Seated at a row of computers inside IBM’s new office in Kendall Square in Cambridge, Mass., an unsuspecting employee has just clicked a malicious link in an email that has turned him into the latest victim of a pernicious phishing attack.
It’s an old story. The details are the only thing that change. Sometimes, the outcome is big enough to swing a presidential election (the DNC attack). This time, though, the damage is contained, because the attack was a controlled experiment.
The company it hit isn’t a company at all — it’s a simulated Fortune 500 environment inside the company’s new X-Force Command commercial cyber range.
Comparable to something like a gun range, where marksmen go to sharpen their skills and improve their aim, IBM built this — as well as an affiliated data center with almost a petabyte of data running there — to make a point. Even as we bring 2016 to a close, a year that’s seen not just a wave of high-profile cyber attacks but attacks unprecedented in scope; with no less than the president announcing sweeping actions in recent days in response to Russian election-related hacking; the eye-poppingly large numbers of victims associated with massive hacks at Yahoo; and on and on it goes — even still, says IBM Security vice president Caleb Barlow, too many security professionals and business executives remain woefully unprepared to deal with a breach.
For context: an IBM analysis released in recent days found that the volume of spam emails containing ransomware exploded this year, with a 6,000 percent increase over 2015. And that in 2015, less than 1 percent of all spam included ransomware, while this year, that figure jumped to almost 40 percent, according to IBM.
“Most organizations aren’t prepared to respond, to be resilient in the face of a cyber attack,” Barlow tells BGR. “Most don’t even have a base-level plan.
“This isn’t any different to how you plan for a fire. Not only do you need fire hoses and a fire alarm to prevent one in the first place, but when it does occur, you need a plan for evacuation routes and how the fire department will respond. We need that same virtual binder on the shelf for what to do in the event of a cyber attack.”
Thus, IBM’s launch of its test center of sorts, where external professionals and executives can be brought in and sat down at work stations resembling a real office environment.
It’s got room for 36 operators. Activity happening around them includes normal office hubbub. Emails are being exchanged. Customer orders are being processed. (All of it fake.)
“Think of it this way,” Barlow says. “Much like a pilot would train in a flight simulator, it is a full-simulation environment to simulate all aspects of a cyber security breach. And that includes everything from the technical aspects of trying to prevent the bad guys from breaking in to identifying where they’re coming from and what tools and techniques they’re using to the softer skills, if you will. The skills of being resilient after your breach and knowing how to respond. How to deal with regulators, how to deal with law enforcement, how to deal with unhappy customers. It’s an opportunity to exercise all those skills, including the leadership-in-crisis skills that are required to respond and keep your business operational.”
It also represents, among other things, a major expansion of and investment in IBM’s incident response capabilities, to the tune of $200 million made in 2016.
Those investments include a new global security headquarters in Cambridge — which includes the cyber range — as well as expanding the capabilities of its global network of IBM X-Force Command Centers.
IBM says those now handle more than 1 trillion security events each month and are staffed by 1,400 security professionals.
In announcing the launch of the cyber range, IBM cited a new Ponemon Institute study on Cyber Resilience, sponsored by IBM, which found that 75 percent of IT and security professionals surveyed say their organization lacks a robust incident response plan. And regulators are waking up to that. In the UK, companies in 2018 must start reporting data breaches to regulators within 72 hours or risk costly fines.
The headlines keep surprising us. Companies keep getting hacked. People keep clicking that email link they may have briefly hesitated over.
And because companies aren’t always prepared when the parade of horribles from those occurrences kicks in, IBM wants to put them through the paces.
“If you think about your average C-level executive, they don’t have many decisions they need to make in an instant that have far-reaching ramifications,” Barlow says. “So this gives an opportunity to put them under some pressure in a very realistic environment and give them the ability to learn new skills and test the ones they have.
“We have a variety of different scenarios we can run depending on the skill level of those in attendance. As an example, it might start with a phishing email and somebody gets infected. The bad guys elevate their credentials, get access to data, exfiltrate that data, maybe it gets posted on the internet someplace, maybe law enforcement finds it and they call in — all these things start to unfold and your objective is to try and stop it. And we’re going to give you some tools and techniques to do that.”
But participants also are reminded that a typical company isn’t being attacked in just that one way. They’re being attacked in multiple ways, so part of the trick is to figure out where to prioritize your time and attention.
Continues Barlow: “One of the most popular things in the range is the interaction we do with media. After the breach has occurred, you’re going to need to issue a statement and get in front of a reporter. And that reporter’s going to ask you some very difficult questions. This is all done in a way that’s so realistic, you’d never know this isn’t a real reporter.”
One day, though, it will be. And so the training inside an otherwise normal looking office setup in a normal Massachusetts city continues, the participants and overseers hopeful of avoiding the inevitable — and, meanwhile, probing their own limitations for when they don’t.