How IBM X-Force IRIS Prepared for the Ukraine Election

You may not have been aware there was a presidential election in Ukraine last Sunday, but all eyes in the cybersecurity and intelligence communities were keenly focused on this event. In the past few years, cyberattacks targeting elections in democratic countries, including the U.S., have become increasingly disruptive. And in the past few months, international observers have seen disinformation campaigns attempting to influence the outcome of the Ukraine election.

Leading up to the election, the IBM X-Force Incident Response and Intelligence Services (IRIS) team had been preparing to observe and analyze possible attempts of foreign interference in the election. Although it appears that a major cyber disaster was averted, we were ready for the worst.

After the cascading damage of the NotPetya attack in 2017 — which originally targeted Ukraine before hitting organizations and users in dozens of countries, at an estimated cost of up to $10 billion, according to Wired — we recognize that the risk of a major cyberattack on Ukraine could be the bleed-over to the rest of the world. IBM Security has many clients, including some of the largest financial and logistics companies, that need to be resilient in an attack or face potential damages in the millions or hundreds of millions of dollars. We needed to prepare a response to go at a moment’s notice.

Well in advance of the first round of the Ukraine election in March, we decided that we couldn’t afford to sit on our heels until an attack was launched. We began to operationalize a plan for responding to anything that we could conceive of happening before or after the election event. I ordered the creation of an incident command center team, comprised of top experts across the IBM company, that was on alert and could be stood up immediately if needed. This team operated outside of the traditional organizational structure.

Now that we have moved from an alert posture back to a normal readiness stance, I can share a little bit from behind the scenes about how we prepared. I’ll also describe what organizations can do to evolve their security posture from a reactive stance to a more proactive and predictive security posture.

Learning From NotPetya

In June 2017, in the aftermath of the destructive NotPetya attack, the X-Force IRIS team was put to the biggest stress test we had faced since the team was created in 2016. NotPetya led to one of the biggest responses we ever had to help our affected clients with.

What was so unique and alarming about NotPetya was its apparent intent to incapacitate organizations. If you’re infected by this type of “wiper” malware, the consequences would hardly be less damaging than if your headquarters burned down. In an event such as a fire or natural disaster, backups can be restored. But if you can’t access the systems you need to make sales, move goods or manage your company in any way, the losses are measured by the minute.

Given the potential scope of the damage from this self-propagating malware, our people were working around the clock to help organizations mitigate and recover from the attack. By the end of the day we were ordering pizza for the third time and apologizing to our families for missing the weekend. Hundreds of IBMers were involved in the response, but they weren’t complaining — this is what we do. We relish the opportunity to put our skills to use and enjoy being in the fight.

What we learned from that experience, and in the two years since, is that an ounce of preparation is worth a pound of cure. Preparation has two components: building your threat intelligence, security automation capabilities and incident response plan and, just as important, training your teams to respond in scenarios you have gamed out in detailed runbooks that you practice and iterate.

Around the same time that we launched X-Force IRIS, we opened the X-Force Command Cyber Range in Cambridge, Massachusetts. We use this industry-leading command center to help clients not just prepare for a cybersecurity incident, but to actually go through a gamified scenario as if it were the real thing, as a full business response, involving the security team and leaders from HR, PR, finance and lines of business.

What we’ve been able to learn from watching thousands of our clients in the cyber range has been invaluable and informs how we respond to the real thing. We’ve put our own incident response team through the wringer in the range as well, testing our runbooks and putting our people in a pressured environment to boost their decision-making skills and reactions to changing circumstances. We can then bring those learnings and new skills into the field.

Preparation for the Ukraine Election and Predictive Security

In the wake of attacks such as NotPetya, it’s clear that organizations need to go from responsive to proactive, and even predictive, in their security posture. That means anticipating as much as possible what could happen in the future and preparing in advance of events that are likely to be targeted, such as the presidential election in Ukraine.

We attempted to answer the following questions when deciding that Ukraine was a special security event requiring this extraordinary preparation:

  • Is there a credible threat?
  • What is the likelihood of impact to our clients?
  • What is the likelihood of success of an attack?
  • What is the likely action of the adversary?
  • What is the likely worst action of the adversary?

This was the first time we put an incident response team on alert a month ahead of a political event so we could immediately stand up an X-Force incident command center team and make rapid decisions about where to move resources.

We prepared to help our clients in the event of an outbreak by creating custom runbooks, outlining specific steps we would take in various scenarios to contain the threat and help businesses recover normal operations. We ran a full-scale incident response simulation, including implementing a communications plan by writing the communications we would send to clients and prepping blog posts to put up right away to offer our expertise, research and recommendations to the security community.

Plus, for the first time since its construction, we had at the ready the X-Force Command Cyber Tactical Operations Center (C-TOC), the industry’s first mobile command center, to assist clients in Europe with investigations and recovery. We had multiple drivers ready to go at a moment’s notice and drive through the night if necessary. The C-TOC gives us unique capabilities in a destructive attack: if a client’s systems go down, we have a sterile platform from which to work, and we travel with our own internet, data center and all the gear we need to accelerate recovery.

The X-Force Command C-TOC convoy outside the historic Hursley House in Winchester, U.K.

How to Build Proactive and Predictive Response Into Your Security

Today’s threat landscape means it’s a matter of when, not if, you will face a cyber incident. Here are five essential considerations for becoming a proactive and predictive security organization.

1. Know Your Risks

You need to understand what you need to secure and what kinds of risks you face as an organization. Are there regulatory requirements, such as the General Data Protection Regulation (GDPR), that you need to consider? Perhaps your biggest risks are vulnerable software, third-party breaches or insider threats. As a security leader, you should work with your risk officers to identify the threats with the greatest potential business impact.

2. Have a Plan

The most damaging part of a cyber incident is often not the breach itself, but the response to the breach. Unfortunately, many organizations don’t have an adequate cybersecurity incident response plan (CSIRP), or they have one, but it’s not consistently implemented across the organization. According to new data from the 2019 Ponemon Institute study on “The Cyber Resilient Organization,” sponsored by IBM Security, only 23 percent of organizations have a CSIRP deployed across the organization. To create your own CSIRP, you can look at best practices such as the SANS Institute’s six-step framework.

3. Build a Team

With the cybersecurity skills gap projected to grow to 3.5 million unfilled positions by 2021, recruiting, training and retaining talent for an effective incident response team can be a daunting challenge. That’s why, at IBM Security and other organizations we work with, leadership and resilience qualities matter as much as cybersecurity experience. We often find in our cyber ranges that people with backgrounds in the military or first responder jobs have the best ability to make quick decisions and act decisively in a crisis. Remember that your response team should extend beyond the security team. Leaders from the various departments and lines of business need to be looped into your CSIRP, understand their roles and know what steps to take in the aftermath of a breach.

4. Automate Intelligence

Building a proactive security posture requires quick analysis of security analytics, threat intelligence and dynamic analysis of a threat actor’s maneuvering. This is where innovations in artificial intelligence (AI) and security automation really shine. Organizations with the most extensive use of security automation rated their ability to prevent, detect, respond to and contain a breach significantly higher than other organizations in the Ponemon Institute study on cyber resilience. What’s more, security automation can significantly reduce the cost of a data breach by as much as $1.5 million.

5. Train Like You Fight

Your CSIRP is only as good as your ability to implement it during a real breach, but to be prepared, you need to practice it, update it and build your response “muscle memory.” During a crisis, things aren’t going to go exactly as planned, and that fight-or-flight response will kick in, making it very difficult to react well in a situation you haven’t experienced before. We’ve found that running immersive gamification scenarios in our cyber range and the C-TOC comes pretty close to the real thing. You’re much better off failing in a rehearsal run than during the big show.

Preparing for the Next Fight

There’s a saying that generals always prepare in peacetime to fight the last war. It’s the same in many aspects of our lives, from business to a much more personal level. We all have a cognitive bias that makes us think that because something happened before, it will happen again in the same way and with the same outcome. But it’s not a foregone conclusion that a cyber incident will go exactly as you planned.

We were fortunate that the Ukraine election went off without a major incident. The many hours we spent planning and the resources we devoted to preparing for a worst-case scenario that didn’t come to pass weren’t wasted. Every time you drill your response runbooks, you learn something new. The hotwash and post-mortem analysis from a simulation are just as important as those after a real-world incident. And even though a major cyber incident didn’t happen this time, we are already learning from our hotwash of the preparation.

Even if you prepare for something that never happens, the response runbook can go back on the shelf, better prepared for when you need it. Most importantly, that response becomes so ingrained in your team’s muscle memory that it’s almost automatic. That way, when something unexpected does occur, you are only pivoting to what’s new. Whatever comes next, you’ll be ready for it.

Caleb Barlow

Vice President - IBM Security

Caleb Barlow is an accomplished security professional and Vice President at IBM Security, where he leads IBM's Threat...