IT equipment and data are critical assets for organisations. Unavailability or damage of that equipment and data caused by a cyberattack can significantly impact an organisation's finances and reputation, or even threaten its survival. Cyberattacks therefore represent a serious crisis to which every organisation should know how to react.

Organised cybercrimes, organised solutions

Cybercriminals spend a considerable amount of time setting up a cyber-attack to make sure it will succeed. As organised as a cyber-attack is, the response to it must be managed just as methodically. The management of such a crisis should happen at the highest level of the organisation, involving the IT Responsible, their team and, if the organisation has one, the security team. The immediate goals are to limit the impact of the attack, allow business operations to resume as soon as possible, and establish the additional security measures to put in place to avoid a recurrence of the incident.

Cyber security incident management is not a linear process; it’s a cycle that consists of preparation, detection, incident containment, mitigation and recovery. The final phase consists of drawing lessons from the incident in order to improve the process and prepare for future incidents. During this cycle, communication with both internal and external stakeholders is of critical importance.

This article aims to help organisations facing a serious cyber-attack, or wanting to be prepared in case one happens, to identify the main actions needed to manage the incident.

For advanced guidance on incident management you can consult the Cyber Incident Management Guide of the Cyber Coalition.


What to do first?

When confronted with a cyber-attack, specific actions can be taken to stop it and contain the risks:

1. Immediately notify the IT Responsible

The IT Responsible will know best how to deal with the incident and how to resolve it as quickly as possible. If the organisation has no IT Responsible, reach out to someone from leadership and follow their instructions.

Always report every incident

Incidents should always be reported to the IT Responsible, even if they were only observed second-hand or there is only a slight doubt. The sooner the right people can act on it, the smaller the consequences of the incident.

2. Isolate the infected resources

Cut off all connections from the infected resources to the Internet and to the local corporate network (unplug the network cable, disable Wi-Fi), so that the cybercriminals cannot move from one system to another and spread the attack. Do NOT turn off the computers in question: powering them down erases the volatile traces left by the perpetrators (memory contents, running processes, active network connections) that investigators need.

3. Appoint a crisis management team

Coordinating the various domains involved (e.g., technical, HR, financial, communication, legal, etc.) is a key element when dealing with a cyber-crisis. The role of the crisis management team is to supervise the specific actions each domain should take during the crisis. Sensitive communications on the progress of the incident should take place on a separate and secure channel, i.e. one the attackers cannot read; the corporate e-mail or chat system may itself be compromised.

4. Keep a register of all events and all actions executed

Keep a timestamped record of all events (what was observed, when, on which system) and of all actions taken (who did what, when). This record will be presented to the investigating authority and will help the IT Responsible establish the lessons learned from the incident afterwards.

5. Keep all the evidence from the attack

This task is carried out by computer specialists. They will examine the affected computers and look for clues as to the perpetrator, such as changes in the system, configuration files or company data. They will also determine whether the perpetrators have installed any malicious software. Finally, it is important to thoroughly examine all log files on the system.

Keep all messages received, the affected machines, connection logs, etc. as evidence, and avoid altering them (work on copies where possible). Just like the record of all events and actions, this evidence will be important in the investigation afterwards.
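As an added example that is not part of the original page, the Python script below shows one way to keep both the register of events and actions (point 4) and the evidence (point 5) in a form that holds up afterwards: an append-only register with UTC timestamps, and a SHA-256 manifest of every collected file so that any later alteration of the evidence can be detected. The host name, file names and log lines are constructed for the demonstration.

```python
"""Incident register and evidence manifest (added example, not CCB code).

All file names, host names and log lines below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def now_utc() -> str:
    # Always record UTC so timelines from different systems line up.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def log_event(register: Path, who: str, action: str, detail: str = "") -> dict:
    """Append one entry to the incident register (JSON lines, never rewritten)."""
    entry = {"time": now_utc(), "who": who, "action": action, "detail": detail}
    with register.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large log files or disk images do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, manifest: Path, collected_by: str) -> dict:
    """Hash every file under evidence_dir and write the manifest next to them."""
    items = {}
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file() and p != manifest:
            items[str(p.relative_to(evidence_dir))] = {
                "sha256": sha256_file(p), "bytes": p.stat().st_size}
    data = {"collected_at": now_utc(), "collected_by": collected_by, "files": items}
    manifest.write_text(json.dumps(data, indent=2), encoding="utf-8")
    return data


def verify_manifest(evidence_dir: Path, manifest: Path) -> list[str]:
    """Return the names of files that are missing or whose hash no longer matches."""
    data = json.loads(manifest.read_text(encoding="utf-8"))
    bad = []
    for name, meta in data["files"].items():
        p = evidence_dir / name
        if not p.is_file() or sha256_file(p) != meta["sha256"]:
            bad.append(name)
    return bad


def demo() -> tuple[int, list[str], list[str]]:
    """Constructed scenario: collect two artefacts, verify, then tamper with one."""
    root = Path(tempfile.mkdtemp(prefix="incident-"))
    evidence = root / "evidence"
    register = root / "register.jsonl"
    manifest = evidence / "MANIFEST.json"
    evidence.mkdir()
    # Constructed sample evidence: a phishing mail and a firewall log excerpt.
    (evidence / "phishing.eml").write_text(
        "From: invoice@example.invalid\nSubject: Overdue invoice\n\nSee attachment.\n")
    (evidence / "fw.log").write_text(
        "2024-05-03T09:12:41Z DROP 10.0.5.17 -> 203.0.113.9:4444\n")
    log_event(register, "IT Responsible", "isolated host", "WS-017 unplugged from LAN")
    log_event(register, "IT Responsible", "collected evidence", str(evidence))
    build_manifest(evidence, manifest, "IT Responsible")
    clean = verify_manifest(evidence, manifest)          # expected: []
    # Someone "tidies up" the log afterwards: verification must flag it.
    (evidence / "fw.log").write_text("")
    tampered = verify_manifest(evidence, manifest)       # expected: ["fw.log"]
    entries = register.read_text(encoding="utf-8").splitlines()
    return len(entries), clean, tampered


if __name__ == "__main__":
    print(demo())
```

Store the register and the manifest on a system the attackers do not control (a separate machine or offline medium), and record the manifest's own hash in the register, so the chain from "what was collected" to "what is handed over" is verifiable.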

As a matter of principle, you should NOT pay ransom to criminal organisations

We strongly advise against paying a ransom. There may be situations in which payment is the only option left, but keep in mind that the attackers are primarily interested in financial gain: paying does not guarantee that you will get your data back, and any opportunity to extort more money from you will be evaluated by these actors.

How to manage the crisis?

1.    Implement fallback solutions

Establish which other resources can be used to replace the infected ones in order to ensure the continuity of critical operations. If the organisation has a Business Continuity Plan or a Disaster Recovery Plan, use it to identify what should be done to manage the crisis.

2.    Report the incident to the relevant authorities

Reporting not only helps to investigate the incident, but also allows other organisations to avoid falling victim to the same attack. Reporting may also be a legal requirement in some cases.

•    The police
If money is lost or the company is being extorted, we recommend reporting it to the police. You can file a report with the local police where you live. It is important to bring along as much information as possible (e.g. relevant bank statements, screenshots, printouts, etc.) when going to the police station.

•    Bank and Cardstop
Contact your bank and call Cardstop on 078 170 170 if you have passed on bank details, money has disappeared from your bank account or if you have transferred money to a scammer. This allows for fraudulent transactions to be blocked. If you want to report the fraud, you can contact your bank by calling a specific number that can be found on https://beschermjezelfonline.be/bank-contacteren-for-help

•    Safeonweb
If you received a suspicious e-mail or message, forward it to suspicious@safeonweb.be and then delete it.

•    Mandatory reporting of NIS incidents
Reports must be made via the NIS reporting platform (https://nis-incident.be/). The platform is accessible over the Internet through a secure connection, with a unique identification key (login/username and password) for each AED (operator of essential services) and DDV (digital service provider). If the platform is not available, the incident must be reported via the website of the CCB. The platform ensures that the report reaches the CCB, the National Crisis Centre and the sectoral authority.
Find more information here [https://ccb.belgium.be/en/node/899] and here [https://ccb.belgium.be/en/node/903].

3.    Establish the origin and extent of the attack

Identifying where the attack started (the initial point of entry) and how many resources were affected will help you take the right actions to correct the existing security issues and prevent another incident.

4.    Manage the crisis communication

Establish the level of detail and transparency with which information is shared with each relevant party (e.g., staff, clients, suppliers, stakeholders, the media, etc.).
Communicate early and often, and keep your staff, suppliers, service providers and customers informed. Hiding the attack is generally not a good idea, as it can damage your brand's reputation. Be as transparent as possible towards your staff, stakeholders, customers or users, and the press. Even if you do not yet have all the answers, it is important to inform all stakeholders.

5.    Take care of your legal obligations

There are legal obligations to notify authorities such as the DPA/GBA/APD in case of a suspected personal data breach (usually within 72 hours of becoming aware of it): https://www.autoriteprotectiondonnees.be/citoyen/agir/contact (website available in NL and FR). Involve your Data Protection Officer (DPO). The legal team and/or the DPO can also file a complaint with the local police.

What to do after the crisis?

6.    Progressively recover the operations

Check that the attackers have not also compromised the security and integrity of your backup system.
Fix, update, rebuild and reset your authentication system (reset all credentials the attackers may have obtained) and implement multi-factor authentication. Do not restore a system from backups taken shortly before or after the attack: they may already contain the attackers' foothold. Act on the above first and then, and only then, begin rebuilding your systems from the backups. Be careful not to reinfect clean systems during the recovery process. Once a system has been restored, make sure nothing malicious is left on it before reconnecting it to your network. Rebuild your systems in priority order of critical services. Restore servers first, then endpoints. Remove or completely isolate old systems and protocols.


Eradication can take many forms. It often includes actions such as:

•    Running a virus or spyware scanner to remove the offending files and services;
•    Updating signatures;
•    Deleting malware;
•    Disabling breached user accounts;
•    Changing passwords of breached user accounts;
•    Identifying and mitigating all vulnerabilities that were exploited;
•    Identifying security gaps and fixing them;
•    Informing employees about the threat and giving them instructions on what to avoid in the future; and
•    Informing external stakeholders such as the media and your customers. It is also important to inform top management about the eradication and clean-up results and the network situation.

7.    Establish the lessons learned

No organisation wants to relive the same attack over and over again. It is therefore important to establish all the lessons learned from the incident and set up an action plan defining which security measures and investments (e.g., financial, human, contractual, etc.) should be put in place to strengthen the protection of the resources.

8.    Avoid a new attack

It is absolutely essential that the antivirus software is up to date, as well as the operating system and all the applications installed on the workstations. Install a firewall and an Intrusion Detection System. Set up a secure password management policy and implement Multi Factor Authentication, which requires a user to present at least two different types of factor (something they know, such as a password; something they have, such as an authenticator app, hardware token or a code received via text; or something they are, such as a fingerprint) to verify their identity before they are granted access to the resource they are trying to reach. Two factors of the same type, such as a password and a PIN code, do not provide this protection.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.