Geneva Manual exercise group 1
27 May 2024 13:45h - 14:15h
Disclaimer: This is not an official record of the session. The DiploAI system automatically generates these resources from the audiovisual recording. Resources are presented in their original format, as provided by the AI (e.g. including any spelling mistakes). The accuracy of these resources cannot be guaranteed.
Full session report
Simulated workshop tackles cybersecurity crisis at Lumina Teleinnovations
In a simulated workshop setting, participants engaged in a critical dialogue to address the cybersecurity challenges faced by a fictitious telecommunications company, Lumina Teleinnovations. The company had suffered a data breach at its cloud computing provider, which was later confirmed to be part of a sophisticated supply chain attack. This was followed by a ransomware attack on Lumina’s own infrastructure, resulting in encrypted data on local servers and disrupted services in an adjacent jurisdiction. The participants were tasked with assessing the security situation, determining the appropriate response to the cloud provider, and deciding on immediate actions to mitigate the crisis.
Anastasiya Kazakova, the facilitator, set the stage for the discussion by providing the context of the breach and its implications for Lumina Teleinnovations. She invited participants to consider the security implications, the company’s response to their cloud provider, and the immediate steps that should be taken in terms of public relations and security measures.
Linda Karcanaj, a participant, highlighted the importance of a zero-trust architecture and discussed the division of responsibility between the cloud provider and the client. She argued that if Lumina was merely hosting its systems with the provider, it retained full responsibility for the security of its hosted content. Karcanaj also stressed the need for a detailed security assessment to understand the scope of the breach and the impact on Lumina’s data. She advised against making public statements without comprehensive forensic reports and cautioned that premature communication could lead to misinformation.
Karcanaj further elaborated on the role of a security operations centre, advocating for continuous monitoring of systems, whether hosted on-premises or in the cloud. She suggested that immediate countermeasures, such as isolating affected systems, were imperative to halt the spread of ransomware. If Lumina lacked the internal capabilities to manage and monitor its systems, outsourcing to a third-party firm was presented as a viable option.
Anastasiya Kazakova probed the participants for further clarification on the proposed countermeasures and their appropriateness. She inquired whether shutting down the infrastructure of the ransomware actor could be considered a suitable response within the scope of countermeasures that Lumina could undertake, either independently or with the assistance of a third party.
Peter Marlen from the European Commission contributed to the discussion by emphasising the importance of both technical and communicative responses to limit the impact of the attack and work towards recovery. He pointed out the delay in the company’s response and questioned whether any preventive measures were taken in the interim.
Rozalinda Stojova, another participant, underscored the necessity of a comprehensive security assessment, raising questions about the value of the compromised data, the existence of backups, and whether Lumina had data insurance. She suggested that the answers to these questions would guide Lumina’s response to the cloud provider and inform the third party tasked with managing the crisis.
The conversation concluded with a consensus on the need for immediate and thorough security assessments, the importance of continuous monitoring, and the potential engagement of external experts for incident response. Communication with customers and authorities was recognised as a crucial step, but it was agreed that it should be based on detailed information and forensic analysis.
The dialogue demonstrated the collaborative nature of the discussion, the sharing of best practices, and the emphasis on the complexities of cybersecurity in the context of critical infrastructure. It highlighted the multifaceted approach required for effective incident response, encompassing technical, communicative, and strategic considerations.
Session transcript
Anastasiya Kazakova:
So, you will be able to read the messages. So, hopefully you could see it now. Once again, let me briefly explain the context. So, we all play in as a one group, as a one participant, collective participant. And our role is a company which is called Lumina Teleinnovations. It’s a critical infrastructure operator, telecommunications company. It’s a fictional company. And we have a message. So, here’s the message. We found out about the recent news that have been reported by experts in social media and several media outlets about possible data breach at the major ICT provider. This company is based in another country. And they are our cloud computing provider. The breach hasn’t been confirmed by the company, by our provider. And they haven’t provided comments yet. So, we don’t really have further details. Several days later, we received a notice from them that their security teams have confirmed the data breach as a result of a sophisticated supply chain operation, which exploited a backdoor in the open source library. Highly likely, the data that we have on the service that provides by this company is compromised. And our system might also have been targeted in the context of the supply chain operation. In two days, our infrastructure was further hit by ransomware, which encrypted data on local servers. The infrastructure in our facility located in a neighboring jurisdiction, which also has been targeted as well. And some services are not responsive. So, our security team suggests hiring a third party, third company, to deploy countermeasures against the ransomware threat actor. So, this is the situation that we’re in. I would say not a really easy situation. But we have several questions to discuss. So, I see that some of you entered the document. Feel free also here to type your responses. I also actually invite you all to share your views here, raising your hand. So, the questions are, what is your security assessment of the situation? 
So, you’re in the shoes of this critical facility. Your provider has been hit with a supply chain operation. And later, your services have been hit with the ransomware. How do you assess the security? How do you assess overall the situation? And in terms of what is an operation, what is a critical attack, please identify the main points, what are the main factors you see here. The next question, what could be the response to our cloud computing provider, ComputerSoft, if any? And the third question, what could be our immediate actions response to this news? In terms of the PR, security measures, any measures that would be the next steps that we do? So, anyone has any ideas?
Linda Karcanaj:
We have a lot of ideas, but I want to understand better the scenario. So, you’re talking about a service provider, which is tech fair solution. Is this company offering software as a service services? Because in that case, yeah, they’re responsible, and the security assessment should be done by the proper task forces, which are experts in forensics. If they are software as a service provider, if you are hosting your system in their infrastructure, you should be responsible for a zero trust architecture, which has to be built on top of your solution. So, you are responsible for the security of whatever you’re hosting in their cloud. And if you have taken proper measurements regarding that, you are not going to be affected from the ransomware attack that they suffered. And I wouldn’t go in the response to the news without clearly having all the reports of the forensics first. Because if you go in the press first or second day after a cyber attack, the only thing that you can say is that, yes, we had an attack and we are investigating. You cannot come to conclusions without having proper information regarding the forensics and the attribution. This is my stance regarding this situation. Thank you.
Anastasiya Kazakova:
Thank you so much, Linda. I would have a follow-up question. We are in a situation where we should be developing the zero trust approach, but we haven’t done so. Would our assessment of the situation and our response be different in this regard?
Linda Karcanaj:
Sorry, can you repeat the question?
Anastasiya Kazakova:
Yeah, sure. So, you said that there might be two scenarios at the very beginning. And I’m interested if there is a second one, when you said that we actually should be responsible and we should have implemented the zero trust approach, but we haven’t done so. And whether the fact that we haven’t done so, but we are still responsible for a further cleanup, would our security…
Linda Karcanaj:
If they are not offering software as a service services, where they are responsible for the security of the system, if we are just hosting in their cloud, we are 100% responsible for what happened to us. And the security assessment should be very detailed, mentioning if the system had proper utilization, if the administrative accounts were used. And in that case, were they used properly, using a power in the middle, or based on other security protocols, if they did have two-step authentication. So, there are a lot of security assessments that should be done in that case. But if we are hosting in their environment, we are 100% responsible for the attack. I mean, for consequences of the attack, not the attack itself.
Anastasiya Kazakova:
Yeah. And I wonder what you think about this point that, once we know about the ransomware, our security team suggests hiring a third-party firm who may help to deploy countermeasures to avoid being ransomed by the ransomware gang.
Linda Karcanaj:
Okay, I’m talking from the point of view of one, a lot of, actually not just one, critical infrastructure that were attacked in 2022, with a very sophisticated nation-sponsored attack. So, we were targeted at that time with a ransomware decoy, and then this process was associated with a malicious wiper. So, my idea is that, if the company had the notice that they had a ransomware, they should give that notice immediately to all the clients that they are offering services for, because in that case, they should isolate all the users and the systems that are hosted from the company. If you don’t shut down immediately the systems, the active directory and the end users, you could be affected very, very severely by ransomware. As I said, we had a ransomware decoy and only 100 computers were affected with ransomware out of 12,000 endpoints that were targeted, because we isolated and we shut down everything right away, as soon as we noticed that we were under a ransomware attack.
Anastasiya Kazakova:
Thank you so much. Noted that you mentioned that contacting the customers would be one of the first steps, and I wonder, one more follow-up question to you, whether the communication or any notification to the competent authorities should be also among the first steps for the critical facility?
Linda Karcanaj:
This is why I mentioned in the very beginning, it should be very clear what the company is clearly doing, is offering the services or is just hosting. Because in any case, the responsibility is of the institution which owns the critical infrastructure or the company which owns the critical infrastructure. So they should be responsible to take proper measurements, because in the very end, it is their responsibility. Even if they are hosting in a company like the one that we have as an example, which is offering services, is the responsibility of the client which owns the critical infrastructure to make sure that the hoster has followed the proper security guidelines and the protocols of the possible attack. So it’s very complex. It’s not the hosting company responsible for everything. It’s everybody which owns the critical infrastructure which should take the proper measurements in order to safeguard them.
Anastasiya Kazakova:
Thank you. Thank you, that’s clear. Thank you so much. Any other views?
Peter Marlen:
Can you hear me?
Anastasiya Kazakova:
Yeah.
Peter Marlen:
Hi, I’m Peter from the European Commission. I just wanted to say, I’m not going to say much because I’m learning in this space, but I’m happily listening. Of course, I’m happy to hear everybody talking, but just to say there’s a bit of silence, but it’s also because I think I’m not the right expert to say much. Just to play the game, I would say, of course, the reaction would probably be on the one hand technical, to limit the impact and work already maybe on recovery, and on the other hand, communication. But I think Linda also mentioned that as well. There’s also communication to other stakeholders: stakeholders in the sector, your clients, maybe authorities, depending on where you are, and, you know, what you think is necessary, but of course, you want to do also reputational damage control and also damage control to your clients. On the assessment, I don’t know what your question really is about, what is your security assessment, but what strikes me is that it took four or five days. If I calculate correctly, it takes multiple days before this company is then hit, as well as the neighboring jurisdiction. And the question is, was anything done in the meantime, but okay, that’s a discussion for later, maybe. Thanks, I’ll stop there.
Anastasiya Kazakova:
Thank you so much. Yeah, we specifically put them in different jurisdictions, just to also hear your views, whether those would have any sort of the impact on assessing how further the company, the critical infrastructure facility should act. Any other views?
Rozalinda Stojova:
Hi, can you hear me? Yeah. Thank you. I’m Rosalinda from North Macedonia. Well, the first question is, if I can see, can you just a little bit think, what is your security assessment of the situation? So I think that the assessment of the situation is very important. And according to what was presented to us, the case which we are considering now is not presented in very much detail. So the assessment itself should be very wide and very detailed. So we don’t know how much value the data has for us, whether they are important data or not important data. Do we have a backup or not? Do we have some kind of insurance for the data that we have lost or not? And there is, I assume, or there could be, a list of questions that we might ask during this assessment that we should do. And according to the answers to those questions, our response to the company that you say is ComputerSoft, which I don’t know which company that is, I think you meant Tech Squared Solutions, might be. And according to that, our response to the situation, and all this data, should be provided to the third party that we try to hire, or we have already hired a third party for this situation that we’re in. So firstly, we have to do a well-done assessment. So after the assessment, we know well what to do next.
Anastasiya Kazakova:
Mm hmm. Thank you.
Rozalinda Stojova:
I think many questions that we should ask, we should ask ourselves and maybe the, the cloud company. So this is very important for us. Okay.
Anastasiya Kazakova:
Yeah, thank you. I think you highlighted some of the immediate questions and data we as a critical facility should ask, should raise. And I wonder as well if you have any views, particularly on this part, in the context where we have been hit by the ransomware. What are your feelings about the possibility of deploying countermeasures to avoid being ransomed? Whether it would be an appropriate sort of response from us, or a response that would be considered as off limits, not appropriate. Any other views, maybe to the colleagues that mentioned earlier the understanding of the situation. Something maybe you agree or disagree with.
Linda Karcanaj:
Sorry, I cannot stop talking. Again, if you are responsible for a system and the infrastructure where the system is hosted, you are also responsible for monitoring, with your security operations center, everything that is happening in your systems, to make sure that you are monitoring your system. So your security operations center monitors everything that is happening in your systems; it doesn’t matter if they’re hosted on prem or if they’re hosted on cloud, which means your security operations center will have to monitor 24/7 all the malicious attacks that are being done towards your endpoints or towards your servers or active directory, which in this case should be active directory on cloud. So, all the countermeasures are being done right away by the security response department of the institution or company which is responsible for that. And they should isolate the situation and stop the ransomware with the capabilities they do have to interact and isolate the endpoint, which can be users or servers where you notice the ransomware, and if the ransomware is spread using your active directory, that one should be isolated right away. So, in case you are giving away everything, the managing of your system, the monitoring of your systems, yes, you should hire somebody else. So, you give everything away. In case not, you should be the one taking proper countermeasures and stopping the ransomware. Thank you.
Anastasiya Kazakova:
Thank you very much. Any reflections from the others? Linda, if I may, that was really helpful also to hear your view with regard to the countermeasures that you, first of all, named and then described in your presentation. So, I think it’s really important for us to understand what the countermeasures are and how they are being used, with regard to the countermeasures that you, first of all, named as the separation of the affected service. That’s one of the actual concrete steps within the countermeasures. And I wonder whether shutting down the infrastructure of the ransomware actor would be also an appropriate response within the scope of the countermeasures which a critical facility may do either solely or with the help of the third party.
Linda Karcanaj:
Okay, so I’m telling the story of what really happened in our country. We shut down everything because by the moment when we identified the attack, we didn’t know which was affected and which wasn’t. So we did all the analysis with the system. I mean, shutting down, I don’t mean shutting it down totally. Isolating and not having them live and published on the Internet. In our case, it was a detection and prevention team of Microsoft, which helped with the analysis of the situation. And the CRIS team of Microsoft, which is a safe recovery team, which helped us to build from the very beginning the active directory, to do proper scanning for the indicators of our attack in our environment. So we analyzed every single system. We analyzed and cleaned every single endpoint before going back live, so we wouldn’t be the target of another, more destructive attack, but to make sure that we are back very, very safe and with everything 100 percent under control.
Anastasiya Kazakova:
Many thanks. Anybody else? We have a few minutes before going back to the plenary. Maybe you would have also inputs or ideas as to what first kind of stakeholders, beyond the customers that we heard from Linda, but also from the rest, beyond the supplier, any other type of actions that we need to keep in mind to conduct first, whether after we know a possibility that our supplier has been tagged with a supply chain operation or after the ransomware hit our own infrastructure. All right. I see no further comments. We will be going back to the plenary in less than a minute. So see you soon. And you may have time to take a coffee or tea. So just for the short break. See you soon in almost 40 seconds. Thank you very much.
Speakers
Anastasiya Kazakova
Speech speed: 148 words per minute
Speech length: 1240 words
Speech time: 503 secs
Arguments
Understanding of countermeasures for ransomware attacks is important
Supporting facts:
- Linda Karcanaj emphasizes responsibility in system and infrastructure monitoring regarding security
- Anastasiya acknowledges the mention and description of these measures presented by Linda
Topics: Cybersecurity, Ransomware Response
Separation of affected service is an actual concrete step within ransomware countermeasures
Supporting facts:
- Linda Karcanaj suggests isolating the situation and the ransomware as part of immediate response
- Anastasiya mentions separation of services as a concrete step in combating ransomware
Topics: Ransomware Mitigation, Incident Response
Shutting down the infrastructure of the ransomware actor might be an appropriate response
Supporting facts:
- Anastasiya is inquiring about the effectiveness of shutting down a ransomware actor’s infrastructure as a countermeasure
- The questioning suggests a proactive approach to dealing with critical cybersecurity threats
Topics: Ransomware Countermeasures, Cybersecurity Defense
Report
Linda Karcanaj and Anastasiya underscore the critical importance of implementing stringent cybersecurity measures to effectively combat ransomware threats. They mutually acknowledge the integral role of knowledgeable oversight in system monitoring and the necessity of swift responses to cybersecurity incidents to safeguard systems and infrastructure.
They place a spotlight on the importance of understanding countermeasures for ransomware attacks, affirming that the comprehension of defensive strategies is paramount. Linda Karcanaj emphasises the necessity of isolating an incident as part of the immediate response to a ransomware attack, suggesting that containment is critical in limiting the spread and impact of malicious software.
Anastasiya echoes this sentiment by discussing the significance of service separation as a tangible step. Moreover, she aligns with Linda’s stance on countermeasures, reinforcing the concept that segmentation of affected services is an effective tactic in ransomware mitigation. Their discussion also explores proactive measures against ransomware, with Anastasiya specifically inquiring about the feasibility of shutting down a ransomware actor’s infrastructure.
This suggests a forward-thinking stance on handling cybersecurity threats, although it maintains a neutral position on the conclusiveness of such actions. Both experts express the stance that continuous monitoring and rapid response mechanisms for ransomware are indispensable, whether managed in-house or outsourced.
Linda Karcanaj highlights the importance of around-the-clock security operations centre (SOC) monitoring and incident management, underscoring the necessity for vigilant surveillance and incident handling. Anastasiya agrees with the need for countermeasures and management strategies, demonstrating a positive sentiment towards these practices and implementation.
Regarding resource capabilities, outsourcing security operations is discussed as a viable option. Linda Karcanaj broaches the possibility of engaging external parties to manage and monitor systems when in-house capabilities are insufficient, with Anastasiya indirectly recognising this as a potential solution.
Although the sentiment towards outsourcing is neutral, it is considered a vital topic, reflecting the diverse cybersecurity strategies organisations might pursue based on their operational abilities and strategic preferences. In summary, the discussion between Linda Karcanaj and Anastasiya reveals a comprehensive perspective on the proactive and responsive strategies necessary for ransomware defence and the organisational frameworks that can be deployed to enhance cybersecurity resilience.
Their exchanges not only highlight the technical and tactical aspects of ransomware countermeasures and cybersecurity monitoring but also the operational choices facing organisations. They advocate informed and adaptable approaches in the ongoing battle against cyber threats. The positive tone in their exchange indicates an appreciation for well-structured cybersecurity frameworks, with an overarching consensus on the need for robust measures to protect digital assets and infrastructure in line with SDG 9’s goal of building resilient infrastructure and promoting sustainable industrialisation.
Linda Karcanaj
Speech speed: 119 words per minute
Speech length: 1186 words
Speech time: 599 secs
Report
In the complex landscape of a ransomware attack targeting a SaaS provider, the demarcation of cybersecurity duties is contingent upon the nature of the services rendered by the host. The scenario envisages two main roles for the provider: active SaaS delivery or merely hosting client systems on their infrastructure.
The discussion advances the premise that clients should bear the ultimate onus for securing their systems hosted by the provider. It underscores the importance of adopting a zero trust security architecture, where verification is mandatory for all seeking access to resources.
This strategy is imperative, especially when clients utilise the host’s infrastructure, as the responsibility for robust security practices falls squarely on the clients’ shoulders. It advocates for rigorous security assessments including the robust use of hosted services, strict controls on administrative account access, and the deployment of multi-factor authentication.
While clients are liable for the repercussions of an attack, they are not responsible for the cause of the attack itself. The summary conveys a critical incident management plan underscoring the necessity for the SaaS provider to communicate effectively with clients, enabling them to enact immediate isolation procedures to mitigate ransomware damage.
Drawing from actual incidents, the effectiveness of swift decisive actions, like system shutdowns to halt the spread of an attack, is highlighted. A vital point is the strategic function of Security Operations Centres (SOCs) in monitoring both on-premises and cloud-hosted systems to detect and counter all cyber threats.
The summary depicts SOCs’ active role in swiftly isolating ransomware infections to prevent wider infection, particularly through vulnerable directory services. Post-attack, the summary denotes the importance of forensic examination and recovery, showcasing successful collaborations with bodies like Microsoft’s cybersecurity teams.
It recommends exhaustive system reviews and clean-up operations in partnership with cybersecurity specialists to confidently reinstate secure services post-recovery. In summary, the text emphasises the paramount importance of robust cybersecurity protocols and the delineation of responsibilities between SaaS clients and providers.
It accentuates the implications of zero trust policies, the critical nature of timely communication during cyber incident responses, and the indispensable role of SOCs. This narrative stands as a testament to the intricate balance of accountability, vigilance, and expertise needed to safeguard digital infrastructure against ransomware threats.
Peter Marlen
Speech speed: 179 words per minute
Speech length: 251 words
Speech time: 84 secs
Report
Peter, voicing a prudent stance rooted in his relative inexperience in the field, opts for observation and attentive listening over leading the conversation. Nonetheless, he is prepared to contribute modestly with a perspective founded on a rational response approach. Peter highlights two fundamental responses to crisis management: technical and communicative strategies.
On the technical side, he emphasises the necessity for immediate, decisive action to contain unfolding adverse effects and to initiate recovery mechanisms. He implies that such responses are time-critical and rely heavily on the swift and resolved actions of those accountable.
Communicatively, Peter stresses the importance of transparent, strategic communication with all stakeholders, including different sectors, clients, affected authorities, and related parties. He infers that the level of communication can directly impact the control of reputational damage, presenting proactive engagement as a key strategic endeavour to uphold organisational integrity and maintain client trust.
Further, Peter examines the timeline of the crisis, signaling concern over a noticeable delay in acknowledging the problem, which spanned several days. He critiques the efficiency of the measures taken during this period, suggesting that it points to deficiencies in monitoring or a reluctance to respond—a notion that raises questions about the organisation’s crisis management and readiness to act.
In conclusion, Peter prompts a deeper conversation on the noticed delays, choosing not to delve further himself. Through his observations, he contributes to an essential discussion on proactive versus reactive responses in managing organisational crises. The connection he draws between the magnitude of a crisis’s impact and the organisation’s reaction highlights the importance of early detection and rapid response as indicators of strong security frameworks and crisis preparedness.
Rozalinda Stojova
Speech speed: 148 words per minute
Speech length: 318 words
Speech time: 129 secs
Report
Rosalinda, speaking from North Macedonia, underscored the importance of conducting an intricate security assessment amidst what appears to be a complex data-related complication. She pointed out the current lack of specific information regarding the situation, which hinders the ability to evaluate the significance of the potentially compromised data.
Emphasising the necessity for clarity, Rosalinda highlighted several critical questions to determine the severity of the issue: the intrinsic value of the data, the availability of backups, and the existence of an insurance policy to cover data losses. She suggested that a comprehensive assessment should incorporate a range of incisive queries to develop a thorough understanding of the threat landscape and the nature of the incident.
Rosalinda indicated that establishing a complete picture of the security stance is crucial for the creation of a bespoke response plan for the company in question, which she tentatively identified as either ComputerSoft or Tech Squared Solutions. The ambiguity surrounding the company’s identification underscores the need for precise confirmation to ensure accurate communication and appropriate action.
Furthermore, Rosalinda impressed upon the need for sharing extensive data and insights with any third parties involved or those who may be contracted to assist with the situation. Her view promotes the significance of transparency and asserts the value of outside expertise in resolving the data security incident.
She concluded by emphasising the chronological order of actions: conducting a comprehensive security assessment is the initial and vital step before progressing to subsequent strategies. Such an in-depth review is necessary to inform the direction of subsequent measures, highlighting the strategic nature required in response to the incident.
Rosalinda’s insights suggest an acknowledgment that the quality of the assessment, including the pertinent questions and their respective answers, is as vital to internal teams as it is to any involved cloud service providers. This notion exemplifies the complexities inherent in security assessments and the meticulous attention they require.
In summary, Rosalinda provided a lucid exposition on the need for a sophisticated security assessment in the face of a data issue that may potentially be grave. She underscored the necessity for a thoughtful and strategic preparation process, reinforcing the objective to manage data security risks and to implement a robust plan for data breach mitigation effectively.