Even if the depth and complexity of these exercises vary, the capabilities tested are often the same. They almost always entail knowing how to take on roles, assimilate a strong flow of information (stimuli), and understand a high-stakes, high-intensity situation. These exercises train coordination and impact assessment, but they cannot be considered an end in themselves. Resolving a crisis is not limited to the famous: “isolate, cut, communicate, we’re out of the woods”. We are calling for a paradigm shift in the preparation of cyber crisis management. 

Shift the focus from information management to feasibility 

Most crisis exercises used today test the players’ ability to manage and synthesize the flow of information. However, this is not where the quality of crisis management is concentrated. Some might even say that a decision-making unit should not be in a situation where it is erratically and incessantly solicited by its stakeholders. A decision-making unit must be put in a position to decide. To do so, it must respect a healthy work rhythm in cooperation with other more operational bodies. 

These exercises too often lead players, who are sucked into the time-consuming management of information, to take misleading operational sides. They make assumptions about what they can do and when – the famous “isolate, cut, communicate, we’re out of the woods.” These exercises give decision-making teams the impression that they are ready to cope when in fact they have limited their preparation to the ability to understand and coordinate events. This is a necessary step, but not sufficient.  

The key word for a 2023 preparedness strategy? Feasibility. Notably, though, the feasibility of all the steps of crisis management is based on a wider spectrum than just information management. This feasibility must be measurable, specific, and enabled by documentation, equipment, simulation, and sequencing of these capabilities. 

Preparing across the spectrum: from threat detection to reconstruction 

Training to manage a crisis involves above all taking into account the complete chronology of crisis management. We can summarize this chronology in eight major steps: 

1. Detect relevant threats and have the capacity to investigate them  
2. Mobilize experts and decision-makers to react 
3. Survive during the first peak by guaranteeing business continuity capabilities  
4. Evaluate the impact, its ramifications, and its foreseeable evolutions  
5. Contain the threat and understand the impact of isolation  
6. Coordinate your strengths and those of your ecosystem  
7. Communicate with internal and external stakeholders  
8. Restore and rebuild what can be restored and built when it can be restored and built 

Also, prepare the tools: I design, I use 

A relevant preparedness strategy must encompass each of these eight steps with the keyword of feasibility. It requires answering the question: will we really be able to carry out these actions when we need to? 

The answer to this capability question is based on three aspects:  

1. Ensuring the formalization of brief, up-to-date and known processes (e.g.: have a flow matrix indicating how to isolate, the timeframe, and the operational consequences)  
2. Equipping, training, and empowering the teams in charge of these actions (e.g.: having a discussion on “license to kill” and technically enabling a “red button” on relevant perimeters)  
3. Training the teams concerned specifically through role-playing exercises and specific simulations of the deployment of these capabilities (e.g.: test the decision-making process leading to the use of this “red button”, then technically test the proper functioning of the red button)

Thus, while some may limit themselves exclusively to the latter (simulation), it is essential to design one’s preparation with more hindsight and to begin with a real effort to build capacity. The exercise should be a milestone for verifying, adjusting, and promoting capabilities. In the worst case, it can be a deadline for preparing the capability or even serve as an opportunity to build said capability during the session (e.g.: reconstruction chronology, identification of technical interdependencies, etc.). 

Overcome opportunistic logic and practice the capabilities’ sequencing 

Currently, the main drivers of complexity are the increase in duration, intensity and the number of actors involved. Here again, we call for a paradigm shift. 

First, we call for a culture of preparation based on the eight pillars detailed above. This entails the need to provide tools and formalize the capabilities to do and train these capabilities throughout the year – without necessarily making them an event in a big exercise (e.g.: ComEx workshop on the first 10 actions to launch in case of a cyber crash, testing the isolation of backups or the restoration of workstations).  

In addition, employing vertical training logic (e.g., enable then simulate), it is important to train the ability to sequence the different capabilities quickly and efficiently. Thus, it is advisable to propose larger exercises, common to the business, forensic and decision-making teams, to orchestrate their different simulations in a single exercise. In training, for example, the detection capacity should be tested with a Purple Team, and then the mobilization capacity of the crisis system with a surprise mobilization using the alternative tools provided. A second example: work on the coordination capacity of the numerous crisis cells over a long period of time and then producing a communication message for all its stakeholders (internal and external). 

A long-term commitment 

To be relevant, this approach must be supported by strategic, global, multi-year thinking. Since it is more ambitious and involves more stakeholders (SOC, RPCA, Resilience, Infra, CISO, ComEx, Third Parties, …), it can gain legitimacy through a prior empirical evaluation of the means: 

1. Assess the current state of your readiness by taking a feasibility-centric approach to the eight pillars.  
2. Establish a maturity target and a roadmap that you will be able to report on empirically over time. 
3. Finally, share with your management teams a more robust view of your crisis management maturity.  

This type of approach, more empirical and personalized, will not only allow you to identify capacity gaps but also to truly train for the actions that will be essential at the worst moment. 

Cet article Enabling a paradigm shift in cyber crisis management preparedness est apparu en premier sur RiskInsight.

Wavestone assists many victims in managing their crisis triggered by ransomware attacks. Often, poorly trained IT and management teams make incorrect decisions in response to these unexpected situations.

This list of the top ten pitfalls to avoid in ransomware crisis management is based on the feedback from over 5 years of supporting victims.

#1 Paying the ransom will speed up your back up process

Although the French National Agency for the Security of Information Systems (ANSSI) recommends never paying a ransom, this question will always arise for certain stakeholders, especially the decision-makers, who are not completely aware of these issues. Beyond the fact that paying the ransom encourages attackers to continue their activities, it should also be noted that paying the ransom does not always lead to the recovery of the decryption key.

In cases where a ransom payment allows the decryption key to be obtained, the decryption time is often very lengthy. It can take several hours or even dozens of hours per server or workstation, depending on the size of the encrypted files. When there are large numbers of computers, strict coordination is necessary for processing all the systems. In comparison, it will be faster to restore systems from backups.

In addition to the time required, the encrypting or decrypting process is rife with errors, according to past experience. Thus, even with the decryption key, certain files, particularly the largest ones, are sometimes modified and cannot be restored as they are.

In short, we are far from the widely held notion that a simple click can restore a functional information system after ransom payment. There is no point in considering a ransom payment to restart services if there are healthy and functional backups. In the case of data theft, the issue gets more complex.

#2 Reopening the information system too quickly

To limit operating losses due to inactivity, the crisis unit is often urged by the business to restart the information system as quickly as possible. During the reconstruction phase following a cyber-attack, it is necessary to control the following two main risks:

• Resumption of the attacker’s attack and re-encryption of the reconstructed systems
• Theft of new information by the attacker who restarts the data exfiltration

Isolating the information system from the outside world is the initial security measure that must be implemented to reduce these risks significantly (internet access in and out, links with partners, etc.). This measure eliminates the connection between the attacker and his malicious tools, and thus drastically reduces the likelihood of a repeated attack. Certain external flows can be opened individually for the most critical activities (from or to a controlled server, on a given port), but reopening a wide range from or to the outside increases the risks.

Restoring servers is the first step in the rebuilding process. However, since servers are not always backed up simultaneously, resynchronisation of applications and data are often necessary before the servers are put into service. As an example, a hasty restart of a payment application during a crisis has already resulted in a double payment of hundreds of thousands of euros, which had already been transmitted to the bank before the attack.

#3 Wait for an extreme level of security before reopening

As cyberattacks can have a significant impact, fear of repeated attacks can be traumatic for crisis teams, leading them to impose an extreme level of security before restarting. The challenge here is to find the right balance between security and rapid recovery.

There are two possible strategies for rebuilding servers:

• The green zone strategy- It prioritises security over the speed of recovery. It involves creating a new network zone in which only the rebuilt machines are hosted. The technical components (Active Directory, DHCP, DNS, etc.) are dedicated to this secure zone. However, changing the addressing plan can have unintended consequences and it will slow down the reboot.
• The grey zone approach- It favours the speed of recovery over security. It consists of rebuilding or restoring servers in their initial zone. Compromised machines can be found alongside the restored machines. This strategy will represent a risk when the attack is propagated from server to server.

The choice of strategy must be made in the light of the investigations and techniques used by the attacker. As mentioned earlier, isolation from the outside world remains as a key measure in reducing the risk.

#4 Denying a restart in degraded mode

In most companies, IT has become indispensable for all their operations. In the exceptional situation of a total IT shutdown, it is often initially inconceivable to continue working without IT. This is the common argument put forward by the IT and business managers during cyber crisis.

By working in degraded mode, it is possible to limit the impact in many instances. This includes implementing previously defined resilience and business continuity plans. To consider implementing these plans when all the activities are ceased during a crisis, special emphasis must be given to when these activities were stopped during the crisis, as well. Managers often underestimate the mobilisation and creativity of the teams to work differently (disengaging non-essential processes, transferring to a partner, carrying out operations manually, etc.).

It is essential to find a good balance between restarting the first application in degraded mode within two days, rather than waiting two weeks to have the complete application chain.

#5 Wanting to restart all at once

Quite often, the information systems of large organisations contain hundreds or thousands of applications. During cyber crisis situations, it is impossible to spend an enormous time on all these applications. Thus, it is essential to prioritise them by defining a restart order.

Each department often tends to consider that its own activity is the most important in the company. Arbitration by general management is often necessary to establish a restart plan that can be utilised by everyone. Some departments, countries, or regions will see their applications getting started later than others too.

It should also be noted that there are many dependencies between applications, and these are not always known by IT teams. But this must be considered in the reboot plan.

#6 Executing major changes in a hurry

It is sometimes tempting to want to take advantage of the situation of a system shutdown to carry out major changes in the information system.

Security teams see this as an opportunity to carry out projects that the IT department has turned down in the past because of their perceived complexity and impact: network partitioning, upgrading operating system versions, Active Directory tiering, multi-factor authentication, etc.

If these projects are necessary to reinforce a level of security, it is advisable to avoid making too many changes during the crisis period. Thus, the teams can concentrate on actions that are necessary to restart within a controlled level of security.

For example, partitioning the network requires a review of the addressing plan, the addition of network equipment, and the modification of configurations. These actions often cause additional problems to be dealt with (IP hardcoded in the application, blocking of flows necessary for the proper functioning of the application, etc.).

#7 Waiting until investigations are complete

Investigations are essential to understand the attacker’s techniques and identify the vulnerabilities they exploited to carry out the attack. These vulnerabilities can be corrected during the reconstruction to avoid a new attack. However, investigations are complex and time-consuming (sometimes several weeks).

A standard mistake is to wait until the end of the investigation to launch the reconstruction. In reality, it is essential to start the reconstruction operations before the end of investigations. According to the conclusions from the investigative teams, the plan for secure reconstruction will be regularly revised.

In many instances, it will not be possible to identify patient zero or reconstruct the attack’s chronology. Indeed, the traces (log) maintained by the information system are not always precise (verbosity) or it does not permit going back far enough (retention time). They have sometimes been deleted by the attacker itself, while erasing his traces.

Finally, decision-makers frequently ask whether the data has been exfiltrated from an information system. It should be emphasised that unless the organisation has advanced security systems, it is rarely possible to respond precisely to this issue (DLP, for example).

#8 Not anticipating human resource management

Cyber crises are situations where employees are intensely mobilized. Some members of the teams can be so determined to settle this matter, that they do not wish to quit at all! Concurrently, it is quite common to see cases of burnout, hospitalization, or sick leave during a poorly managed crisis.

In the case of a large-scale ransomware attack, intensive team mobilisation will take at least three weeks. It is essential to organise team rotations from the start of the crisis ensuring that key resources are maintained over time.

It is often appropriate to call on external service providers for expertise (digital investigations, Active Directory reconstruction, backup systems, etc.) to multiply efforts (reinstallation of workstations, upgrading of operating system versions, coordination of tasks, etc.).

#9 Hiding the situation from employees, partners, customers

More than five years ago, companies that suffered a cyberattack but failed to take adequate precautions had their reputations severely harmed. Due to the rise in cyber-attacks, an increasing number of organisations are falling victim to cyber-attacks, and firms will be evaluated not just on their ability to manage a crisis, but also on their status as victims.

One of the first reflexes of management teams is often not communicating with stakeholders (employees, partners, and customers) in the hope that the attack will go unnoticed. It is clear that a major attack will always end up being communicated. In these situations, social networks and the media will communicate before the victim, who will then have to adopt a defensive posture in response. It is recommended to adopt a posture of transparency with the stakeholders, who will be reassured to know that the situation is under control. 

Finally, there must be appropriate communication between partners. Without specific information, many of the attackers tend to cut all the links with the victim, and thus the reopening could be longer and more complex. Moreover, s will be inclined to reopen if the victim has proactively warned them.

#10 Failing to structure crisis management

Since ransomware attacks have a significant impact on information systems, they inevitably cause chaos within an organization. Thus, no longer we can rely on the current communication and decision-making procedures.

Some people think that a crisis situation allows approximate management: improvised meetings, follow-up of perfectible actions, lack of formalisation, etc. On the contrary, decisions must be precise, rapid, formalised, and communicated to all stakeholders involved. This discipline is the key to successful crisis management, where everyone finds their place and is utilised wisely.

In certain large-scale crises, such as those involving international groups, keeping a PMO crisis unit for several dozen individuals is advantageous. It will be their responsibility for consolidating precise inventory, organising crisis committees, communicating, and following up on the decisions taken by the crisis unit. This unit of crisis management professionals is an indispensable asset for effective crisis management.

A ransomware attack is a sudden event that has a very significant impact on the business’s operations. There are various pitfalls to avoid in crisis management to quickly regain a functional situation. To optimise operations and gain valuable feedback, it is strongly advised to surround yourself with cyber crisis management professionals.

Cet article Successful Ransomware Crisis Management: Top 10 pitfalls to avoid est apparu en premier sur RiskInsight.

Cet article Preparing for a Cyber Crisis est apparu en premier sur RiskInsight.

Addressing the need to know and the need for reassurance

Supported by the increased number of incidents and attacks on information systems, the cybercrisis has moved into the public realm. The democratisation of its vocabulary is a clear indicator of the place that this subject takes up in the media. Data leakage, ransomware, hacktivist, DDoS, phishing, whistle-blower, these terms have left the server rooms and specialist blogs to make their way into national newspaper columns and most people’s vocabulary. The cybercrisis is no longer a mere quality incident discreetly handled in-house but has become an event that arouses the interest of a broad audience. This interest transforms the cybercrisis into a communicational crisis. However, while this theme’s new popularity is logically transposing into an increase in coverage, other elements justify a significant increase in solicitations, whether internal or external to the organisation in crisis.

When the cybercrisis results in data leakage, for example, it is not only the subject of the crisis that is newsworthy, but its very object. In fact, when the data leaks or is stolen, its nature arouses curiosity, whether it is personal data, a State secret or simply a private conversation. This mechanic logically generates for many audiences both the need to know the unknown, and to make sure that they are not the victim. These two primary needs of curiosity and reassurance are the essential drivers of media coverage and more generally encourage the information consumer, the stakeholder, the client to fill that need and seek to obtain this information. The same logic assumes that the source of this information, in this case the legitimate data holder, addresses these requests and communicates on the incident.

Whether it’s strategic events such as presidential elections or everyday private conversations on digital media that are compromised, the crisis’ media effect is magnified by the extraordinary nature of the event. This is the result of both its supposed impossibility and the confidence that the public entrusts it. The sudden rupture of the trust placed in these “institutions” of major importance, erected in good stead in a 2.0 version of Maslow’s pyramid, then generates itself the interest and the need to know, translated into an explosion of the number of requests for information to the organisation in crisis.

Figure 1: Maslow Pyramid Example

Communication war between the attacker and the communicator

Cybercrisis communication is thus a specific exercise given the subject it deals with, but also by the nature of the actors present. In fact, when immeasurable sums of money are stolen without warning or institutions fall under “citizens” hacktivist attacks, opinion tends to sympathise towards the attacker perceived as a modern hero, a romantic pirate or a anonymous vigilante.

This public figure, aware of its image and the codes of the communication world, will of course be able to play this environment. Thus, the very methods of the attackers reinforce the central place of communication in the management of cybercrises. Attacks on political, ideological and militant grounds are no longer confined to the compromise of a system but send a message whose publicity must be maximised.

This obvious appropriation of the activists’ specific methods is illustrated in several ways: prior warning of a DDoS, defacing a website, publication over time of proofs of a theft on social networks, dissemination of information such as exchanges of compromising private mail conversations, etc. If the attackers have learned to maximize the reputational impact of their attacks, they also use this lever to disrupt their target’s crisis management and make a noise that will buy them time once their attack is discovered. While one of crisis management’s key success factors of is regaining control of this rhythm and the publication of new elements, the cybercrisis inevitably leaves this power to a malicious third party.

This third party can also, if the compromise goes deeply, alter the company’s means of communication. While it tries to respond to the need to express itself urgently and widely, this can severely hinder the fluidity of its communication. Without email, how to spread a message to employees? Without social networks, how to be close to the community and answer their questions?

Restoring the trust relationship through communication

Fascinated by the attackers and the magnitude of the attacks, the general public is nonetheless intransigent at a time when trust and data are the very value of a company. Intrinsically, preserving the first assumes the protection of the second. When the organisation fails to achieve this goal, crisis communication is the only one able to restore this relationship of trust on which depends the future of the relation with customers and partners, who will or will not continue to entrust their data or the management of their tools, as well as their services to an organisation.

This trust requirement also brings about, when it’s is broken, the search for whom to point the blame. Although the reality of the facts is much more complex, the general public will easily assume that information system attacks are made possible by exploiting a vulnerability and therefore a fault.

A data leak is thus not only perceived as an attack perpetuated by a malicious third party, but also as negligence in the defences of the company victim to the theft. The latter is automatically designated as responsible and its reputation is logically impacted. Even as the attackers have become professional, the attacks complexify and the absence of vulnerabilities is a myth, cyber-attacks are now a subject of crisis management and communication in their own right. Because of its potential impact on the general public’s daily life and therefore its newsworthy nature, it forces the victim, considered to be co-responsible for its loss, to express itself.

Try to Keep It Simple for Better Crisis Communication

Beyond defining a clear, shared and timely strategy, managing a cybercrisis with its particular rhythm and the obstacles caused by the attackers must be accompanied by a special communication which implies a final effort: keeping it simple.

Confronted by a cybercrisis, like any type of crisis, communicating implies being able to translate the events and corrective actions into clear impacts and to address them in a coherent manner. Of course, the complexity of the terms and the mechanics of a cybercrisis makes this exercise tricky and is another particularity to take into account.

In this context, through their ability to translate the technical cause into business consequences and more generally into layman’s terms, the CISO and their team’s role is central. During business as usual as well as in times of crisis, the CISO’s mission is the responsibility for translating the facts and technical components not only into business impacts but also into understandable and convincing impacts for diverse non-expert audiences. They may also have to conceive or even bear responsibility for elements of crisis communication language in the same way that a human resources representative is exposed during a social crisis.

Without presupposing their exposure on a major TV channel’s news programme, information security experts’ words will be expected on social networks, on professional networks, in the specialized press or in-house. In crisis communication, everyone is responsible for everything and everyone has to be prepared for it.

Thus, the subject of cyber carries a media power of its own; the immediate consequence of which is the considerable increase in expectations and requests to be informed from different divisions of an organisation as well as from the public. If the impending occurrence of an information security incident involves a specific defence and continuity of operations planning, it also requires anticipation of these requests and an active preparation for this overall communication effort.

Cet article Cybercrisis, a fully-fledged media topic est apparu en premier sur RiskInsight.