Haven

Updated: Mar 12

Tuwiuwok Bluff, via Haven, Maine fan wiki

When I thought about the TV series Haven, I remembered vague details, and thought it must have been a long time since I saw it. Then, when I looked it up, and saw that the series ran from 2010 to 2015, I was surprised that it was only 15 years...


Wait.


ONLY 15 years?


I guess it’s just one of those ways that your perspective changes as you get older, but it’s still strange.


I remember enjoying the series, though it doesn’t appear to have been particularly popular with critics. After skimming the Wikipedia article, I have started re-watching the series – we’ll see how far I get, as I don’t actually recall whether I saw the entire thing last time around.


The series indicated that it was “based on” the Stephen King novel The Colorado Kid (which I have not read), but Wikipedia describes the series as being “loosely based on the setting of the novel”. Maybe “inspired by” might be more appropriate?


There appear to be a lot of references to Stephen King’s work, such as the names of towns and characters, or situations which appear to be taken from scenes in various King stories. While I have read some Stephen King, it’s been a long time, and I probably miss the vast majority of the references.


One thing I found interesting in the pilot was the derivation of the name of the town, which is described as being named for a Mi’kmaq word meaning “haven for God’s orphans”. Interestingly, this immediately made me think of Midian, from Clive Barker’s Nightbreed, and... No. Stop.


Back to Haven, or rather the reason I was thinking about it in the first place.


On episode 1007 of Security Now, Steve Gibson described the recent attack on the cybersecurity firm Cyberhaven, and I found the story fascinating...


But why? What was unusual about this event? A security incident suffered by an organization I’d never heard of?


First, the announcement of the incident appears to have come on 27-Dec-2024. Obviously, the actual attack took place long before, and some security company or journalist finally released....


Wait. What?


The announcement came from the company’s CEO on their corporate blog?


Hm. Well, they probably discovered the attack a few months ago and are just now...


Two days before the announcement? On 25-Dec-2024, at 11:54 PM UTC?


Erm, so the actual attack must have been months ago... Oh. The previous day, on 24-Dec-2024?


Without dragging things out any further, the company identified the issue (a compromise of their Chrome extension), the version (24.10.4), when it was identified (11:54 PM UTC on 24-Dec-2024), how long the malicious code was active (between 1:32 AM UTC on 25-Dec-2024 and 2:50 AM UTC on 26-Dec-2024), which browsers were affected (Chrome-based browsers that auto-updated within the window), the entry point (a phishing attack against an employee’s access to the Google Chrome Web Store on 24-Dec-2024), and notified affected customers on 26-Dec-2024.


They also described the type of data which was vulnerable, confirmed that they removed the compromised extension, deployed a secure version automatically, engaged an external incident response firm for further analysis, confirmed that they are working with federal law enforcement, and advised that they have implemented additional security measures to prevent similar incidents.


Did I mention that this all started on Christmas Eve?


This, in my humble opinion, was as near perfect an incident response as is realistically possible. It is a truism that everyone is vulnerable, and many InfoSec practitioners divide the world into two groups: entities which have been compromised, and entities which don’t yet know that they have been compromised.


The critical question is about how an organization responds to a security incident. There are a number of metrics which will likely be familiar to people involved with InfoSec and other fields which measure reliability and system recovery. Among these are MTTR (Mean Time To Repair / Mean Time To Resolve), MTTD (Mean Time To Detect), and MTTI (Mean Time To Identify), where the goal is generally to keep these measures as low as possible.
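As an added illustration (not from the post, and not Cyberhaven’s own tooling), here is how the per-incident inputs to those metrics can be computed from a timeline, with a check that the events are in a sensible order. The timestamps are the malicious window the post gives, with detection taken as 11:54 PM UTC on 25-Dec as the post states earlier; the class and function names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable


@dataclass(frozen=True)
class IncidentTimeline:
    compromise_start: datetime  # first moment the malicious code was live
    detected: datetime          # when the defender identified the problem
    contained: datetime         # when the malicious code stopped being active


def _utc(stamp: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp (all times kept in UTC)."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def incident_metrics(t: IncidentTimeline) -> dict:
    """Single-incident values (whole minutes) that feed MTTD / MTTR.

    Raises ValueError when events are out of order, which in practice usually
    means a timestamp was recorded in local time instead of UTC.
    """
    if not (t.compromise_start <= t.detected <= t.contained):
        raise ValueError("timeline events out of order")

    def minutes(delta) -> int:
        return int(delta.total_seconds() // 60)

    return {
        "time_to_detect": minutes(t.detected - t.compromise_start),
        "time_to_contain": minutes(t.contained - t.detected),
        "exposure_window": minutes(t.contained - t.compromise_start),
    }


def mean_metrics(incidents: Iterable[IncidentTimeline]) -> dict:
    """Average each per-incident value across several incidents (the 'M' in MTTD/MTTR)."""
    rows = [incident_metrics(t) for t in incidents]
    if not rows:
        raise ValueError("no incidents to average")
    return {key: sum(r[key] for r in rows) / len(rows) for key in rows[0]}


# Timeline as described in the post (malicious window in UTC).
CYBERHAVEN_WINDOW = IncidentTimeline(
    compromise_start=_utc("2024-12-25 01:32"),
    detected=_utc("2024-12-25 23:54"),
    contained=_utc("2024-12-26 02:50"),
)
```

Running `incident_metrics(CYBERHAVEN_WINDOW)` gives 22 h 22 min to detect and 2 h 56 min from detection to containment, a 25 h 18 min total exposure window.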


The problem is that many organizations, whether they measure these indicators or not, do not disclose them to their customers or the public until/unless the incident becomes publicly known, and many do not disclose even then.


The response from Cyberhaven is very strong evidence that the company has invested a lot of time and effort, not only in implementing systems to detect and address incidents, but also in developing plans for how to manage incidents with their customers, other external parties (such as law enforcement and third-party incident responders), and the public.


We hear horror stories about botched incident responses, which not only damage organizations, but also their customers and the public. Attempting to cover up an incident usually fails, and usually causes far more damage than did the original incident, leading to the well-known phrase: “it’s not the crime, it’s the cover-up”.


In contrast, handling a situation in the way that Cyberhaven did, in my opinion, is about the best advertising possible. It tells the world that an organization is ACTUALLY serious about security, unlike those who start their (eventual) disclosure with “we take your security seriously” – Troy Hunt has a great post which describes breach disclosure successes and failures in detail.


But wait! There’s more!


According to Ars Technica, the announcement from Cyberhaven and the follow-up uncovered a broader campaign against Chrome extensions, and led to the discovery of at least 33 compromised extensions, some of which had been compromised for up to 18 months, affecting roughly 2.6 million devices.


With so many bad things happening, and so much to criticize, it’s wonderful to be able to point to a real-world example of how to do this security thing correctly.


Cyberhaven’s near-perfect response was a wonderful gift to their customers, their industry, and the public at large.


Chef’s kiss. Brilliant response!


Cheers!


© 2025 by RG


TIL Technology by RG is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise specified. 

Please feel free to share, but provide attribution.
