Shostack + Friends Blog


The British Library’s Incident Review

[Image: cover of the report, titled ‘LEARNING LESSONS FROM THE CYBER-ATTACK: British Library cyber incident review’]

The British Library has been operating at reduced capacity for months as a result of a ransomware attack. They’ve just released a quite solid analysis of what they’ve undergone and learned: Cyber Incident Review.

There’s an awful lot to like. It’s readable, thoughtful, transparent, and not finger-pointing or blame-dodging. It has a good history of the events, separated from the analysis and lessons. And as I read it, I did have questions, and before I get to them, I want to emphasize that I don’t mean to nit-pick, and respect that they got a report like this out while they’re still in what they call the ‘adapt’ phase.

More, I feel like they’ve staked out and demonstrated a modern way to respond to a cyber incident. They’ve taken the reasonable perspective that this was done to them, they show concern about the individuals whose data was taken, they seem to be engaged with the police and the Information Commissioner’s Office, and they seem not to have “lawyered up.” All of that is easier for a public institution, but we know that admitting mistakes reduces lawsuits, even when people have died from preventable medical errors.

My questions are largely targeted at the promise the report makes in its title: Learning lessons. There are several places where I’d like more details, and I’d love to see an appendix or somesuch with IOCs/TTPs and other technical details that didn’t make it to the report.

“While the Library’s monitoring software did not automatically isolate the intrusion at source, it did intervene in some of the actions and prevented further intrusion into parts of the Library’s technology estate.”

I’d like to know more about the monitoring software. Where did it intervene? Were there places where someone might have expected it to intervene and it didn’t? Were its interventions and misses a matter of defaults, configuration, or capabilities?

“We believe that the unedited Electoral Roll database held as part of the collection was not compromised, as all indications are that the enhanced levels of encryption in place on that particular database functioned as intended and protected it from the attack method described above.”

I don’t understand this. Is “the attack method described above” copying the network drives? (That’s the first attack method described.) Because it seems that would not work against “forcibly creating backup copies of 22 of our databases.” So a bit more about what happened would be helpful.

I also like that they thought about the ways in which they are not unique:

“Many of the major collections institutions in the DCMS family and the wider sector are likely to have similar risks to the British Library in terms of investment levels in cyber-security, legacy infrastructure, and difficulties attracting and retaining sufficient IT talent.”

That’s a point that was made by the NCSC’s founder, Ciaran Martin, who wrote: “Indeed, an incident of the severity of the BL attack is likely in each of the next five years.”

Overall, an excellent report, and it’s worth learning from.

Ok, I do have one nit I’m going to pick: Why is the report not on a white background? Does the Library not know that people print things?