In 2012, American agencies under the lead of SIFMA ran the first cyber-attack stress test on financial institutions on Wall Street.
One year later, it was repeated in London, with a broader approach and more detailed preparation. This stress test and its results are stunning. Everyone who deals with security should look at the scenario and ask whether their organization has an answer to the question it raises:
How would we behave, and how would we address all the issues that surfaced during the organized cyber-attack?
This is not something that affects only Wall Street or London City’s financial district. This scenario can hit every company in the world.
Since I recently won a prize in Germany’s largest IT magazine, CT, in a storytelling contest, let’s recount the tale of a cyber-attack war game in a novel way.
And since I am German (as SAP is), let’s assume the story takes place in SAP’s homeland, Germany, and Carl B. Max, the CEO of AUTOBAHN AG (“Fast is GOOD”), is still asleep in his home near his headquarters in Frankfurt am Main, Germany’s financial district.
The sequence of events that led to the disappearance of the German Autobahn AG:
At 6:00 AM, Twitter, Facebook and the German Autobahn forum “The Fast and the Faster” show the first posts: how bad the German Autobahn is, full of potholes, governed by too many speed limits, with too many traffic jams.
At 6:30, more serious posts and accusations are added: pictures of deadly accidents caused by potholes on the fastest parts of the autobahn. The idea of a class action lawsuit is mentioned.
At 8:00, the posts have piled up to a veritable shitstorm.
At 8:30, the Twitter and Facebook accounts maintained by the PR department of Autobahn AG have been hacked and are posting strange and bogus replies to the accusations. The impression that the accusations are being ignored and downplayed is imminent.
At 8:45, Carl B. Max, CEO of Autobahn AG, arrives at the office.
At 9:00, rogue high-frequency traders start an attack on the stock of AUTOBAHN AG. They short the stock within seconds to a level where regular trading algorithms, due to the high trading volume and dropping values, suddenly release stop-loss orders. This generates an automatic trading avalanche, resulting in a landslide in the price of the AAG stock.
At 9:30, social media are full of speculation about bad financial deals that threaten the future results of Autobahn AG. The PR account of the company spokesperson is hacked and false PR statements are sent to the worldwide press. Since nobody knows who was addressed and what was published, counteractions become difficult.
At 10:00, Carl Max calls for a press conference at the headquarters in the office tower at the “Frankfurter Kreuz” near the airport. He demands current financial statements from his CFO that he can present to the press as proof that everything is good.
In the middle of his calls, the telephone goes dead. A massive DDoS attack is launched against the VoIP-based telephone center. A special VoIP virus, dedicated to this equipment, eats its way through the Ethernet-based phone infrastructure. Only calls via mobile can be made. “Can’t be reached for comment” is the phrase of the hour.
At 10:15, the SAP system crashes. A restore from backup is necessary. IT detects that all tapes from the last 4 weeks are damaged, due to an error in the backup procedure. The SAN has stopped working because of damaged hardware.
At 10:30, the CFO finds out that all numbers in the SAP Business Warehouse systems are corrupt. It is unclear whether the backup contains non-manipulated figures.
At 11:00, the rogue high-frequency trading continues in London, after the London exchange has opened. The landslide in prices goes on.
At 12:00, Carl Max can’t present any reliable numbers to the press. The attack is not mentioned.
The plea to the large stock exchanges to suspend trading of the stock is not granted, since AUTOBAHN AG can’t present any figures as proof and no one can be reached to comment on the incident.
At 15:00, the NYSE on Wall Street opens. The rogue trading leads to a suspension of trading when the company value hits one cent and the stock is rated as a penny stock.
At 17:00, when the German Stock Exchange in Frankfurt closes, Deutsche Autobahn AG is “pleite”, bankrupt.
Do you think this is not for real?
Fiction? You wish, but it is real-life truth. Every single point of this cyber-attack has already happened. Some of them are even common threats, like manipulation of social media or high-frequency trades. Ever thought about how reliable VoIP is, or how vulnerable a Microsoft Lync Server is? Especially in a corporate environment?
Some of them are recent developments, like the new “attack vector” of manipulating BI cubes with the intent to lead the hacked company to false decisions.
And the backup? Guess how often I have seen this happen in 20 years? More than you would think, and it was always an internal problem of sloppy backups, not even a hacker’s attack.
In the end, Quantum Dawn recommended, first and foremost, establishing fast, clear and direct communication about attacks. Don’t keep such an attack secret. There must be internal and external (governmental, if this is a broad attack) communication channels that react within minutes. These attacks may be criminal, but given the worldwide state of politics, such an attack can even be initiated by governments as part of global warfare.
And you need an alert IT team that can counter this threat in unison.
Really, think of the company you are in: Who would you call if you saw an attack on an SAP system? And who can respond immediately?
Deloitte, as an audit company, was part of the cyber trial. Here are their findings
And a great video on it, also from Deloitte: Cyber Security. Evolved.
And also check my first blog in this series of security papers: THINK Security: Towards a new horizon