Do you remember the scene from The Empire Strikes Back where the Millennium Falcon is trying to escape an Imperial Star Destroyer? Han Solo says, “Let’s get out of here, ready for light-speed? One… two… three!” Han pulls back on the hyperspace throttle and nothing happens. He then says, “It’s not fair! It’s not my fault! It’s not my fault!”
Later in the movie when Lando and Leia are trying to escape Bespin, the hyperdrive fails yet again. Lando exclaimed, “They told me they fixed it. I trusted them to fix it. It's not my fault!” In first case transfer circuits were damaged, and in the second case, stormtroopers disabled the hyperdrive.
Ultimately they were at fault; they were the captains of the ship, and the buck stops with them. It doesn't matter what caused problems, they were responsible; excuses don't matter when a Sith Lord is in pursuit.
I am seeing a trend where breached companies might be heading down a similar “it’s not my fault” path. Consider these examples:
- Community Health Systems breached by an APT – "The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems." Source: Form 8-K
- Apple iCloud victimized by a targeted attack – Apple released the following statement: "After more than 40 hours of investigation, we have discovered that certain celebrity accounts were compromised by a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet. None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone. " Source: Apple Media Advisory
- Sony's scorched earth intrusion – Much of what we are seeing in the media is highly speculative, but we Sony has made this statement; “The investigation continues into this very sophisticated cyberattack.” Source: New York Times
Stating that you experienced a [Targeted attack, Advanced Persistent Threat, Sophisticated attack, State Sponsored Attack] doesn't absolve you from responsibility for the incident. Let's not forget targeted attacks are only as sophisticated as they need to be. Remember this line from the 2013 Verizon DBIR: "Would you fire a guided missile at an unlocked screen door?" You don't often see companies saying they experienced a commodity breach or script kiddie intrusion do you? No of course not. Could you have stopped the initial intrusion, perhaps not, but when you hear that an adversary was on a year long shopping spree in a company's environment, it raises questions. In some cases, organizations could be seeking to paint a false picture that they were powerless to stop the adversary and somehow less responsible for the attack. This just isn't the case.
When it does come to breach responsibility, be glad that Lord Vader isn’t the Chairman of your Board of Directors. "Apology accepted, CISO Needa."