Seven crucial dos and don'ts for cyber-attack survival
Think you’ve been hit by a cyber-attack? You need to move fast, but what immediate actions should you take, or should you not take? Here’s a Cyber Incident Responder’s guide to steer you through the turmoil. The actions your team takes -- or doesn’t take -- can greatly impact the overall duration of recovery, cost, and the potential to uncover vital evidence left by threat actors within your infrastructure.
Identifying a cyber security incident can be challenging. Many threat actors have mastered the art of quietly infiltrating IT systems and hiding their digital footprints. Not all cyber-attacks are as overt as encryption-based ransomware or mandate fraud. The rise of encryption-less ransomware and corporate and state-level espionage is concerning. These silent intruders can lead to data and intellectual property (IP) loss, diminished competitive edge or market share, potential regulatory fines, and reputational damage. All of which can be just as devastating, if not more so, to an organization, its employees, and investors, than a single ransomware incident.
The Dos
1. Engage your dream team
When a cyber-attack strikes, it’s time to rally the troops. Engage the expertise of cyber incident response professionals to navigate the technical turmoil and provide strategic input. Call in crisis communication partners to manage the message and maintain trust. Consider engaging external legal counsel to manage and limit exposure to potential liabilities.
External partners require internal coordination and resources. Handling a cyber incident differs from regular operations. It necessitates distinct roles and might require compartmentalization. Small, focused teams addressing specific areas can be far more effective than a large team attempting to tackle everything at once.
2. Be faster than the story
Gone are the days when you could formulate a message over the course of a day for it to appear in the evening news or the following day’s newspaper. It’s not even a “golden hour” to get a message out now. With today’s social media and online reporting, that time frame is now down to as little as 15 minutes, according to communications expert and media trainer TJ Walker. If you leave an information void, rumor and conjecture will fill it and it’s a lot harder to dispel those and get the true message across once they have taken hold.
3. Just the facts
During an incident, clear and factual communication is critical to holding everything together, limiting damage and not giving yourself more problems. It’s not about wishful thinking or unfounded optimism, but about conveying the cold, hard facts. Don’t let your message get muddled with unverified information or hopeful assumptions. Stick to the truth, even when it’s tough. Conjecture may offer temporary comfort, but it risks creating confusion and mistrust down the line. Remember, the truth has a way of coming out, and when it does it’s better to be on the right side of it. So, skip the speculation and stick to the facts. It’s not just good communication -- it’s good crisis management. Let your external crisis communications partner/specialist handle this for you. They have relationships with the press to keep things on-message.
4. Take a break, make a breakthrough
Amid a cyber incident, it’s a total team effort. The tasks pile up and the concerns mount. However, burnout isn’t a myth, it’s a reality. Avoid overlapping duties; instead, arrange shifts so that teammates can relieve each other, allowing for necessary breaks. Step away from the chaos occasionally to do simple things like taking a walk. Often, a brief respite sparks fresh insights, better judgments, or innovative solutions.
5. Avoid analysis paralysis
Despite my role, I feel privileged to join C-suite or board meetings during cyber incidents. It’s fascinating to observe the internal workings and strategies of an organization. However, in a crisis, companies often fall into a ‘what about…?’ trap, debating every tangent without ever making a decision.
This is effectively managed by a neutral scribe who tracks discussions and redirects tangents back to decision-making. Once a decision is made and an action assigned, the scribe revisits the tangent. Their role significantly boosts confidence, understanding, and productivity, effectively advancing the strategy and incident response.
6. Data, not systems
When it’s time for recovery, focus on retrieving data, not entire systems. Threat actors often employ clever tactics to maintain access, and a full-system restore brings their persistence back with it. Rebuilding operating systems from scratch and reinstalling applications from known-good media is the surest way to get clean systems. Hence, aim to restore only the necessary data, verified against what you knew it to be before the incident, not the complete systems.
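One way to put “data, not systems” into practice, as an added example and not code from the article or its author: a restore filter that copies only allow-listed data file types from a backup tree onto a rebuilt host, skips anything that can carry persistence (executables, scripts, shortcuts), and checks every candidate file against a pre-incident hash manifest so that a file the attacker altered before the backup ran is rejected rather than quietly restored. The manifest format (one `sha256  relative/path` line per file), the extension lists and the sample backup tree are assumptions constructed for the example.

```python
"""Added example (not from the article): restore data files only, verified
against a pre-incident hash manifest, onto a freshly rebuilt host.

Assumptions for the example: manifest lines look like 'sha256  relative/path',
the allow/deny extension lists below, and a constructed backup tree in demo().
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Data types the business usually needs back. Anything else is rebuilt from
# known-good media rather than restored. (Assumed list for the example.)
DATA_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".csv", ".sql", ".bak", ".json"}

# Types that commonly carry persistence and must never come back via "restore",
# even if someone later widens DATA_EXTENSIONS.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".vbs", ".js", ".lnk", ".scr"}


def load_manifest(text: str) -> Dict[str, str]:
    """Parse 'sha256  path' lines (comments allowed) into {path: sha256}."""
    manifest: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        manifest[rel.strip()] = digest.lower()
    return manifest


def sha256_file(path: Path) -> str:
    """Stream the file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(rel: str, path: Path, manifest: Dict[str, str]) -> str:
    """Return one of: restore, skip-type, skip-unknown, reject-hash."""
    ext = path.suffix.lower()
    if ext in BLOCKED_EXTENSIONS or ext not in DATA_EXTENSIONS:
        return "skip-type"
    expected = manifest.get(rel)
    if expected is None:
        # Not in the pre-incident manifest: investigate it, don't restore it.
        return "skip-unknown"
    if sha256_file(path) != expected:
        # Content changed after the manifest was taken: treat as tampered.
        return "reject-hash"
    return "restore"


def restore_data(backup_root: Path, target_root: Path,
                 manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Copy only verified data files; report the verdict for every file seen."""
    report: Dict[str, List[str]] = {"restore": [], "skip-type": [],
                                    "skip-unknown": [], "reject-hash": []}
    for path in sorted(p for p in backup_root.rglob("*") if p.is_file()):
        rel = path.relative_to(backup_root).as_posix()
        verdict = classify(rel, path, manifest)
        report[verdict].append(rel)
        if verdict == "restore":
            dest = target_root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed backup tree: one good file, one tampered file, one binary,
    one data file the manifest never knew about."""
    good = b"id,amount\n1,100\n"
    original_q3 = b"original q3 workbook"
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        target = Path(tmp) / "rebuilt-host"
        (backup / "finance").mkdir(parents=True)
        (backup / "finance" / "ledger.csv").write_bytes(good)
        (backup / "finance" / "q3.xlsx").write_bytes(b"tampered-by-attacker")
        (backup / "finance" / "helper.exe").write_bytes(b"MZ\x90\x00")
        (backup / "finance" / "notes.pdf").write_bytes(b"%PDF-1.4")
        manifest = load_manifest(
            "# pre-incident manifest (constructed)\n"
            + hashlib.sha256(good).hexdigest() + "  finance/ledger.csv\n"
            + hashlib.sha256(original_q3).hexdigest() + "  finance/q3.xlsx\n"
        )
        return restore_data(backup, target, manifest)


if __name__ == "__main__":
    for verdict, files in demo().items():
        print(f"{verdict:13} {files}")
```

The report is the point: every file that did not come back is listed with a reason, so the recovery lead can hand “skip-unknown” and “reject-hash” items to the investigation team instead of having them silently dropped or, worse, silently restored.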
7. Pivot
In his book, Only the Paranoid Survive: How to Exploit the Crisis Points that Challenge Every Company and Career, former Intel CEO Andrew Grove discusses how successful organizations identify inflection points and use them to pivot in order to take advantage of a situation and improve the organization. For many, cyber incidents are stark inflection points or wake-up calls, but they also offer many opportunities to shed legacy systems, improve processes, and advance the organization at a speed previously only dreamed of.
The Don’ts
1. Let everyone ‘help’
In the chaos of a cyber incident, it’s tempting to accept all offers of assistance. However, this can complicate containment, control of information, and progress tracking. Depending on your organization’s profile, you might find that the ‘help’ provided benefits the third party’s publicity and association with the incident more than that of your own organization.
2. Anticipate resolution by Monday
No matter how keen you are to get it over and done with, a cyber incident is a marathon, not a sprint. Even if an incident hits on a Friday evening and we’re able to get you functional by Monday, there will still be fallout, disruption, and lessons that need to be learnt.
3. Downplay the impact, or overplay your commitment to data security
Many organizations have tarnished their reputations by making statements they later had to retract. Post-data breach, claiming “We take your data security very seriously” invites skepticism and scrutiny about your security measures. Denying an incident or its impact can be even more damaging, as it paints you as untrustworthy. This is where trained crisis communication specialists become invaluable. They can deflect blame, draw attention away from negative aspects, and highlight positive messages the company wishes to convey.
4. Jump steps
In the aftermath of an attack, organizations are often tempted to rush into restoring systems and operations. This can be detrimental and prolong recovery. Threat actors commonly attempt to re-enter the environment post-attack to assess recovery progress and target backup systems, aiming to force a ransom payment for decryption. If they spot backup mechanisms they could not reach the first time, they’ll likely try to delete or encrypt them. Therefore, it’s crucial to complete the containment and eradication phases first, and to have robust detection in place to identify any returning threat actors, before initiating recovery.
5. Avoid legal obligations
Even if you believe a cyber incident has gone unnoticed, always report it if there is a regulatory requirement to do so. A rising tactic among threat actors is to report incidents to regulatory bodies themselves if they think a ransom payment is unlikely. In 2023, the ransomware group ALPHV/BlackCat reported MeridianLink to the US Securities and Exchange Commission (SEC) for failing to disclose their cyber-attack within the SEC’s four-business-day disclosure window. Failure to meet regulatory requirements often results in steeper fines than those imposed following appropriate disclosure, and may earn you a place on lists of what not to do during a cyber-attack.
6. Buy more security tools
Cyber security incidents can be costly, and there are unscrupulous vendors ready to capitalize on your crisis by selling you unnecessary tools. Often, organizations already have access to tools and resources that are simply not activated or properly configured. Using them not only enhances the organization’s cyber security posture, but also saves it money. During incidents, you may be able to get trial licenses or temporary licensing increases to help support you until you reach a stable position. At that point, you can reassess your needs and map your tools and exposure against the MITRE ATT&CK framework. This allows even non-tech-savvy individuals to identify weaknesses in defenses and monitoring and to determine the most effective combination of tools and mitigations to suit their risk appetite.
7. Play the blame game
The sole culprits for a cyber-attack are the threat actors. Assigning blame and finger-pointing during or after an incident can seriously hinder response and recovery efforts. It can also discourage individuals from reporting potential future incidents for fear of punishment or other repercussions.
Mark Cunningham-Dickie is a Principal Incident Response Consultant for Quorum Cyber. He has over 20 years’ experience in the technology industry including more than ten working in technical roles for law enforcement and other government funded organizations. Mark has an MSc in Advanced Security and Digital Forensics and a BSc (Hons) in Computer Science.