What should you do within the first 24 hours of a disruptive cyber attack?

Over the past few years disruptive cyber attacks have increasingly become commonplace, with ransomware topping the list. Even nation-state attacks have been rising in prominence, with devastating wipers destroying systems or, as with NotPetya and WannaCry, whole networks within minutes. It goes without saying that organisations need to be prepared to respond to the growing risk of destructive threats.

Unfortunately for some, what is thought of as traditional cyber incident response and mitigation exercise can quickly become more of a recovery issue, and needs to be dealt with in the right way. There are many elements that need to be well understood when tackling a malicious threat actor which has just destroyed your network. This blog will look at a particular example of a cyber attack and highlight three critical elements, communication, prioritisation and recovery (CPR), which need to be tackled within your first 24 hours. The decisions taken and strategy set in this time window often determine the success or failure of a response and, in my experience, their complexity should not be underestimated. 

Picture yourself in this scenario

Just for a moment, I want you to pretend you are sitting at your office computer. Suddenly your computer shuts down and the screen goes black. Thirty seconds later, everyone is standing up, looking around and scratching their heads as their screens have also gone dark. You try to pick up the office phone to phone IT support. It doesn’t work, and just shows “cannot connect to the server” on the screen. You try and see if you can access the global address book or email on your phone and realise it also just says “cannot connect to the server”. Something is not right. What do you do next? Where do you start? After all, you are the CIO, or even the IT manager, so you should be prepared for this, right?

Time to perform CPR...

Communication

Communication during any cyber incident or crisis is key. Without clear, early communication you will spawn siloed, competing and incompatible pockets of response activities which are destined to fail. When it comes to the risks of destructive attacks, the only real solution is to have a designated out-of-band communications system which has no reliance or connections to your day-to-day IT estate. Stakeholders of the organisation need to know how to access the system and use it to its full potential in corralling staff into supporting a cohesive recovery process. Some key questions when it comes to communication:

  • Is it truly out of band, and has no reliance on your day to day infrastructure? Is it mobile?
  • Do you need a mechanism to share files, create groups?
  • Do stakeholders know how to access it, and has it been tested?
  • If you need to sign people on, how do you validate who they are? How do you get them the details on how to connect?
  • How do you get individual messages out to thousands of staff members, such as when creating new accounts and passwords en masse? Remember, staff wont have email, and you need to ensure you have their personal details, up to date and accessible.

Prioritisation

If there is one thing my experience has taught me, it’s that it will take you time to work out where to even start. Which system do I need to rebuild first? Do I have a backup that hasn’t been destroyed? How do I get to the backup if I have no systems to access? Where are the encryption keys for that backup?

Senior management need to understand the current situation and scale of the problem, and the likely effort ahead. Don’t sugar coat it - that will not do you any favours down the line when you’re trying to explain why the email system is still not back online after five days.

It is important for the executives to work closely with IT and highlight, in absolute priority order what the business needs to stay operational. This could include document management systems, email, telecommunications, financial systems, customer portals etc. Everyone has to be willing to give a bit in these discussions - not all systems can have top priority in recovery.

Once each priority is identified, it is important that all required staff focus on tackling that restoration one problem at a time. For every system there will often be numerous dependencies or other systems which need to be rebuilt. For example, dependencies for an email service could include multiple email servers, an Active Directory server, DHCP and DNS servers, a desktop or remote active sync that can connect to retrieve emails.

It is equally important that staff focusing on rebuilding systems have the time and the space to do so. Constant meetings and pulling people away from their priority tasks to tackle side issues will inevitably deter them from ensuring an effective and rapid rebuild process.

Recovery

You absolutely need to understand why your systems went down. How did something propagate through the network and destroy everything? Not fully understanding the root cause may set you back to square one only moments later as you introduce systems back onto the network. 

A crucial part of avoiding a similar catastrophe is ensuring that security controls are built into the systems being rebuilt and reintroduced into the network. Layering these controls and mitigations with further levels of protection will reduce the risk of a cyber threat from achieving its goal, as well as assist with the prevention of critical data from being leaked. I like to think of it as a game of ‘pass the parcel’ -  each person in the circle will have a go at opening the present, but will only be tearing off one layer of wrapping at a time, further making it harder and delaying them from reaching the gift. This layering will also help you reduce the risk should you need to loosen a control that may impact certain systems from operating correctly. Just don’t hold back; it is much easier to reduce any restrictive controls later when you feel you have the right layers in place than it is to try and introduce new controls later.

When it comes to risk, don’t forget about your people; it is not just the technology and process aspects. Staff will be working hard and you need them more than ever before. They will be tired. Look after them, ensure they rest, eat well and have the mental resources they need to underpin a fast and effective response.

I hope this blog gave you some helpful insight on the key areas of focus when experiencing a disruptive cyber incident. For more information on how we can help you to prepare for, respond to and recover from a cyber incident, please get in touch or visit our cyber incident response page.

Contact us

James Campbell

Incident Response - Director, PwC United Kingdom

Tel: +44 (0)7565 844 153

Follow us