Rating the STRATFOR Incident Response

Posted on 25 December 2011 by


Editor’s Note: The following article refers to response to a breach, not to the practices, procedures and decisions which led to the breach itself. 

After hearing my friend Rich talk on Twitter about the incident response by STRATFOR to yesterday’s Christmas Eve Breach, I thought I’d weigh in on what STRATFOR has publicly done. The reason is that, regardless of the problems that got them here – and as we’ve said before, everyone gets hacked – what they’ve been doing since the breach is very important.

First, as we stressed yesterday, if the firm had any compartmentalization issues – shoving classified information on public servers – it’s not come out yet. We have no reason to believe it will come out that this happened, but it’s within the realm of possibility.

To summarize, on Christmas Eve, the illegal hacking group AntiSec/Anonymous announced that it had taken down the STRATFOR server, and made claims about some 200GB of email, along with a private list of STRATFOR customers, and credit cards used to pay for the STRATFOR commercial intelligence services. These services are provided to individuals, businesses and government agencies, and the price starts at around $99 annually.

Yesterday evening, STRATFOR put out a quick email to its customer base saying, essentially, “Holy crap, we been Pwnz0r3d!”. But this was really good and fast action on STRATFOR’s part. In fact, they did very well. Look at this part:

We have reason to believe that the names of our corporate subscribers have been posted on other web sites. We are diligently investigating the extent to which subscriber information may have been obtained.

This is great: they took responsibility for investigating and scoping, and the implication is that, regardless of how it happened, STRATFOR was standing behind its customers. It’s cheap to do, but it means a lot and ultimately presents a potentially huge liability – they were clearly aware of this when they stated this.

Stratfor and I [George Friedman, its CEO and founder] take this incident very seriously. Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me. We are working closely with law enforcement in their investigation and will assist them with the identification of the individual(s) who are responsible.

This backs up the first statement, and also states they’re working with the cops. Frankly, the fuzz in this case will likely make some Potemkin arrests (see, Texas Law Enforcement IT Hit by Criminal Attack, Data Breach, and Metric of the Week: Smoke, Cyber Crime Fighting, and the 2012 FBI Budget) but it means that STRATFOR recognizes that the public nature of the breach leaves it with essentially no choice. That’s not the impressive part.

The impressive part is that it wasted no time getting to that decision, something which sometimes stumps even the most experienced executives and corporate counsels in the private sector.

Let’s look at what STRATFOR sent out today, with annotations by me.

On December 24th an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.

This is pretty good: yes, we admit the obvious, and go further to say that in fact, if you’re receiving this email, your credit card was likely taken along with the personal information you gave STRATFOR when you subscribed.

Also publicly released was a list of our members which the unauthorized party claimed to be Stratfor’s “private clients.” Contrary to this assertion the disclosure was merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription-based publications.

This sets the record straight from STRATFOR’s point of view, and clarifies the differences in tiered customers they have.

We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events. Details regarding the services to be provided will be forwarded in a subsequent email that is to be delivered to the impacted members no later than Wednesday, December 28th.

That’s pretty fast for any firm. Then again, as we said yesterday, if the credit card numbers on their server were (as has been reported) unencrypted, then STRATFOR has some serious liability issues, and they’d be idiots not to move quickly. Not encrypting stored credit card numbers is a breach of the First Commandment of the Payment Card Industry Data Security Standard – one of the few guidelines in that standard that is not woefully inadequate.

To ease any concerns you may have about your personal information going forward, we have also retained an experienced outside consultant that specializes in such security matters to bolster our existing efforts on these issues as we work to better serve you. We are on top of the situation and will continue to be vigilant in our implementation of the latest, and most comprehensive, data security measures.

Consultants are good (says the consultant), especially since they got some good ones. This (the recovery, not just the consultants) will cost the firm a bomb, and they must not shrink from this responsibility. One of the most important things that happens once the shock of a major breach ends is that companies go back and second-guess the decisions they made under fire, in terms of how committed they are to a solid security posture going forward. Sure, on the day everything is rushing out the door, everyone’s like, “Fix it! Fix it NOW, whatever it takes!”

But after a couple of weeks, when the sky has not fallen, some leaders start to wonder just how secure they really need to be, and whether they can cut back on what these consultants are saying is right.

Don’t fall into the trap. If your security hadn’t sucked in the first place, you wouldn’t have had those people running around your office at 3 am, and you certainly wouldn’t have called in those federal cops to help. Half measures (as has been noted elsewhere) get you nowhere.

Stay the course. When the second wave of stuff gets released (publicly or through criminal channels) you’ll be glad you went down the correct road.

So far, in terms of incident response and reaction by STRATFOR, we give them an A- for their pragmatic, realistic and timely approach. On Twitter, @rmogull counters,

I don’t think you hit an A if press confirms credit card exposure before you do. They are still doing well, but need to get ahead.

Which is a fair enough comment.

What do you think?