The Akamai Blog

Quantum Dawn and the Need for Testing in Security Incident Response

Last night I watched an On Demand episode of The American Experience titled Blackout, which recounted the 1977 power failure in New York City and its lasting impact on the city due to widespread looting and destruction. With the power completely out, the operators at Con Ed got to work restoring power using a manual that was last updated after another massive blackout - in 1965.

Of course that 12-year-old manual didn't work, and the power operators had to improvise on the fly, restoring power late the next day. But the damage was done.

This got me thinking about Quantum Dawn 3 and the need for regular testing of cyber security incident response plans, especially in financial services.

What is Quantum Dawn?

Quantum Dawn is a series of cyber attack exercises organized by the capital markets industry in the U.S. over the past few years. The objective is to test crisis response and communications in the event of a cyber attack against the industry. Quantum Dawn 1, in 2011, was a pure tabletop exercise involving 30 firms. In 2013, Quantum Dawn 2 expanded to about 50 firms. And this year, Quantum Dawn 3 will be held, with an even greater number of firms expected to participate. These Quantum Dawn exercises are perhaps the largest cyber attack simulations of their kind within the industry.

And for the first time this year, Akamai will be participating in Quantum Dawn.  We will be playing with some of our banking customers, simulating cyber attacks such as denial of service attacks or other scenarios.

Why Test?

Testing cyber incident response with our customers is not new - we do it frequently. And we encourage our customers, and others in the financial services industry, to do likewise.

  • Attacks are getting worse.  Akamai reported a 117% increase in the total number of DDoS attacks in its Q1 2015 State of the Internet Security Report.
  • Attacks are getting easier.  Also reported by Akamai, "Just as concerning, the menu of easy-to-use attack vectors found in the DDoS-for-hire market makes damaging attacks available to inexpert attackers."
  • DDoS extortion is on the rise.  The FBI's Internet Crime Complaint Center (IC3) has reported a sharp increase in the number of extortion campaigns against companies, and financial services firms are popular targets. Akamai has been tracking and reporting this threat since 2014.
  • Your Run Book is out of date.  Organizations undergo continual change.  InfoSec and Incident Response teams, as well as IT operations and application owners, are continuously changing in most companies.  Computer security incident response playbooks likely have incorrect contact numbers and other out-of-date information.
  • Your Board expects it.  You've made the investment in DDoS and cyber security defense technology, and your management expects that it will work.  But we all know that there is no perfect cyber security defense.  Periodic testing demonstrates that you are always working to improve your defenses, your response, and your technology.

Are you Ready to Play?

How would your firm respond to the following incidents?

A reporter from Bloomberg just called your company.  They have a verified source stating that your company had a data breach, exposing the personal information of over 20 million customers.  They will be running a story in 20 minutes and are asking you for a statement.  How will you respond?

Your call center is receiving a large number of calls from customers reporting that your web site has been defaced.  Others are calling in reporting that your mobile banking app is not working.  Both the web site and mobile app seem to be working fine from within your bank.  What is your incident response?

These are the types of scenarios that attack simulations such as Quantum Dawn can exercise. For the above examples, think of how many people, in how many departments, in offices and time zones perhaps around the world, would be required to respond to these. It's not just a matter of restoring your services, but of how you will properly respond to your customers, your employees, your board, and your regulators.

Like disaster recovery drills, cyber security exercises are not simple, but they are necessary. Regular testing and exercises will improve your odds and help your firm avoid that next blackout.

1 Comment

Very nice blog. Security always needs to be considered in relation to a specific threat. Depending on who you are trying to hide from, and how much they want to find you, achieving anonymity may be fairly simple or incredibly difficult.