Think like the National Defence: Be prepared for cyber attacks

In the Danish Defence, it is possible to enlist as a cyber soldier. The mindset behind the initiative can be used to inspire companies, as there always is an attack lurking, it is crucial to have the strategy in order. IT security specialist Kenneth Demskov suggests companies have a robust contingency plan with frequent training.

The first cyber soldiers have been recruited to the Danish Defence and are undergoing four months of basic training in Fredericia and Karup in Jutland. After the basic training, they must attend a 5-month IT course before they complete the training with further job practice in one of the three branches in the Danish Defence: Army, Navy, or Air Force. Now, it is a 3-year test program referring to the Center for Cybersecurity in the Danish Defence.

What does the above have to do with IT-security in Danish companies and organizations?

Civilian life does differ from the military. However, the contingency plan, attention, and the thorough preparations of an attack might inspire to take the IT threats seriously. Today, it is not a question if a company will be attacked but when. Therefore, we need people on the front lines who are trained for a cyberwar, excelling their drills, and ready at their posts when the attack will happen.

ISS exposed to a targeted cyber attack

The most noteworthy attacks today are exceptionally targeted. When ISS was attacked in February, there was talk of ransomware of the Ryuk type with the aim of extortion¹⁾. An example of how cybercriminals handpick specific targets.

The attacks can be reflected in the choice of weapons, and cybercriminals are becoming more and more effective. They can send ransomware that drifts around in the IT system before it wakes up and encrypts in the company's data. This delay makes the attack more extensive and potentially more destructive.

Intel is essential in the IT-war

Denmark is a country characterized by high levels of trust, which is problematic when an attack is occurring. In traditional warfare, any intel on movements behind enemy lines is essential.

• To stay updated on enemy tactics, follow, e.g., some of the many blogs written by security experts.
• Lean on the experts. The established security experts and companies have useful information on the latest cyber weapons.

High-quality intel makes it possible to be better prepared for taking precautions and predict where the next attack will come from. Some security companies work with the so-called "honeypots" as bait, where they lure the criminals out from the bushes to understand the new methods of the cybercriminals. In this way, analyzing how they attack handpicked targets provide valuable intel on the cybercriminals' methods.

Practice makes IT troops ready for action

One thing is reliable intel; another thing is the heat of battle. Which areas of business can a company continue to operate if the IT-systems are down? Who does what? Do we have the phone chain in order, and how much of our data is compromised?

Those who are responsible for security need to be kept in the loop through practice, and the whole organization needs training in operations with or without limited IT. It is a good idea to perform a half-yearly tests, but one should not fall asleep behind the wheel. In the worst-case scenario an attack might, put the company out of business entirely.

Enter the contingency plan. A detailed list with an escalation procedure and clearly defined roles can make the difference. An example:

Following a major IT migration, a large company experienced network outage stunning thousands of workplaces. . On the shelf in a ring binder, there was a detailed, updated, and thoroughly tested contingency plan that could be executed step by step. The established emergency response plan contributed significanly to minimizing the overall consequences.

Unfortunately, it is my impression that many of the Danish companies do not have an updated and thoroughly tested contingency plan. It can't be expressed clearly enough; think like the National Defence! An unprepared military is not useful, and the same goes for an assessment of when the damage is done if a company has been attacked. Detailed logging can ease the cleanup and help to strengthen the defensive structure in the future.

Capture The Flag is useful to simulate an IT war

In Denmark, frequent capture the flag (CTF) events are held as hacking competitions. Academies and unions like PROSA²⁾ are hosting these events to simulate cybercrime scenarios. During the event, you need to protect your server as well as attacking other's servers to learn about security breaches and the specific methods, and patterns cybercriminals follow.

The flag is 64 characters that the gaming server generates and places randomly onto the team servers. The rules are that you must defend your flag, keep your servers running and catch the other's flag. It makes CTF-events useful as training for the elite troops in the company within IT-security.

Strong intel, a contingency and emergency response plan, training for IT personnel, and competitions for the elite troops are altogether rules of conduct and precautionary measures, we can learn from to become a bit more like the Defence.

Get updates on cybercrime and sign up for our newsletter if you would like to receive future articles posted on our website and LinkedIn.

^{1) DR: ISS target of a hacker attack: purpose was extortion.
2) PROSA:  Train your hacking skills with Capture The Flag}