This article was originally written in French and then translated with tools. The translation should be on point, but please forgive us if some parts are not perfect.
We can have all the preventive measures in the world in place and still be the victim of a cyber attack. The question here is not “if”, but “when”.
(Before getting to the heart of the matter, an aside: if a cybersecurity product or service provider promises you 100% security, run away. Far away. It’s impossible to achieve, so you’re dealing with a liar…).
Being prepared is always the best way to handle a situation. Cybersecurity is, of course, no exception. Having a cyber attack to deal with is never a situation you want to find yourself in, but having a good incident management plan in place is paramount if you want to avoid running around like headless chickens on D-Day.
Of course, size, industry, business reality and many other parameters will influence its content and complexity.
We haven’t invented anything here. The content we offer is taken from the book “Confronting Cyber Risk: An Embedded Endurance Strategy for Cybersecurity” by Gregory J Falco and Eric Rosenbach.
In one of the chapters, the authors describe in great detail the steps involved in a good incident management plan. Quite honestly, this chapter is worth its weight in gold. Here, we’ll only pull out the broad strokes to help you, but we very strongly advise you to get yourself a copy of the book (and hand one to every member of your board of directors 😉).
Just as you’re likely to have plans in place to deal with a power failure or natural disaster, you need to have a plan in place to deal with a cyber attack. By planning ahead, you’ll be able to:
The following measures must be taken during the planning phase:
An incident response plan should serve as a roadmap, indicating how you will implement each step of the process and who will be responsible for each task.
Its aim is to ensure that the necessary people and tools are in place in the event of a cyber attack, and that systematic and consistent measures are taken to minimize the risks. The information obtained and recorded during the incident can then be used to improve your security measures and better prepare you for future incidents.
Communication is crucial. It is therefore imperative to set up reporting mechanisms so that your employees can communicate an attack to the appropriate person as quickly as possible. Contingency plans must also be put in place if line managers or response team members are unavailable. The clearer the process, the faster the right people will be informed and able to take action. Timing is key.
Checklists for the incident response team to use during attacks should be prepared in advance to ensure that action can be taken quickly, tasks are not duplicated and no task is overlooked.
Have on hand high-level network diagrams and a list of critical assets for the entire organization, so the team can quickly see how the various systems are connected and how an attack could compromise these systems and networks (if you’ve done business with us, it’s time to get out your Bloodhound diagram 😉).
Whatever methodology you choose, it’s important to prepare a system for tracking issues and the status of each task during incident response.
Think about having a paper version or one stored outside the network so you’ll be able to access it in the event of ransomware or network access problems of any kind.
Your response team must regularly carry out exercises simulating a cyber attack. On paper, your plan may look foolproof, but the reality may not be so perfect. It’s better to find out during practical exercises than when your entire production line is at a standstill. That way, you’ll be able to adapt.
Training exercises can take the following form:
It’s essential that your in-house team takes an active part in setting up the incident management plan (for obvious reasons). That said, bringing in external consultants can speed up the process and give you the benefit of their experience.
It’s also advisable to call in offensive security professionals to test the robustness of your system and the responsiveness of your existing teams. The consultant will come and try to compromise your system (penetration test) and, in addition to detecting technical flaws, will also test your response to the attack.
A cyber attack cannot be dealt with until it has been detected, a lesson Capital One has learned the hard way. However, many cyberattacks occur over long periods and are often not detected until serious damage has been done. Detecting attacks is above all a preventive measure, so it won’t be detailed here. Nevertheless, it is important to remember its importance.
Once a threat has been detected, it must be analyzed before any action is taken. The most important reason for this analysis is to confirm that it is an attack and not a false positive. If you work in IT and have access to consoles, you know that false positives are commonplace. In the event of an alert, we need to take the time to validate whether we are dealing with a real threat before taking action.
Once it has been determined that the incident is (unfortunately) not a false positive, the incident response team must take stock of the situation. This brief pause is what allows them to take the necessary step back to fully understand the situation, rather than making bad decisions under stress.
Understanding the situation allows you to determine the scale of the impact, the type of attack, whether automated procedures have been deployed to mitigate the attack internally, the networks and systems affected, the type of data that has been stolen (if any), the stage of the attack (if an attacker persists in the network) and the origin of the attack.
It is important to bear in mind that as much evidence as possible should be preserved during the analysis phase, as it could be used in subsequent litigation.
Once an incident has been validated as a cyber attack, everything about the attack must be documented. In the heat of the moment, this is not usually our first reflex, but it is essential. These documents will serve as a reference for post-event analysis, and as evidence in legal proceedings.
The following elements must be documented:
Taking the time to clarify these points will also help you structure your communication (see later in the article).
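As an added example (our own illustration, not code from the article or the book), here is one way to make the documentation and evidence preservation just described tamper-evident: each journal entry records who did what and when, the SHA-256 of any evidence file collected, and a hash chained to the previous entry, so that any later edit to the record can be detected. The file name and journal field names are assumptions.

```python
"""Tamper-evident incident journal (constructed example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the very first entry


def sha256_file(path):
    """Hash an evidence file in chunks so large disk images are fine too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    """Canonical JSON so the same content always hashes the same way."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_entry(journal, who, action, evidence_path=None, note=""):
    """Add a chained entry: who, what, when, optional evidence hash."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "who": who,
        "action": action,
        "evidence": evidence_path,
        "evidence_sha256": sha256_file(evidence_path) if evidence_path else None,
        "note": note,
        "prev_hash": journal[-1]["entry_hash"] if journal else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    journal.append(entry)
    return entry


def verify_journal(journal):
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(journal):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev or _entry_hash(body) != e["entry_hash"]:
            return i
        prev = e["entry_hash"]
    return -1


def demo():
    """Constructed run: two entries verify, then an after-the-fact edit is caught."""
    journal = []
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".log") as f:
        f.write("constructed sample: 2024-01-01T03:12:00Z alert on host WS-042\n")
        path = f.name
    append_entry(journal, "analyst1", "alert_validated", note="not a false positive")
    append_entry(journal, "analyst1", "evidence_collected", evidence_path=path)
    intact = verify_journal(journal) == -1
    journal[0]["note"] = "edited after the fact"  # simulated tampering
    os.unlink(path)
    return intact, verify_journal(journal)
```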
The aim is to prevent the attack from spreading to other systems or departments within the organization, and to limit the extent of the damage. It may be that the threat has already been contained automatically by an intrusion detection and prevention system (IDPS) or by a virus removal program, meaning that no further action is required on your part at this stage.
However, if no automated action has been taken, the affected systems must be identified and one of the following steps implemented (depending on the situation):
The action to be taken depends on the need to keep certain services available to the organization’s employees or customers, and whether a short- or long-term solution is required until the team is able to eradicate the threat.
Note: if time allows, consider taking backups of all infected systems for forensic analysis before containment measures alter them.
Remember the Sobeys cyber incident in 2023? It’s the best example of what NOT to do. They played the non-transparency card to the point of denial, towards the public and even their own employees. Their reputation was damaged more by their poor communication than by the attack itself. You don’t want your organization to be talked about in this way (and it cost them CAD 25 million, by the way).
Once again, your crisis communications plan must be ready for deployment on D-Day. Good communication can’t be improvised. There are two groups of stakeholders to notify: external and internal.
Because of the considerable impact of a cyber attack, external stakeholders need to be informed of the breach and, above all, of the consequences for them.
Not all situations require the same level of communication. Before an incident occurs, you need to discuss the criteria for sharing information with your PR specialist, legal team and senior management. The contact details of all these people must be accessible and included in your incident management plan, so that you can call everyone together quickly. You don’t want to waste time finding a phone number when you’re setting up your war room.
These discussions help establish important information-sharing criteria that will be recorded in the crisis communication plan (this plan is detailed in the book).
Whatever stakeholders an organization communicates with, the information given must be clearly stated. Ambiguity and incorrect messages can lead to confusion and legal action.
Internal communication is just as important as external communication. Indeed, your employees are most often the closest point of contact between your organization and your customers. Consequently, your team needs to be kept abreast of important developments so that they can communicate clearly with the parties concerned, helping to restore trust.
Without necessarily disclosing everything about the cyber attack to all your employees, senior management must ensure that they share enough information with their team to build trust. Specify what information they can share publicly with their customers. Similarly, inform your employees if their personal information has been compromised. They need to be reassured that their information, and that of their customers, is protected (if it really hasn’t been compromised, of course).
Internal communication plans should also include escalation strategies that specify exactly how team members should react and whom they should contact in the event of a cyber attack. This is particularly important if a cyber attack impacts external stakeholders. In this case, team members need to know which lawyers, human resources managers and journalists need to be informed in order to manage expectations and share information on the steps being taken to remediate the breach.
Eradication involves identifying the root cause of a cyber attack and eliminating it. It may be necessary to use forensic software to identify the origin of the problem (and those responsible for the attack) before it can be eradicated.
The incident response team is responsible for identifying the attack vector and its path, to ensure that all entry points are closed and infected areas are cleared.
Persistence is generally a feature of sophisticated attacks, meaning that the attack vector has self-preservation capabilities and is designed to remain stealthily on the machine even after clean-up. Put more simply, it means that the attacker remains hidden in your network.
This may mean reviewing the detection and analysis stages of the process to ensure that all threats have been identified. Any weak points identified during the eradication phase need to be reinforced to prevent the same or similar attacks from happening again, whether due to persistence or a brand new malware attack using similar attack vectors (don’t be fooled twice by the same vulnerability…).
The following measures should be taken during eradication, depending on the type and nature of the attack:
Once the threat has been eradicated, the recovery process can begin.
Admittedly, there can be a tension between the need to get systems back up and running as quickly as possible and the need to ensure that all traces of the attack have been eliminated before recovery begins. It’s a good idea to enlist the help of experts to help you make this kind of decision, and above all to save you time.
Recovery refers to getting your systems up and running again. This process usually takes some time and is not a one-off action. It’s a team effort: from the IT department and relevant business units, to the operations department and senior management. These parties can either be directly involved in the recovery process, or provide advice on the process to be followed and the deadlines to be met.
The most important systems for restoring your company’s core functionality should be prioritized. The interdependencies between systems also need to be understood, as some systems can only be restored after others have been.
Once the attack can be attributed to a specific group or individual, recovery can be easier, as the incident response team will have a better understanding of the motivation behind the attack and the methods used.
During recovery, systems are rebuilt, reinstalled or restored by the disaster recovery team using backup data (hence the importance of a good backup system). Files are replaced by clean versions and patches are installed. It is important that restored systems are tested and checked to ensure that there is no reinfection and that they function as intended. The recovery process is an opportunity to reinforce security on the basis of the vulnerabilities discovered during the detection and analysis stages.
The recovery process can, depending on the case, take months, hence the importance of having tested your operational resilience beforehand. Business continuity plans, service agreements with suppliers (to guarantee immediate access to the necessary hardware and software) and proactive communication with stakeholders (such as customers) are all elements that can make a company more resilient and should therefore be included in the incident response plan.
It is necessary to evaluate a cyber attack to determine whether or not our response was sufficient, and to implement the lessons learned. This stage can begin while recovery is still underway, particularly if it takes some time for all systems to be restored. The aim of this stage is to improve the incident response plan and strengthen systems to protect them against future attacks.
Organize a meeting with all the players involved in managing the incident. The aim of this meeting is to identify any shortcomings in the way the attack was detected and eradicated. A further lessons-learned meeting should also take place once systems have been fully restored. The aim of that meeting is to learn from the overall recovery process and identify where your organization still needs to improve its operational resilience.
An incident report (also known as a post-mortem report) should be drawn up at the end of the lessons-learned meeting.
This report will serve not only as a reference for planning the response to future attacks, but also as a training tool for the future.
Very importantly, it can also be used as evidence in the event of legal problems arising from the attack.
The report should address the following points:
All the lessons learned from the post-event analysis must now be implemented to reduce the risk of future incidents and ensure that you are better prepared in the event of another attack. This may require changes to policies, processes and procedures, tools and equipment, or even the behavior of the parties involved in the process.
Improvements should be classified as short-term or long-term. Short-term improvements can be implemented immediately, while long-term improvements involve strategic changes, such as a complete overhaul of certain processes, which will take longer to implement. Action plans including responsible parties, due dates and expected results need to be drawn up so that all stakeholders know what is expected of them.
The updated and improved incident response plan should also be tested before being deployed, to determine whether the improvements made are sufficient.
——
If you found this article useful, we definitely recommend you read the full book: “Confronting Cyber Risk: An Embedded Endurance Strategy for Cybersecurity” by Gregory J Falco and Eric Rosenbach. A full chapter goes into even more detail on how to properly prepare for an attack, and the whole book is a practical guide to adopting good cybersecurity strategies for your business (it’s the kind of book that makes a great gift for your executive committee, in our opinion 🤓 … just saying!).
The summary:
Cyberattacks continue to grow in number, intensity, and sophistication. While attackers persistently adapt, business leaders have suffered from employing the same cyber risk management strategies for decades. Organizations must learn how to move past temporary solutions and invest in long-term resiliency measures to thrive in the future cyber economy.
Confronting Cyber Risk: An Embedded Endurance Strategy for Cybersecurity is a practical leadership guidebook outlining a new strategy for improving organizational cybersecurity and mitigating cyber risk. Veteran cybersecurity experts Falco and Rosenbach introduce the Embedded Endurance strategy as a systems-level approach to cyber risk management which addresses interdependent components of organizational risk and prepares organizations for the inevitability of cyber threats over the long-term. Using real world examples from SolarWinds to the Colonial Pipeline attack, the authors extend beyond hardware and software to provide a thoughtful ten-step process for organizations to address the simultaneous operational, reputational, and litigation risks common to cyberattacks. They conclude with helpful “cryptograms” from the future, in which business leaders are confronted with the next generation of cyber risk challenges.
Clear and informative, Confronting Cyber Risk provides CEOs and cyber newcomers alike with concrete guidance on how to implement a cutting-edge strategy to mitigate an organization’s overall risk to malicious cyberattacks in an evolving cyber risk landscape.
The (unaffiliated) Amazon link to purchase the book: Confronting Cyber Risk: An Embedded Endurance Strategy for Cybersecurity
Peace ✌️
Cyndie & Nicholas