Every disaster movie starts the same way. Happy people joyfully going about their daily lives, completely unaware of the panic and chaos that is about to befall them. This is exactly how it is in the minutes and hours leading up to a cyber-attack. There is no warning, no lead time to prepare. It’s just calm one moment and bedlam the next.
How would you react if right this second, your organization was hit with an attack? What’s the very first thing you would do? Who would you notify? Would all the key people in your office take swift and appropriate action?
To help you answer these hypothetical questions, I thought it might be helpful to take you inside a cyber-attack, from the first critical event through to its conclusion (good or bad). At each point, you should ask yourself: what would I do?
At 9:10 a.m., an employee inside an organization we’ll call RandomCorp finds they are having file access issues. They notify their supervisors in the organization. Less than an hour later, it becomes clear they have been hit with an Arena Ransomware attack. This is a Trojan horse that encrypts files on the compromised computer and demands a payment to decrypt them.
If it were you, what would your number one priority be in this moment? RandomCorp knew that they had to contain the breach as quickly as possible. Doing this, however, would mean a drastic containment strategy. They would have to disconnect from the internet and shut down critical servers. In essence, they would have to shut down RandomCorp and stop business operations.
This is a huge ask and not one that many executives would be happy to agree to. Would your CEO be able to make that call in the moment? Fortunately for RandomCorp, their CEO was tech literate enough to understand that this is what had to be done.
As it turns out, that tough call was critical in helping to limit the spread of the virus. It protected customers, it protected their critical customer service environment, and it limited the spread within RandomCorp’s production environment.
That was the good news.
What didn’t go well in those first few hours was prompt and effective communication. In the immediate rush to contain the virus, limited forethought went into how they would get the word out to people within the organization and external customers when the email, internet, and phone systems were taken offline.
When some service was restored, service desk people were the front line for both staff and customers wondering what was happening. With little information and no direction on what to say, people relayed their personal interpretation of the situation. This resulted in inconsistent messages that were often short on fact and long on interpretation, which left both staff and customers confused and frustrated. While the situation was controlled and customer data was not in jeopardy, the lack of clear information did not instill confidence that things were being dealt with quickly and competently.
Over the next 30 hours, RandomCorp worked to rebuild or back up and restore each infected server. By 6:00 p.m. the next day, all systems were fully recovered and brought back online.
When the smoke finally cleared, there was no lasting physical damage, but there was a reputational black eye. The lack of clear direction and an insufficient flow of information allowed people to make up their own narrative. And it wasn’t positive.
RandomCorp knew they had to put in safeguards against this ever happening again, so they hired outside professionals to design and help implement an Incident Response Plan (IRP). They reached out to Cisco Security, based on its high level of expertise, to help develop their strategy and plan. Within weeks, building on the extensive experience of Cisco and the requirements of RandomCorp, they had an IRP in place and were able to test it. The plan held up well against a sophisticated simulation and was implemented.
The incident response plan is crucial to avoiding similar mistakes should an attack occur again. Some of the key lessons learned from the cyber-attack were:
• At the moment of discovery of an attack, you need clear access to the right people, with the right knowledge to make the right decision – quickly.
• You do not want your incident response team picked by whoever happens to be available at the time; you need that team to be based on appropriate skills and capability.
• You need a clear communication plan, both internally and externally, including timelines, sample scripts and distribution plans in order to deliver a prompt, consistent message.
RandomCorp’s quick action helped limit the scope of damage. Not everyone is that fortunate. In 2017, a cyber-attack on Maersk Shipping cost them approximately $300m and well over a month of customer impact.
And if you think it would be easier to just pay the ransom, consider this. There is no help desk or honour code when dealing with criminals. There is no guarantee you will get your full system back.
Most breaches involve bad actors who invade your system and steal key data and the information they want, and only then do they make you aware of the ransom notice. By the time you know you’ve been hit, it’s already too late.