A case study of a municipality phishing attack measures - towards a socio-technical incident management framework Grethe Østby 1, Stewart James Kowalski 1 1 Norwegian University of Science and Technology, Teknologiveien 22, Gjøvik, Innlandet, Norway Abstract During the Corona-crisis, the number of data breaches and hacking increased rapidly. For some organizations it was difficult to handle both the Corona-crises and such attacks. A decision made to prevent this overload of crisis, happened in Gjøvik municipality, where they closed their email-system and shut down macros in their applications to prevent an overload situation. In this work-in-progress paper, we have analyzed their decision in a combined socio-technical and crisis management context and suggest such framework to do analysis and make right decisions to prevent data breaches and other organizational cyber-crimes from succeeding, but also to prevent an overload of crisis situations at the same time. Keywords 1 Incident management, Data breaches prevention, Cyber-attack prevention, Socio-technical analysis, Crisis management analyses, SBC-analyses, NIST-analyses. 1. Introduction Recent studies in Norway show that cyber-attacks on organizations are increasing both in quantity and in scope [1]. The results also suggest a clear shift from attack on machines to attack on humans. The Norwegian Parliament was subject to such a social engineering attack in August 2020 [2], [3]. A spear phishing attack against several email-accounts took place. In the Parliament several technical measures had been previously implemented, but new social engineering attack approaches circumvented them. Social engineering attacks were also performed against other levels of government in the first period of the Covid19 pandemic (Corona crisis), including a number of Norwegian municipalities [4]. To prevent such attack from succeeding, Gjøvik municipality decided to stop all emails with word, excel and pdf attachments until they could gain control over these type of attacks [5]. By sandboxing these types of attachments, the municipality thereby limited the opportunity-curve as presented by Kowalski in [6] pg. 57 (socio-technical control capabilities over time). However, since the criminal opportunity curve demonstrates that attack methods often out pace control methods it is unclear how this control method will protect Gjøvik municipality, especially if the number of attempts to data breaches will increase in the same rapidly way as it did during the Corona crisis. In this paper we present the decision made to deal with the social engineering attack method by Gjøvik municipality in a socio-technical context, and further investigate if such controls can lead to a combined crisis management and socio-technical action framework to prevent attacks. After the introduction we present the background in section 2, before presenting relevant literature in section 3. The research approach is presented in section 4, before presenting the case with interviews and analyzes in section 5. Finally, in section 6, we conclude and suggest future research based on our study. Proceedings of the 7th International Workshop on Socio-Technical Perspective in IS Development, October 14–15, 2021, Trento, Italia EMAIL: grethe.ostby@ntnu.no (A. 1); stewart.kowalski@ntnu.no ORCID: 0000-0002-7541-6233 (A. 1); 0000-0003-3601-8387 ©️ 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). CEUR Workshop Proceedings (CEUR-WS.org) 32 2. Background In the Dark numbers survey from 2020 [1], results showed that 28% of the cyberattacks were targeting public administration. The same study found that data breach and hacking still was the most reported attack. In 69% of the incidents, strategic management was involved, and 56% reported that they in the aftermath of the attack had made changes in their policies. However, only 11% reported the attack to the police, despite the police’s recommendations to do so [7]. This might be a consequence of the fact that only 44% of the population do not think the police can help them with investigation of such cases [8]. As a number of publicly known cases also are dismissed by the police (e.g. the attack against Helse Sør-Øst [9]), and 40 out of 44 such cases in Oslo in 2016 were dismissed by the Oslo police district [10]. We suggest that since the majority of cases are dismissed by the police there is a need to support competence development for cybersecurity incident management at the municipal level. Additionally, we suggest that the Norwegian laws and regulations on crisis management move the responsibilities away from crime reports and crime handling by the police over to the different organizations (like the municipalities). “The Norwegian law concerning the municipality's emergency duty, civilian preparedness and the Civil defense organization outlines the municipality's responsibility to analyze and make emergency preparation based on risk and resilience in their geographical designated area” [11]. “The municipalities would set up prepared societal emergency work that will 1) protect the population and contribute to uphold critical infrastructure, 2) give an overview of knowledge and awareness of societal critical challenges and what effect these challenges would have on the society and communities, 3) reduce risk and vulnerability through preventive work, and 4) ensure good emergency preparedness and crisis contingency” [11]. Moreover, due to the responsibilities outlined above, the municipalities in Norway are mostly self- assurance organizations, that is, they must pay for damages from their own budget. This may also lead to more focus on prevention than if they held normal type of insurance. For the municipalities to respond to cyber-crime, the understanding of the cyber-attack business is essential. Huang et. al. (2018) outline the cyber-crime business in a value-chain perspective. The primary activities in the mentioned value-chain perspective are 1) vulnerability discovery, 2) exploitation development, 3) exploitation delivery and 4) action, which can be directly translated to the adversary of an incident response process. In this paper we approach the challenges of the cyber-attack business – with an adversary incident response framework combined with a socio-technical analysis framework which take the municipality societal responsibility and challenges into consideration. 3. Relevant literature Crime science has traditionally studied incidents, not persons [13], and has a number of conceptual frameworks like 1) the rational choice perspective, 2) the routine activity approach and 3) the crime patterns theory, which all tries to explain incidents to prevent or control crime and disorder [13]. However, the studies are usually based on target studies, geographical surveys and case studies based on happened incidents, and does not analyze initiated prevention steps with no incident outcome. Additionally, crime science does not often take into consideration how response to crime may minimize the crime outcome. In this paper we therefore suggest to use incident framework like [14] to get a broader approach to crime prevention and crime response and recovery. Numerous opportunity reducing techniques are suggested in crime science [13]. These opportunities are however systematized to increase effort and risk, to reduce rewards and provocation and to remove excuses [13]. As cyber criminals in addition to targeting private persons also target organizations, several societal, organizational, cultural, methodological, and technical analyses are not taken into consideration in the traditional cyber-crime prevention framework mentioned. In this paper 33 we therefore suggest a socio-technical analysis framework in combination with the an incident framework. The “objective of socio-technical design has always been the joint optimization of the social and technical system” [15], and the early motivation for developing socio-technical theories was initiated by the desire to improve industry-workers stationary and repetitive job situation [15]. In this paper our motivation is to close the socio-technical gap in crisis management handling, and to create a framework to support those in the situation of making crisis decisions. We do not try to create a new socio-technical model, instead we will combine a traditional dynamic socio-technical approach, proposed by Leavitt in 1965 and modified by Kowalski in 1994 [6], [16] with the static Security-by-Consensus model as presented by Kowalski [6] to analyze the case mentioned. Leavitt’s model of organizational change comprises four concepts tightly connected to each other – people, task, structure, and technology. The modified Kowalski model also consists of four concepts, culture and structure on the socio site and methods and machines on the technical site. Kowalski’s model is presented in figure 1: Fig. 1. Socio-technical approach [6] In an organization, there will be several stacks (like in the SBC-model mentioned) to consider when to perform socio-technical analysis. Each of the stacks has it own socio-technical performance [6], and to analyze a case like the one we present in this paper, all stacks would need to be analyzed to find these socio-technical performances. Such a framework was suggested by Kowalski [6], and is presented in figure 2. 34 Fig. 2. The Security by Consensus model in a socio-technical context [6] When analyzing the organizations prevention performances in such socio-technical context, we suggest one would need to combine it with the crisis management responsibilities as mentioned in the background. In 1994, Kowalski suggested that this model should be implemented to support a day-to- day emergency response [6]. Kowalski’s original suggestion is presented in figure 3. 35 Fig. 3. SBC Model suggested to support a day-to-day emergency response [6] The information shared, escalated, and de-escalated (and adapted) on each layer in this model (figure 3) is in need of being accurate and efficient. Turoff et. al. [17] present a dynamic emergency response management information system to improve information flow. The suggestion is more of a top-down approach, thereby socio-technical semiotics like presented by Piccolo et. al [18] is better for considering information flow in necessary crisis communication. However, Piccolo et. al does not consider the practicalities of what should be considered on which layer in the organizational semiotics. Thereby we suggest using established incident response systems to support information sharing and to have the same information sharing approach on all layers involved in an incident. In ongoing teaching and research on management at the Norwegian Cyber Range (NCR)/Norwegian University of Science And Technology (NTNU) [19], [20], we are targeting management responsibilities and incident response using the NIST-framework. The American National Institute of Standards and Technology (NIST) provides organizations with a structure for “assessing and improving their ability to prevent, detect and respond to cyber incidents” [14]. The framework consists of 5 stages, 1) Identify, 2) Protect, 3) Detect, 4) Respond and 5) Recover. The framework is presented in figure 4. 36 Fig. 4. NIST Cyber security framework [14] By the nature of the case, we present in this paper, we will focus on the identify, the protect and the detect phases of the framework, but also outline the consequences in the respond and the recovery phases. 4. Research approach In this paper, we approach the crime prevention challenge by using the design science research in information systems (DSRIS) [21]. Design science research (DSR) is a methodology which can be conducted when “creating innovations and ideas that define suggestions through the development process of artifacts which can be effectively and efficiently accomplished” [21]. How to work on DSR is presented in a thesis written by G. R. Karokola [22]. He visualized this approach as outlined in figure 5. However, logical formalism in figure 5 is in our research modified with an inductive approach instead of abductive approach used by Karokola. 37 Fig. 5. Design research methodology – modified from abduction to induction [22] As visualized, we have approached the study by what can be referred to as an inductivist approach (instead of abductive or deductive). The inductivist approach starts by first observing a phenomenon and then generalizing about the phenomenon which leads to theories that can be falsified or validated [6]. We have presented the problem by a prevention decision case in Gjøvik Municipality and performed a socio-technical analyze using the SBC model in a socio-technical context (see figure 2) combined with the NIST crisis management framework (see figure 4) to present information from interviews with the decision-makers in Gjøvik municipality. Our suggested combination framework is presented in figure 6. 38 Fig. 6. A socio-technical and risk-management root cause analysis framework We conducted interviews with two of the four people involved in the decision, and the interviews were conducted as open interviews [23] where the participants freely could tell their perception of the situation and decision. We followed up with a few control-questions about crisis management and socio-technical thinking based on what was already told by the participants. Due to integrity issues, no quotes are presented in this paper. The participants were given the possibility of proof-reading the final written case-text to ensure that the content was correct before we started up with our analysis. As our proposed artifact is a combined risk-management and socio-technical framework to prepare for cyber-attacks, we suggest that this model can be generalized after validation in case-studies in other organizations. 5. The case of Gjøvik Municipality prevention decision – a socio-technical and risk-management root cause analysis After municipalities on the Hedmark-site of the Inland county in Norway was attacked by virus via phishing attack [4], the BAG-group (decision and recommendation group) in the IT-department in Gjøvik Municipality decided to escalate their prevention suggestion to strategic level in the Municipality. The suggestion contained several measures, like 1) to block macros from word, excel and ppt documents, 2) to block internals from sending and receiving emails with word, excel and ppt- files, and 3) to close down all incoming and outgoing emails all together. The suggestion was successfully accepted with immediate effect. The internal blockage lasted for a few days, and the external blockage lasted for proximately 14 days. At this stage no cyber-attacks against the Gjøvik municipality had been discovered. During the blockade, the municipality implemented sandboxing of word, excel and ppt-files attached to emails, where all the files would be opened and controlled in the sandbox before the email could be passed on. 39 The IT-department in the municipality participate in a diversity of fora for information security (like Athea2 and NorCERT3) together with amongst others the mentioned municipalities affected by the virus. It was in these fora they were informed about the content of the attacks, and it was the format of the phishing-attack with macros for reuse of internal emails which were analyzed to be the alarming threat. Knowing the internal status on clicking on links the group who decided the measures where confident in their decision (the municipality had already had two phishing attack tests amongst their employees, executed by students from NTNU, where both tests ended up with proximately 10% of the employees clicked on the links in the emails). The crisis management was not involved in this situation (as the crisis had not yet happened), but the escalation process routine in the municipality was followed: When the IT-department would have to affect the daily routines in the municipality organization, strategic manager in line shall be involved. 5.1. A socio-technical and risk-management root cause analysis framework. Even though the mitigation measures in Gjøvik municipality first and foremost were executed in the identify and protect phase of a possible data breach, we argue that the consequences in the detect, the respond (e.g. the implementation of the sandbox) and the recover phases were considered. Especially due to the increased number of cyber-attacks during the Corona-crisis. The Corona-crisis itself requires vast crisis management work, and another crisis on top of the ongoing crisis could have affected the organizations capabilities to handle (respond to) the situation, and the recovery could have been very difficult. In this section we present steps of the combined NIST framework and socio-technical framework presented in figure 6. We have chosen to pesent the Identify-phase of the NIST-framework applied to the socio-technical analyses of the Gjøvik decision in a detailed context (section 5.2) and outline overall importance of similar analyzes for the other NIST-phases in the next sections (section 5.3 – section 5.6). 5.2. The socio-technical root-cause analysis to IDENTIFY the situation In this section we present the socio-technical analysis (culture, structure, methods, and machines) of each stack in the SBC-framework framework suggested, on how the municipality identified and could identify vulnerabilities in the stacks. There is a strong culture for considering ethical questions in Gjøvik Municipality. In this case, one could have identified that the cost of closing the email-accounts would be too large to do this job, but the internal culture accepted the beneficial arguments to be more important. It could have been identified ethical concerns on the methodology to execute the cut-off, but there were no hidden agendas, and information about the decision was outlined in public (Facebook), which the local newspaper also put forward. The possible draw-back identified on the ethics of the situation was for how long the systems would-be put-on hold. There was no clear timeline on the implementation-phase of the sandboxing in the machines, and thereby important emails to the municipality could have been blocked. One could also question whether the crisis management group should have been involved all together. The decided structure 2 https://www.atea.no/ 3 https://nsm.no/fagomrader/digital-sikkerhet/nasjonalt-cybersikkerhetssenter/ 40 for decisions were followed, but due to the high crisis-risk of the decision, one ethical consideration could have been to involve the crisis management. The political direction in the Norwegian municipalities is put forward every fourth year, and one political priority in Gjøvik municipality is to be a university city, and as the Information security environment in the University is one of the prioritized areas in the University, so it has also become in the municipality. This is proven by the municipality welcoming students to do tests and write studies in the area. The political culture may therefore influence the culture within the organization, and thereby it might have been easier to take the decision. The legal aspect due to the crisis management responsibility suggests that the decision is owned by the municipality and cannot be argued unless the decision is violating any other laws. One may even argue that not taking the decision could have violated the responsibility [24]. To implement the sandboxing system would thereby be according to the law mentioned. The structure of the escalation routine starts normally at helpdesk if abnormalities occur. The on-duty system responsible would, if necessary, gather the BAG-group, which would consider involving the strategic manager. The strategic manager would eventually consider gathering the crisis management group, and necessary decisions would be taken at the proper stage for the case at hand. One has therefore identified that the culture for escalation is a bottom-up approach, where the operational organization outline recommendations to (in this case) prevent the situation. With the bottom-up culture described, a great deal of trust is also put on the operational organization to identify the right decision and execute the decision. Their suggested method was to block emails and macros from files, and when doing so, implement sandboxing before opening the systems again. The implementation was finished within two weeks. 41 As much as the municipality is dependent on using their email- system, word, excel and ppt, they still identified that they have an internal culture in the organization to set aside the applications for this period. This is proven right from the fact that there have not been any public critical comments on the decision. If there has been any internal critique, they also had identified the decision to live with such critique to be right. To make the applications unavailable to the organization may have postponed important necessary written work, but they identified the internal and external structure and culture of information would prevent such critique. The operative systems in this situation are well known systems, and the decision they identified to close all macros on these systems would make the applications unavailable for a short amount of time (prox 3 days for the internal users). The same identified issues on culture, methods and structure as described for applications was analyzed, and in this case had the same outcome. To protect the hardware from the virus, the identified implementation of sandboxing was essential. The method chosen was suggested from the information security fora’s the municipality is a part of. One may therefore say that there is a good culture for collecting knowledge from external expert groups. As previously mentioned, the municipality is self-assured, and this could also be an important impact identified for making the decisions they did. A costly investment in hardware would not have been desired in an already pressured financial situation (because of the Corona-situation). In the following sections we outline how socio-technical findings would be important in the other stages of the NIST-framework, but we do not go through all stacks in the socio-technical SBC framework. 5.3. Update on risk-and resilience analysis to PROTECT from data breaches and hacking A part of the outlined regulations [25] and municipality guidance’s [26], is to regularly update risk- and resilience analysis as a baseline for the emergency (contingency)-plans in the organizations. The organizational structure in the municipalities for update is all set, but the methodology is often to do an update every other year, and thereby cases like the one described in this paper might be forgotten. The 42 case would be a sub-issue but would have been a good example to use for deciding what culture, structure, methods, and machines would be necessary to protect the organizations from such attacks, using the SBC-model to explain the risks in the different stacks. 5.4. Emergency and contingency plans to DETECT similar data breaches and hacking In the municipality guidance [27], it is suggested to have emergency and contingency plans on both strategic and sectoral levels in the organization. For the municipality IT-department, it would be wise to do a socio-technical analysis as described on a diversity of Information security issues (like those described in [1]), and make relevant emergency and contingency plans relevant for all issues. 5.5. RESPOND to data breaches and hacking The respond to and escalation in an attack as described would vary by the severity of the attack, but like in the Hedmark-municipalities situation [4], managing the Corona-situation was already heavily burdening the municipalities crisis management team, and they were concerned that the impact of simultaneous crisis was emerging, and also ethical considerations were necessary to consider. Even political priorities were under discussion in the situation mentioned. Information from the Information security fora could also have been relevant to prepare for handling such situations, and in this case, it could be an important foundation for the decision Gjøvik made. 5.6. Update on Information security policy in RECOVERY phase data breaches and hacking In a situation with several ongoing crises at the same time, the recovery phase can take more time than usual. To use time on recovery from such a situation and do the proper socio-technical analyzes as suggested in this paper, could take too much time from other ongoing crises, and could be set aside (and forgotten) before the next crisis occurs. It would therefore be important to establish the framework as part of the deviation report, to be able to collect the analyzes for later recovery [6, chap. 13]. 6. Conclusion and future research In this paper we have discussed the Gjøvik Municipality decision case in a combined socio- technical and risk-management root cause analysis framework. We suggest that the combination of the two frameworks (the SBC-model/Kowalski model and the NIST-framework) outline first and foremost a good analysis framework to prevent data breaches and hacking from happening, but also to be able to prepare for the respond and the recovery phases. Our plan is to invite other municipalities in testing the framework, to see what impact such framework could have on incident management in organizations affected by such attacks. We have only tested the SBC-model combined with the Kowalski-model, as part of the socio- technical analyses. One may suggest that other socio-technical models could be more suitable in combination with the NIST-framework, and such could be tested to validate and possibly figure out the reliability of our suggested framework. Other incident response frameworks than the NIST-framework might also be relevant to test for combination with socio-technical models, and this needs to be further tested in other studies. First however, we need to test if our suggested model in this paper can be applicable in other case-studies. 43 Organizational semiotics are argued out of this paper but are suggested to have a great impact on emergency responses. Mentioned dynamic emergency response management information system (DERMIS) like presented by [17], and a socio-technical semiotic approach to build community resilience, like presented by [18] will be an important part of the future test and research of combining socio-technical and incident response tools. 7. Acknowledgements We would like to give our special thanks to Gjøvik municipality, which gave us the possibility to do interviews with involved parties in the decision. Our plan was to interview relevant parties on both strategic, tactical, and operational levels in the organization, but the tactical head of the IT-department was disabled from participating. We would, however, give our special thanks to the participant from the strategic management group and the participant from the operational IT-department and member of the BAG-group, for being able to participate in interviews in a hectically period of the Corona-crisis situation. 8. References [1] The Norwegian Business and Industry Security Council, “The dark numbers survey 2020,” 2020. [2] T. Bie, “Stortinget hacket: – Krise,” ITAVISEN, 2020. [3] J. Gilbrandt and M. Rønning, “Omfattende IT-angrep mot Stortinget,” dagbladet.no, 2020. [4] A. Krantz, M. F. Børresen, T. I. Hagen, and A.-K. Mo, “Dataangrepet: Kan skade korona- beredskapen,” nrk.no, 02-Sep-2020. [5] M. B. Staveli, “Gjøvik stopper e-poster med vedlegg etter hackingskandalen,” oa.no, 2020. [6] S. Kowalski, “IT Insecurity: A Multi-disiplinary Inquiry,” Stockholm University, 1994. [7] Politiet, “Datakriminalitet,” www.politiet.no, 2020. [Online]. Available: https://www.politiet.no/rad/datakriminalitet/. [Accessed: 14-Nov-2020]. [8] NorSIS, “Nordmenn og digital sikkerhetskultur 2019,” 2019. [9] Digi.no, “Henlegger saken om dataangrepet mot Helse sør-øst,” digi.no, 05-Dec-2018. [10] R. A. Njie, “Kripos advarer: – Stor økning i datakriminalitet,” nrk.no, 03-Apr-2017. [11] G. Østby and B. Katt, “Cyber Crisis Management Roles – A Municipality Responsibility Case Study,” in Science and Technology in Disaster Risk Reduction in Asia, 2019, pp. 168–181. [12] K. Huang, M. Siegel, and S. Madnick, “Systematically Understanding the Cyber Attack Business: A survey,” ACM Comput. Surv., vol. 51, no. 4, p. 36, 2018. [13] P. Hartel, M. Junger, and R. Wieringa, “Cyber-crime Science = Crime Science + Information Security,” Inf. Secur., pp. 1–55, 2011. [14] K. Scarfone, T. Grance, and K. Masone, “Computer Security Incident Handling Guide,” 2008. [15] E. Mumford, “The story of socio-technical design: Reflections on its successes, failures and potential,” Information Systems Journal. 2006. [16] H. Leavitt, “Applying Organizational Change in Industry: Structural, Technological, and Humanistic Approaches.,” in Handbook of organizations, J. G. March, Ed. 1965, pp. 1144– 1170. [17] M. Turoff, M. Chumer, B. Van de Walle, and X. Yao, “The design of a Dynamic Emergency Response Management Information System,” J. Inf. Technol. THEORY Appl., vol. 1, no. 1, pp. 253–292, 2012. [18] L. Piccolo, K. Meesters, and S. Roberts, “Building a Socio-technical Perspective of Community Resilience with a Semiotic Approach,” Proc. 18th Int. Conf. Informatics Semiot. Organ., vol. 527, 2018. [19] NTNU, “The Norwegian Cyber Range,” 2019. [Online]. Available: https://www.ntnu.no/ncr. [20] NTNU, “IMT4115 - Introduction to Information Security Management,” 2021. [Online]. 44 Available: https://www.ntnu.edu/studies/courses/IMT4115/2021/1#tab=omEmnet. [21] W. Kuechler and V. Vaishnavi, “A Framework for Theory Development in Design Science Research: Multiple Perspectives,” 2012. [22] G. R. Karokola, “A framework for Securing a-Government Services, The case of Tanzania,” Stockholm University, 2012. [23] D. L. Driscoll, “Introduction to Primary Research: Observations, Surveys, and Interviews,” in Writing Spaces: Readings on Writing, 2011, pp. 152–174. [24] Justis- og beredskapsdepartementet, “Lov om kommunal beredskapsplikt, sivile beskyttelsestiltak og Sivilforsvaret (sivilbeskyttelsesloven).” Norwegian Government, 2010. [25] Norwegian government, FOR-2011-08-22-894. Norwegian Government, 2011. [26] DSB, Guidance to holistic risk and vulnerability assessment in the municipality. DSB, 2019. [27] DSB, Municipality guidance, emergency duty. 2017. 45