How to handle a cyber attack
In my experience, the only effective way to deal with a cyber attack is with advance planning and preparation. Communication is vital, and effective communication during any crisis requires situational awareness and experience. In summary, there are 3 critical threads to manage during a cyber attack:
Communication, Prioritisation, and Recovery
Planning an effective response for a cyber attack requires:
- Secure communications,
- Task prioritisation, and
- Recovery objectives.
Documentation is important, and a timeline of events must be created during the response to preserve evidence and detail activities: who, what, why, when, where, and how.
I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
Rudyard Kipling, ‘Just So Stories’ 1902
During a cyber attack, being able to rely upon a secure channel for communication outside of the systems which are affected is vital. Keep this channel as simple as possible; for example, emergency mobile phones with a 4G data allowance and a secure messaging app are effective.
Do not expect to rely on any internal systems that have any dependence on internally managed services; this includes WiFi, email, contact lists and system access credentials.
Practice and training to create familiarity with the emergency communications procedures is time well spent and is the single most effective improvement I recommend. Schedule regular drills and actively seek out improvements to response and control protocols.
I have seen the results of premature recovery, whilst the intruders are still within the network. Once they believe they have been discovered, attackers have little to lose and wilfully destroy data, infect systems and modify backups. Having a separate and secure communications channel is vital.
Protecting data, determining what happened and preserving evidence are all important elements. Prioritisation requires assessment and is dependent upon many factors including the extent and the nature of the cyber attack.
At the top of my list is to mobilise the incident response team, often a combination of internal staff and external specialists, and their first task should be to secure the systems and start the business continuity programme.
However uncomfortable it might feel, it is critical to share the situation with senior management, who will drive the order of priority when presented with dependencies and options.
Before any work commences, a clear plan for recovery must be created, and the recovery team must remain focused on their tasks without distraction.
Whilst there is always a demand for information and progress updates, it is important that engineers and their recovery processes have space to complete. I find it an effective use of everyone’s time to provide proactive updates and I advocate prescribing in advance a schedule of update broadcasts; every 30 minutes seems to work well for me.
Remember to keep the timeline of events updated too; being able to forecast forwards based upon milestones is valuable to senior business decision makers.
Before starting any recovery activity, it is vital to clearly understand what has happened.
When an attack re-occurs during a recovery process there is significantly greater risk; I have seen minor systems breaches turn into disasters because no effort was made to determine the root cause of the failure before recovery was started.
An approach that works well for me is to use a ‘play book’ of planned recovery procedures. ‘Play book’ protocols can be tested and developed without requiring a crisis.
‘When you fail to plan, you are planning to fail.’ Recovering well-maintained systems is straightforward; I know because I’ve done it. Recovering poorly maintained systems is a nightmare; I know because I’ve done this too.
Elements that are often not thought about include actively managing the incident response and recovery teams. Setting clear team objectives should be obvious, as is staying mindful of each member’s personal wellbeing.
If you’re considering how to recover from a cyber attack or how to handle any IT crisis, I recommend starting with an honest discussion – let me know if you’d like me to contribute.