: determine whether Wayne is an employee; determine whether this is an external attacker who created an account on the company’s network or an internal attacker who created a dummy account; examine the computer activity of Johansson.
The scenario continued:
At the morning status meeting, Acme’s tech team updates management on its findings. Johansson has been accessing the file regularly since it was created a few months ago. Wayne started accessing the file a few days ago, and his account was created a few minutes before he first accessed the file.
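The timing clue in the scenario (an account created minutes before it first touched a sensitive file, with no matching HR record) is the kind of correlation a security operations team can automate rather than discover in a status meeting. The following Python is an added example, not part of the article or the exercise; the audit records, user names, HR roster and 15-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit records (not from the article): when each account
# was created, and every access to the sensitive file in the scenario.
ACCOUNT_CREATED = [
    ("djohansson", "2016-06-01T09:00:00"),
    ("bwayne", "2016-10-10T14:02:00"),
]
FILE_ACCESS = [
    ("djohansson", "BatmanvSuperman.txt", "2016-09-28T10:15:00"),
    ("djohansson", "BatmanvSuperman.txt", "2016-09-29T11:40:00"),
    ("bwayne", "BatmanvSuperman.txt", "2016-10-10T14:05:00"),
    ("bwayne", "BatmanvSuperman.txt", "2016-10-12T08:30:00"),
]
HR_ROSTER = {"djohansson"}                      # assumed list of real employees
AUTHORIZED = {"BatmanvSuperman.txt": {"djohansson"}}  # who may read the file

def _ts(s):
    return datetime.fromisoformat(s)

def flag_suspicious_access(creations, accesses, roster, authorized, window_minutes=15):
    """Return (user, file, reasons) for first-time accesses worth escalating."""
    created = {u: _ts(t) for u, t in creations}
    first_access = {}
    for user, fname, t in accesses:       # keep only each user's earliest access
        key, ts = (user, fname), _ts(t)
        if key not in first_access or ts < first_access[key]:
            first_access[key] = ts
    findings = []
    for (user, fname), ts in sorted(first_access.items(), key=lambda kv: kv[1]):
        reasons = []
        if user not in authorized.get(fname, set()):
            reasons.append("not authorized for file")
        if user not in roster:
            reasons.append("no HR record for account")
        c = created.get(user)
        if c is not None and timedelta(0) <= ts - c <= timedelta(minutes=window_minutes):
            mins = int((ts - c).total_seconds() // 60)
            reasons.append(f"first access {mins} min after account creation")
        if reasons:
            findings.append((user, fname, reasons))
    return findings

if __name__ == "__main__":
    for user, fname, reasons in flag_suspicious_access(
            ACCOUNT_CREATED, FILE_ACCESS, HR_ROSTER, AUTHORIZED):
        print(f"ESCALATE {user} -> {fname}: {'; '.join(reasons)}")
```

In the constructed data only the Wayne account is flagged, on all three grounds; Johansson's long-standing, authorized access produces no finding, which matches the exercise's eventual conclusion that he was a victim rather than the actor.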
“We’re clearly thinking this is a rogue actor now,” a participant said.
Spivey countered, “I don’t think we can actually rule out Mr. Johansson. Could there be a double identity here?”
The scenario continued:
At the afternoon status meeting, forensic analysis shows malware infected Johansson’s computer two days before he went on vacation.
Johansson doesn’t appear to be a suspect anymore, Spivey said, just a victim. But the question remains: Where is the company’s vulnerability?
A participant suggested that if Johansson’s antivirus software were functioning properly, the problem could be simply “user training, not clicking on suspicious emails.”
Spivey noted CSU has professors who travel all over the world, “and we need to do a better job” of scanning possibly infected laptops when they return.
At the end of the simulation, Spivey revealed the story behind the scenario: Johansson mistakenly opened an infected PDF file in an email that looked like it came from another department in his company. It was disguised as a legitimate case the legal department had been working on, including the case number.
“Once he clicked on it, it started installing on the registry inside his machine and downloaded that malware without him even realizing it,” Spivey said. “It took that file and sent it to four IP addresses that were out on the Internet, where threat actors were hiding behind those IPs that were untraceable.”
The event, part of National Cybersecurity Awareness Month, is another example of CSU’s increasing recognition as a source for cybersecurity education. Last year, the National Security Agency and the U.S. Department of Homeland Security designated CSU as a Center of Excellence in Cyber Defense Education. Also last year, Columbus-based credit card and electronic payment processor TSYS donated $4.5 million to CSU to establish the TSYS Cybersecurity Center and Endowment in the TSYS School of Computer Science at CSU’s Turner College of Business.
Navy Adm. Michael Rogers, director of the National Security Agency and commander of the U.S. Cyber Command, spoke at Columbus State last week.