Cyber-attack response: Adopt the right posture in 5 steps

The reality of the cyber threat is now well accepted by organizations who know they are cybercriminals' targets. Criminals use a variety of sophisticated techniques to access sensitive information (financial information, personal data, trade secrets, etc.), sometimes without being detected. The consequences of such intrusions can be disastrous for businesses, from loss of data and reputational damage to significant financial losses. With the growing scale of cyber threats, knowing how to respond to a cyber attack is essential. The immediate reflexes are now well known: isolate infected systems and apply all the precautionary principles that organizations have put in place in advance. But what to do next?

“The posture to maintain will be decisive in the long term because it is what will allow the affected organization to rebuild itself without suffering too much,” explains Romain Naïm, Principal Consultant at Orange Cyberdefense. Focus on 5 essential steps to adopt the right posture in the event of a cyber attack.

Step 1: Qualify the event

Not every security incident is automatically a crisis, so the nature of the cyber attack must first be analyzed. This involves drawing up a list of the services potentially affected by the attack.

The objective is to understand how the attack took place and define the scale and scope of compromise in order to guide the experts who will be responsible for crisis management. What are the operational services, systems, and users that are at risk? What is their number? What are the links between the different compromised assets and their respective access? What is the compromise path taken by cybercriminals? This step is made easier and faster when the company has an up-to-date, real-time map of its information system.

This identification phase will make it possible to better understand the extent of the compromise and to prioritize the remediation actions to be undertaken. It will also give teams more visibility into the unavailability of certain services and tools and will thus guide them in implementing a business continuity strategy.
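The scoping questions above (which systems and users are in scope, how many, how compromised assets are linked, and by which path) can be answered mechanically when an asset map exists. The following is an added illustration, not code from the article or from Orange Cyberdefense: it walks a constructed map of access links between hosts, derives the candidate compromise path to each reachable host, and ranks the business services touched by that scope by criticality so remediation can be prioritized.

```python
from collections import deque

# Constructed asset map (hypothetical names). ACCESS_LINKS: which hosts a given
# host can reach. SERVICES: the hosts each business service depends on,
# with criticality 1 = most critical.
ACCESS_LINKS = {
    "vpn-gw": ["jump-01"],
    "jump-01": ["ad-dc01", "file-01"],
    "ad-dc01": ["erp-db", "mail-01", "file-01"],
    "file-01": [],
    "erp-db": ["erp-app"],
    "erp-app": [],
    "mail-01": [],
    "hr-portal": ["ad-dc01"],  # not reachable from the VPN entry point
}
SERVICES = {
    "Payroll": {"hosts": {"erp-app", "erp-db"}, "criticality": 1},
    "E-mail": {"hosts": {"mail-01"}, "criticality": 2},
    "File sharing": {"hosts": {"file-01"}, "criticality": 3},
    "HR portal": {"hosts": {"hr-portal"}, "criticality": 2},
}

def compromised_hosts(initial, links=ACCESS_LINKS):
    """Hosts reachable from the initially compromised ones over access links.
    Returns {host: path}, where path is the shortest route by which the
    host could have been reached (the candidate compromise path)."""
    paths = {h: [h] for h in initial}
    queue = deque(initial)
    while queue:  # breadth-first walk over the access links
        host = queue.popleft()
        for nxt in links.get(host, []):
            if nxt not in paths:
                paths[nxt] = paths[host] + [nxt]
                queue.append(nxt)
    return paths

def affected_services(initial, services=SERVICES, links=ACCESS_LINKS):
    """Services with at least one host in scope, most critical first."""
    scope = set(compromised_hosts(initial, links))
    hits = [(svc["criticality"], name, sorted(svc["hosts"] & scope))
            for name, svc in services.items() if svc["hosts"] & scope]
    return sorted(hits)

if __name__ == "__main__":
    for host, path in compromised_hosts(["vpn-gw"]).items():
        print(f"{host:9s} via {' -> '.join(path)}")
    for crit, name, hosts in affected_services(["vpn-gw"]):
        print(f"P{crit} {name}: {hosts}")
```

Running it from the VPN gateway as the first known compromised host shows Payroll, E-mail and File sharing in scope while the HR portal is not, which is exactly the kind of per-service picture the crisis unit needs before the forensic report is final.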

Investigations can sometimes last several weeks. No need to wait for a detailed and finalized report before launching the next step!

Step 2: Bring together internal stakeholders within a crisis unit

Once the perimeter of the attack has been established, and if the potential impacts are significant enough, it is time to activate the crisis unit, whose composition has been defined beforehand. While the crisis primarily mobilizes the cyber and IT teams, the crisis unit must integrate the other functions that have a role to play in crisis management in the broad sense: business, legal, communication, product, etc. This expanded crisis unit makes it possible to deal with the different aspects and impacts of the crisis. This involves setting clear, factual crisis-exit objectives and defining a strategy to achieve them.

The crisis unit will be all the more effective and responsive if the procedures and rules have been defined upstream and the members have been trained and exercised. An initial inventory of the situation will give everyone the same level of information. Regular updates will then be carried out, listing actions in progress and decisions to be taken.

Step 3: Make decisions

The essence of a crisis is uncertainty, and the worst enemy of crisis management is inaction. To act in a cyber crisis, the perimeter of the cyberattack must be anticipated and defined. The elements collected during step 1 help the experts to project the affected systems onto business operations. This work makes it possible to identify all affected stakeholders, internally and externally, and to put in place action plans to remedy the identified impacts, as proactively as possible.

Decision-makers require intelligence, not information, to make informed decisions. The crisis unit is responsible for processing and analyzing incoming information to propose action plans to the crisis director, who can either accept, amend or reject them. The vision of benefits versus risks must guide these decisions.

Once the action plans have been approved, it is up to groups of experts to implement them.

Step 4: Contact incident response experts

Knowing how to surround yourself with experts is a key element in cyber crisis management. This is also what ANSSI calls “Activating your support networks” in its guide to the cyber crisis. It is recommended to contact IT security professionals within the first hours of discovering the cyber attack.

Cyber crisis management can involve various partners and service providers. The company therefore has every interest in appointing people responsible for coordinating these different experts. Depending on the nature of the cyberattack, the legal obligations, and the regulatory constraints to which the company is subject, it must also make a declaration to ANSSI or notify a personal data breach to the CNIL. To support you in this step, Orange Cyberdefense offers a service called “Incident Response”, a CSIRT service to defend companies from cyberattacks.

Business experts who are as close as possible to the daily operational challenges will have to rethink activities in degraded mode, beyond the technical aspects that need to be managed. They will be responsible for implementing the action plans validated by the crisis unit in order to remedy the most critical impacts. Activating a business continuity plan (PCA) or a disaster recovery plan (PRA) may be required if circumstances allow.

Step 5: Inform stakeholders

It is imperative to inform employees about the ongoing cyber attack and to give them instructions on the procedure to follow: which accesses are cut and which services are inoperative, what is the envisaged recovery time, etc.

But the need to communicate often goes beyond this first circle. When an organization is affected by a cyberattack, its entire institutional communication strategy must be considered.

Maintaining, or even regaining, the trust of partners is a major challenge which, if poorly managed, can result in a succession of additional impacts (e.g. a critical supplier cutting off its flows for fear of a follow-on attack through the compromised organization).

Communicators must be involved in crisis management from the very beginning for several reasons:

  • Developing a communications strategy and producing and validating materials takes time. It is important to start working on communication before deciding to communicate.
  • A cyberattack raises complex technical issues, especially for the uninitiated. Creating a link between technical experts and communicators is imperative to ensure the coherence of the communication.
  • Centralizing the production of language elements, which can then be adapted to the targeted stakeholders, avoids discrepancies between sources.

Fully transparent crisis communication is generally recommended, but be careful not to reveal information that could further compromise the information system.

Finally, to gain efficiency, the press release validation process must be formalized before the crisis.

In summary

Resolving a cyberattack requires time and effort. Organizational resilience is built over time, and the cyber crisis management system must be prepared upstream.

It is by relying on a robust crisis organization and using already existing procedures and processes that the implementation of these 5 steps can be done smoothly and efficiently.

Orange Cyberdefense is your trusted service provider to support you during each of these stages, before and during the cyberattack.

If you wish to learn more on how to prepare for a cyber crisis, download our whitepaper Readiness, response, and getting back to business after a cyber crisis.
