17 March 2022
Cyberattacks are still too often equated with IT crises only. However, and recent history has proven it (NotPetya, GandCrab, Emotet, Clop…), they actually impact all services as well as the reputation and image of any targeted structure. Any cyber crisis is necessarily transverse and must be managed by actors who are not always used to work together. They must then find a common language and pursue the same interests. Thus, within the framework of cyber-crisis management, the IT teams are almost always joined by the communication and legal teams, human resources, and the several professions concerned by the event.
One of the specificities of the cyber crisis is that it can be the result of the late detection of a cyberattack that originated several months earlier. The attacker was gradually able to arrange his charges and activate them at the right time (during a vacation or over the week-end for example). One of the qualities of the crisis organization is then its ability to react to the event. It must be capable of implementing emergency measures to limit the impact, avoid over-accidents and adopt a defensive posture. It can also deploy precautionary measures to preserve its vital assets (Active Directory, backups, etc.).
Another specificity: during a cyber-crisis, it remains impossible, or imprudent, to rely on the usual means of communication (Skype, e-mails…) because they may be out of order or compromised.
As a result, the entire organization’s way of working and exchanging must be reviewed. The impacts are also strong on business continuity plans. New ways of doing things are important, and those must be known by that the stakeholders in the crisis management system before they are triggered.
<h3>Cyber crisis: knowing your weak points
Apart from pure opportunism, cybercriminals know, in most cases, what they want to get before launching their attacks. Targeted and prepared well in advance, these attacks are rooted in the vulnerabilities of each organization, whether they are purely computer-related or organizational in nature.
The first step in preparing for a crisis is to be aware of your own vulnerabilities. This involves technical and organizational audits. It is also advisable to determine the events that are likely to have the most critical consequences, but also the most likely events. This approach by probabilities and impacts allows for the identification of realistic attack scenarios from which all the pre-crisis preparation will follow.
The objective of anticipation is to reduce the risk of occurrence and to prepare in advance everything that can be done. This makes it possible to limit negative impacts as much as possible and avoid the risk of over-accidents.
Thus, it is recommended to carry out upstream simulations with the teams concerned. This will enable them to determine the emergency, precautionary and/or quarantine measures that they could take at the appropriate time to reduce the impact of a cyber-attack.
Preparation also helps to anticipate the tension that a crisis can cause, whether it is cyber or not. Stress and fatigue are real and sometimes increased tenfold by misunderstanding. During the first few hours, it is often difficult to know exactly what is happening and to identify the source(s) of the attack and its scenario.
The ability of employees to keep a cool head, work together and make the right decisions quickly lies in having learned the right moves in advance and being able to apply a simple and effective method; improvisation is not an option.
The first step in building an effective crisis management organization would be to conduct a risk analysis or build on a vulnerability audit previously conducted, ideally less than a year ago.
Thereafter, it is important to think about the best possible organization, taking into account the context and scope of the company. Finally, the drafting of a crisis management policy and the construction of a documentary kit is necessary. The documentary kit mainly consists of (the following list is not exhaustive) :
Defense plans: they list the means by which a company is protected.
The trigger matrix: it allows for the qualification of an incident according to pre-established criteria and to prove or not the crisis situation. This matrix must be known to the first personnel informed of the incident (supervision, help desk or help center, Security Operation Center or SOC, third parties, etc.) as well as to the employees in charge of mobilizing the crisis unit with dedicated and tested communication means.
The reflex cards: they contain the procedure to follow in case of crisis. Extremely precise and didactic, they indicate, step by step, the actions to be taken, in order, according to the scenarios identified during the audits.
The job descriptions: they are individual and explain what the role of each member of a crisis unit is going to be.
Checklists: not to be confused with job descriptions. They are checklists that include the first actions to be taken and the documents that you need to bring with you (job cards, reflex cards…).
Call trees: there are as many call trees as there are crisis cells. They contain the contact details of the primary contacts as well as that of the substitutes in the case of an incident.
Contact sheets: these contain the contact details of all employees who can provide assistance during a crisis, but who are not part of a crisis management unit.
Legal documents: during a crisis, there are legal documents to be provided to the authorities and insurance companies. They include all the actions carried out during the crisis, by whom and their objectives.
In general, each company creates two multidisciplinary crisis management units: the first one is decisional (it determines the strategy to be adopted to manage the crisis while reducing the impact on the company’s activities as well as its image and reputation). The second is more tactical (it coordinates the actions defined by the decision-making cell). To these will be added others, more specialized, but also more operational (their members implement the actions decided upon above). It should be noted that this specific organization is particularly adapted to large companies.
The members of a crisis cell, once identified, are trained to know their responsibilities as the limit of their role. They also learn to master new secure tools for communication. Remember, during a cyber crisis, the traditional channels (email, Skype, SMS…) can be put out of service.
A cyber crisis management exercise is, as its name suggests, a simulation of a cyber-attack. This can take several forms depending on the objectives and means of each client: from a simple simulation, with an educational aim, to a fake attack carried out under more realistic conditions. It is also possible to involve a Red Team to test the detection of an attack and the mobilization of the crisis unit.
In general, the duration of a crisis management exercise can vary from one hour to half a day. In the latter case, the exercise involves one or more crisis management unit(s) working in the same geographical area and therefore in the same time zone.
It takes about a month to prepare this kind of simulation.
If the exercise is conducted in countries with a large time-zone difference, it can take up to a full day or more to complete and involve several crisis management units. It should be noted that it is also possible to run the exercise in “condensed time”.
The preparation time can easily reach three to four months for a multi-cellular and/or international exercise.
Important precision: everything is always simulated. As an illustration, in a factory, it is not a question of stopping a production line. An accomplice agent can call the help desk announcing: “My PC is no longer working. Before shutting down, the screen displayed a ransom demand. Can you help me? ».
To involve all actors of a company (and not only IT experts), the scenario created must be close to reality. It can be based on the audits and risk analyses carried out prior to the exercise, and thus represents the most likely threats with the greatest impact for the company.
For a bank, it is possible to create a scenario based on a misappropriation or extortion of funds for example. For a site specializing in e-commerce, it will rather be a leak of personal data. These examples are concrete, and more meaningful than a “ransom attack” or “denial of service” for employees who are not familiar with IT issues.
During the crisis management exercise, all the elements prepared beforehand will make sense. The aim of an exercise is to test the knowledge of the people trained, but also to create automatisms with employees who are not necessarily used to managing this type of situation.
At the start of an exercise, the members of the crisis management unit must, among other things (the list is not exhaustive):
Note that the organizers of the exercise (animation cell) regularly send stimuli, but also false leads to stick as closely as possible to the conditions of a real attack.
At the end of an exercise, a post-mortem analysis is performed to collect participants’ feelings. This is also the most relevant time for each cell group member to understand what they did right, but also the mistakes they made. More than the exercise, it is actually the debriefing that is the most rewarding.
Following this, a report is given to the client. It contains :
On this last point, it sometimes happens, for example, that some members of a crisis management unit are too discrete or, on the contrary, too authoritarian. The action plan also offers the opportunity to become aware of such pitfalls so as to correct them as best as possible.
The post-mortem analysis, like the writing of the action plan, has only one goal: continuous improvement. Thus, the crisis management policy, like all the documents mentioned, must be regularly updated. It is also advisable to continue to train cell members regularly and to test their knowledge in an exercise at least once a year.
A company’s ability to respond to and contain the negative impacts (on its businesses, activities, personnel, image and reputation) of a crisis depends on its level of preparation and training. Here, in short, is the procedure to follow to best prepare for a cyber-crisis:
Analyze the weaknesses of the company.
Identify its most sensitive data.
Draft a crisis management policy.
Write a documentary kit (see list above).
Set up crisis cells, appoint members and their substitutes.
Define their roles and responsibilities and limits.
Think about the coordination between the different members and the different crisis management units.
Train each member in crisis management and new secure communication tools.
Create an exercise scenario based on a known vulnerability and the most likely threat with the greatest impact.
During the simulation, frame the intervention perimeter in order to avoid the risk of over-accidents.
Observe the actions of each person, note them carefully.
Pace the exercise with stimuli designed to recreate the tension of a crisis.
At the end of the exercise, perform a post-mortem analysis session.
Write an annual report and an action plan for continuous improvement.
Regularly conduct training sessions.
Conduct crisis management exercises at least once a year.
Regularly update all the above-mentioned documents.