When Does An Incident End?
7–10–2023 (Monday)
Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, July 10th, and we’re looking at another chapter in the MOVEit saga: new vulnerabilities and new victims.
When Does An Incident End?
Let’s start with the numbers. As of this morning, we’ve got 247 known victims of the MOVEit attack, and 17.7M known impacted individuals.
Over the last week, we’ve seen lots of banks and higher education institutions announcing they’ve been impacted. This shouldn’t exactly be surprising, since those two industries in particular are heavy users of these file transfer appliances.
Interestingly, we’ve also seen at least one large financial institution shown as impacted by the Cl0p ransomware group but not making any mention of it publicly or to their customers. I’ll be curious to see if it continues to be handled that way, or if they eventually own up to it.
We’re also seeing breach notification notices going out that highlight the complexity of our modern supply chain - for example, Pear Tree Funds has notified victims that their transfer agent was impacted by a vendor, who was impacted by one of their vendors. We’re now at 4th party? 5th party? Regardless, we’re at a stage where it’s becoming very difficult to manage the risk this deep into the supply chain.
At the same time, we’ve also seen Progress Software announce three new critical or high severity vulnerabilities in their application. While they’ve made patches available, security researchers are continuing to investigate this application for weaknesses.
Applying these patches is a little tricky, because it depends on the state of the current patch version and other mechanics.
All of this raises a question that I think most companies have not paid enough attention to, which is formally deciding when an incident is over.
For those of you who haven’t gone through an incident - the urgency, the panic, the visceral and emotional elements are not to be discounted. It really does feel like an attack, and continuing to operate in that response mode will wear your team down faster than anyone would imagine. If there’s customer communication at that cadence, too, it becomes very difficult to manage expectations after that initial response phase.
Having clear benchmarks with regard to when an incident is concluded can help your team AND your clients return more smoothly to normal operations, but can also help free up your leadership team to get back to running their business.
It can also help provide clarity around the sort of issues we’re seeing with MOVEit and multiple vulnerabilities. If, for example, you were impacted by a threat actor exploiting one of these new vulnerabilities, it’s not helpful to lump them all together as the same incident, because they have different root causes, impacts, etc.
You don’t get to choose when an incident starts, but you do get to choose when it ends - and if you don’t choose, incidents have a tendency to hang around far longer than anyone would like. Do yourself the favor of defining what the end looks like, and help your team and your customers understand when you’ve reached that point.
Fundraising
We are starting Q3 fundraising off with quite a bang - turning in more than $25B in new capital commitments on the holiday week. Two big announcements are driving this, including Hellman & Friedman securing more than $20B for their 11th flagship buyout fund, and Atlas Partners putting up $4B for their 3rd flagship buyout fund.
If we pair this with the news around GTCR financing their nearly $20B spinout of FIS’ WorldPay unit - financing nearly half - then those two buyout funds could really go a long way if financing continues to become available.
You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.
Links
https://infosec.exchange/@brett/110690108705896804
https://thehackernews.com/2023/07/another-critical-unauthenticated-sqli.html
https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pack-July-2023
https://www.bloomberg.com/news/articles/2023-07-06/banks-line-up-9-4-billion-of-debt-for-gtcr-s-worldpay-takeover