
It's such a pleasure to be here at an event in the north of England and to see so many people here, so thank you very much for having me. I hope you won't need the subtitles since we're in the north, but if you do, just let me know. I did say to my son that I was coming to do this talk and asked him if he wanted to come to BSides as well, but he told me it was boring to talk about cyber attacks. So it's great to be with people who don't think that it's boring. Thank you so much for having me along this afternoon.

As mentioned, my name is Heather Lowrie. I'm a Chief Information Security Officer, which means that I look after information and cyber security for the organisations that I work for. I work in the higher education sector. Previous to this I worked for the Scottish Government looking after the census in Scotland, and currently I help with cyber security in the higher education sector at the University of Manchester, just down the road from Leeds. So it's great to be here in Leeds today with so many fellow cyber and infosec professionals and enthusiasts.

This talk is about responding to cyber attacks, but really it's also about never letting a crisis go to waste, which is something that we do regularly in our careers and in our lives as security professionals. I'm going to talk to you about my experience of, essentially, how I spent last summer with my team responding to a cyber attack, but also how we recovered from that and how we made sure that we were building resilience as we came out of it. So it's really about the art of recovery: attacks happen, but how do we recover from them? That's the theme here.

To introduce you to my institution: we are the largest single-site university in the UK and we have one of the largest and most diverse student populations in the UK. We work very closely with colleagues in the higher education sector, including some colleagues who are recognised here, and we are part of that broader sector and broader community within the UK. We are a large single-site institution, we have a lot of sensitive assets to protect, and we have a lot of stakeholders and a very large and diverse student population that we work with. So higher education faces a number of challenges in terms of dealing with and responding to cyber attacks; we are very much on the front line. The principles that I'll speak about, and our experience, are shared in other sectors as well, but higher education in the UK is very much at the forefront of dealing with the cyber threat and attacks on the sector, and of learning and building resilience as we recover from such attacks.

The context, just to give you some background to the story that I'm going to tell: last year I arrived in post in Manchester, straight off the train, a few weeks before these events happened. We were subject, like many other institutions, to a significant cyber incident. It's not unique to the University of Manchester or to higher education, but this incident happened a few weeks after I arrived in post. We worked through that last summer, and we are now in the position that we're building resilience coming out of it, and that's the focus of the talk here.

So that's the context. What I'll speak about is a little about the incident itself (many of you will have experienced such incidents in your own institutions or organisations, so you'll be familiar with it), the response strategy, so how we strategised our way out of the incident, which is the key point here, and how we are looking to build resilience with other partners across the sector, and indeed in other sectors, going forward. That's the structure of what I'll talk about. I'll also try to stay at the lectern, so thank you very much for the reminder on that. I'm very happy to take questions at the end; we've got plenty of time for questions at the end as well.

The incident itself. I'm not going into the details of the incident, but in broad context I want to speak about the reactions: what happens, what do you do when you know that an incident like this has happened? This was my experience. Round about, I think it was half past [unclear] on a Monday morning, I had gone into work and I was chatting with my Head of Cyber Security Operations, a fantastic colleague who had just been promoted into the role as part of building the new function in the university. We were just preparing for the week ahead, and he sent me a message on Teams with a bright red exclamation mark: "I think we've got an incident." So what do you do when you get that message on a Monday morning? How do you react? It's really the immediate reactions that are critical and important in being able to deal with incidents such as this, and many colleagues will recognise this scenario.

We received a report, or a claim, that a cyber criminal threat actor claimed to have exfiltrated data. Such reports happen; there are a lot of signals in this kind of environment. But within 30 minutes we had assessed it to be a credible claim, although it's important to note that systems and data remained available at all times to the university throughout this incident. The important thing is that the crisis response plans were immediately enacted. Having a crisis response plan, not just a cyber incident response plan but that crisis management structure and a crisis response plan in place, was really important for us to be able to deal with the fact that this may be a cyber incident. There are technical aspects to that, but really it's a crisis, and it's how you respond to a crisis that counts. So, back to the point about never letting a crisis go to waste.

We had support from many, many partners as part of this response: from the National Cyber Security Centre, from the NCA, from Jisc in the higher education sector, from the North West Regional Organised Crime Unit and others, internally and externally. That coalition of support was really important to us as well, because we ended up working through this with a very small team for several months. Knowing that you had that external support and that you had those partners in the broader community to help was really important for us to be able to maintain our morale and to work through what was quite a complex incident; it was a marathon, not a sprint, essentially. So that coalition being in place from the start was really important to the team. We also had support from suppliers with forensic capabilities and technical advice. It's not necessarily cost effective for universities to have every skill internally, but knowing when to work with partners and when to reach out for that support was critical to us as well. So those immediate reactions stood us in very good stead, and we were able to relate back to other crises that had happened and to draw on that muscle memory and that institutional memory. This may be a cyber incident, but it's really about how you deal with a crisis situation.

The attack itself was not particularly noteworthy. There was reconnaissance and privilege escalation, and a level of sophistication in terms of persistence and covering tracks. It's important to note that it was scripted and not targeted access. But such attacks happen. The fact that attacks happen is not the key point here; it's how we respond to them, how we recover from them and build resilience going forward, and how we continue to operate during the incident period.

So how did we respond? This is really the key point. The immediate reactions meant that we were able to stand up a crisis response team, and we had that full institutional support, but we also thought about our strategy. Not just the incident response phases that all of you will be familiar with from NIST and other frameworks, but how were we going to strategically respond to this crisis situation, this cyber incident? What we did was to put together a road map and to use it to communicate throughout the institution and more broadly with our stakeholders. There were really three phases that we worked through.

Stabilisation was the first phase, and that went on throughout last summer. After the immediate event, it was helping us to complete containment and eradication, so the contain and eradicate phases of the security incident handling frameworks. That was really about making sure that we were able to contain, eradicate and move towards recovery, and that phase was in place until the end of August. So that's the first phase, the stabilisation, really the emergency surgery part when an incident has just happened.

Moving out of stabilisation, we had an assurance point at which we said we are now ready to move forwards into restoration, looking to restore some of the key services that had been impacted. In the initial phase it's very much about locking down and having additional controls in place while you're dealing with an active threat, but moving into restoration is about being able to open up a bit more, in a controlled manner, and restore key services. That was the next phase that we worked through, and this helped us to communicate across a very large institution, with many stakeholders internally and externally, what we were doing. During the restoration phase, it was about recovering services and connections and having greater confidence across the estate to enable us to open up further. But we knew at that point, when we went through the next assurance checkpoint, that the work was not done.

We were then moving into a security improvement phase, a transformation phase, and this is really about a future-proof and sustainable target state. The key point here is not just dealing with the immediate incident, but also not letting the crisis go to waste and thinking about the improvements that need to be made to ensure that we are more resilient against future incidents: continually improving the security situation so that we can deal with, and minimise the impact of, future incidents. Such incidents happen, attacks occur, but what we want to be able to do is to build resilience to reduce the impact of them, so that we can continue to operate and move forward with an improved posture. So this was the third phase that we worked through, and at this point the target is to have a frictionless and supportive user experience, so that to the end user there is less impact as we work through this phase of the strategy.

Throughout all of this it was really critical that we had agile and dynamic risk management in place, and we had support across the institution to help us with that. We could not predict all of the immediate and emerging risks that we were dealing with in such an uncertain and dynamic environment, but what we could do was make sure that we had tight control over all the risks and issues, with our business partners, with our risk and compliance partners, and with professionals across the university. So not just the cyber incident response team, but the partners in other areas of the institution who could help us with the dynamic and agile risk assessments that we had to do.

We had to balance security and business needs. Being able to continue to operate when there's an active threat, when you're dealing with a cyber security incident, is a very delicate balance. The reaction is often to shut down, and that is the easier situation for security professionals to deal with, but we had to continue to operate and to support critical services during this period as well. So it was about balancing security and business needs, and that was key; having partnerships with business areas who understood their risks enabled us to do that as we dealt with this situation. Fundamentally it was about being pragmatic in the way ahead and adopting an architectural view: having a view of our security architecture and our enterprise architecture, of how we could move forward from the crisis situation and build back better, so that we were recovering but also more resilient going forward.

Key to all of this was having the governance and coordination in place: executive engagement from senior leadership within the institution, and delegated accountability to the lines of business, where business owners could make decisions about their areas. Having business continuity plans and contingency plans in place meant that if we did have to take services offline, users and stakeholders were not impacted, because our business teams had thought about contingency plans and workarounds. As cyber security professionals we don't have full visibility or understanding of contingency plans in business areas, but delegating accountability to people who do understand, and who are close to services, enabled us to continue to operate through this period. The coordination of the response was critical. Going back to the point about thinking about this as a crisis response, a crisis situation, having that coordination and governance across all of this was absolutely critical. So that was our response.

Going forward, what are the impacts of such an incident, and how can we build resilience? This is not just about this incident; this is for all of us to think about: what are the impacts, and how do we build resilience as we come out of these attack scenarios? The impacts are often felt across the communities that we work with. It's not just about security recovery; it's about needing to deal with the incident and also, potentially, with technology and security debt. There are many organisations that have to not just recover but also rebuild coming out of these kinds of incidents. Partners and collaborators are impacted: people can, out of an abundance of caution, isolate their networks from yours, so partnerships are impacted. Working with stakeholders, sharing as much information as you're able to, and communicating openly and transparently is critical in dealing with the impacts. There are regulatory impacts to work with, so having legal and regulatory teams involved in the response, as well as other professionals, is absolutely critical. And then, in the case of universities, research and operations: making sure that we're able to continue to support critical research partnerships and critical operations is really vital as well, because they are all impacted after such incidents.

Very importantly, there is the human impact. I mentioned this was quite a small cyber security incident response team. It's not the kind of situation where you can just throw additional people at the problem; it's about protecting that small core team from the impact so that they can deal with incidents over an extended period, and also being aware of the fatigue, the fear and the concerns that are generated in the wider organisation, the wider sector and the wider communities that we serve. So it's very important that we recognise that such incidents have a human impact, and as leaders in our organisations that is our primary concern: to deal with the human impacts, because it's the people who help us to recover and to build resilience going forward. I can't overstate that point. Just to restate it: it is real for people. When such incidents happen it's real for everyone involved. There's a lot of technology and technical expertise involved in the incident response, but it's people who are affected, and the business is affected, and it's that single team working that is needed to grip the situation, to deal with it and to recover.

So, in terms of how we turn a negative into a positive, taking a crisis situation and thinking how can we turn this around, how can we mobilise to come out of this: the way that we dealt with this was to think about how we could create a shared vision that everyone can get behind, so that we're thinking positively about the road ahead and not just the crisis situation that we find ourselves in, because that lasts for a finite period of time. What's the vision? Where do we want to get to? The values that we wanted to work around we spoke to our stakeholders about. We wanted to collaborate, across the institution, internally and externally, and we wanted to improve our security posture; that was a value that everyone was aligned around. Increasing our capability and capacity was important to us, and rationalising for efficiency as well. Fundamentally it was about embedding architecture and assurance into everything that we do: building that culture of assurance and having security architecture embedded in everything that we were doing as part of our rebuild and recovery effort was fundamentally important to us.

Our vision is that we want to be world leading in securing our university; we want to enable sustainable, collaborative and frictionless safe and secure teaching, learning and research. Fundamentally we are here to support the business goals and the business mission, and that is about teaching and learning, research and discovery, and social responsibility. Having security completely aligned to the business goals and supporting the business mission was critical for us.

Finally, we've built a security strategy off the back of all of this, and we published it last week. What I want to highlight here are the principles that we're building on. These principles apply across the sector, so this is across higher education; it's Universities UK guidance, but I think it also applies more broadly to other organisations, which is why I want to share it here as well. We are not just looking at this as a technology issue or a technology solution. Technology is fundamental, but there are four pillars that we're working across from a strategy perspective: governance, assurance, technology and culture.

Governance: having an embedded approach to identifying and managing cyber security risks is fundamental for us and for many of the organisations that we work in. Security governance will be different in different organisations, but fundamentally we need appropriate governance in our organisations to enable us to manage cyber security risks.

Assurance is fundamental as well, encompassing both internal and external review: building that culture of assurance where we are not only secure but are also seen to be secure, and where we work in partnership with teams internally and externally. It may be a three lines of defence model; it may be whatever model you have in your organisations. But having that culture of assurance, openness and transparency is critical.

Technology: I mentioned there's a broad range of systems, services and infrastructure to deal with in the environment that I work in. It's a very complex technology estate, and I'm sure many of you also have very complex technology estates, so rationalising and simplifying for efficiency is fundamental there as well.

Finally, I want to highlight the importance of culture, because although this is the last point on the slide, I think in many ways it is the most important pillar here: having a culture where we encourage open, honest and transparent consideration of security issues, where colleagues are supported to report issues, and where they know that those issues will be dealt with with advice, guidance and support and everyone will benefit from the learning. That's the kind of culture that we want. As universities we are well positioned to build that kind of culture, but I would also commend it to all of you in your organisations: to have that open, transparent culture and to build that risk and security culture where everyone can share learnings from such incidents, where we can speak to each other, take advice, and learn how to rebuild, recover and be more resilient going forward. That is absolutely critical, both organisationally and, I would suggest, across the whole of society as we look to recover from such attacks.

So thank you very much. I am more than happy to take any questions that you may have; I think we've got about five minutes before the next speaker.

[Applause]
Q: [Partly inaudible] You had a compelling event that got the buy-in of the organisation. It's really difficult to get people to take on the challenge of security.

A: Yeah, it's a really good question, and I think it goes back to having a strategy that everyone can get behind, so a vision that everyone is aligned to, having a strategy, and then how we execute on that strategy. In the case that I'm talking about here, there was already investment and planning in place for initiatives, so it wasn't just as a result of a compelling event, but having that clear strategy that you can build business cases and investment around is how I would approach that.

Q: How did you manage the communications to all the different audiences? University students are probably very active on social media, and the last thing you want is them saying something they shouldn't. So how did you manage the different communications?

A: It's a really good point, and I think it speaks to the importance of having communications teams completely embedded in the response team. In this case it wasn't just the cyber security incident response team; I mentioned that we had other professional areas involved as well. We had our corporate communications team fully embedded in that response structure. We spoke about gold, silver and bronze command: at the silver command level the communications team was working hand in hand with myself and other colleagues with other areas of professional expertise. That's so important in any cyber security incident response, to have comms fully working alongside the technical incident response team.

Q: In an institution like a university, obviously students come, some for a short period of time, some for two or three years. How do you keep building [partly inaudible]?

A: Yeah, I think it goes back to the point about values. Any organisation, universities or others, we have shared values, and it's about that kind of culture, so the tone at the top is fundamentally important in that case.

Q: [Partly inaudible] Clearly cost, resources, the financial impact of the incident: how did that change things?

A: It's a good question. Such incidents do cost money; they have an economic impact, and there's work going on to model what those impacts are. To the question on sharing across the sector, some of this building resilience is actually about building shared capability and infrastructure, so I think that's work in progress, to think about the equities there. But such incidents do have a financial impact, and that is quantified, and then it's about the prioritisation and the investment, back to the other question that was asked, building investment priorities aligned to the strategy going forward.

Q: [Inaudible]

A: So, internally, if you have a CIR provider you're still very much reliant on the expertise and experience of a small internal team. Two ways that we dealt with that: fundamentally it's about leadership, having strong leadership in place to support the team and thinking about protecting the team first and foremost, and having partnerships and collaborations in place so that the team never felt that they were dealing with this on their own. And then, back to the point about approaching it as something that we could turn into a positive: the fact that events happen is not the point, it's about how we move forward positively and constructively, so having that shared vision that we were working towards.

Q: Plans very rarely survive execution. You had obviously just gone into the organisation, and plans were in place already, I'm guessing, in a lot of those areas. How did you handle changing things in real time as you went through the situation, as it evolved?

A: To me it's about empowering the teams to deliver; that's the key point in terms of execution. In this case, empowering small teams that are very expert in their areas, giving them the resources and the delegated accountability and responsibility to do what they had to do. Fundamentally it was about empowerment.

Q: Is there anything that you wish you [inaudible]?

A: It's always possible to look back and think there are things that I wish had been in place, but I couldn't have asked for better people to work through it with, and that's the key point here: having a strong team, great people who can help to work through these incidents. So I wouldn't say there was anything that I would have wanted. Such things happen; it's about how you respond to them, looking forward. But that's my perspective on it. Sorry, apologies, and I'm more than happy to chat afterwards if anyone wants to ask any further questions. Thank you very much for your time.