Breached! What next?

In today's digital age, the threat of cyberattacks is ever-present and poses a significant risk to organisations of all sizes.

With the rapid evolution of technology, it has become increasingly challenging to keep up with the latest cybersecurity threats and vulnerabilities. As a result, it is crucial for senior leaders to take proactive measures to enhance their organisation's incident response capabilities.

First, to bolster an organisation's cybersecurity posture, senior leaders must understand the broad impact of cyberattacks on their organisation, acknowledge potential consequences, and allocate appropriate resources. It is essential to identify critical systems and their recovery order, understand system interfaces and dependencies, and have a high-level architectural view linked to Information Technology (IT) asset registers and a Configuration Management Database (CMDB).

Effective collaboration with IT teams, legal experts, and operations resilience teams is key for formulating a robust response strategy, which together with regular communication and training with employees, can ensure the teams remain vigilant and well-equipped to respond swiftly. Lastly, organisations need to establish a comprehensive recovery plan, including an incident response plan, have regular data backups, and conduct tests of the business continuity programme to minimise the impact of an attack and restore normal operations.

But what should you do if you have been breached? Here are a few things you may consider.

A crisis management structure always provides a solid foundational step in maintaining a steady recovery. Each crisis committee member has specific roles to play, and those in senior positions within the committee can use their role to define the direction of crisis management by asking teams with the right questions, for example:

• Should we pull the plug? Depending on the size of the breach, the questions you raise after the breach will set the course of your business for the coming days. Those questions will also set the tone for your speed of recovery and accuracy of the information processed by the systems.
•  Who is the crisis manager? A cyber-attack may be a unique situation requiring a different kind of governance and command structure, so it is critical to respond accordingly. The role of an incident commander is not to be responsible for all matters of the recovery, but to facilitate the key decisions across the organisation.
• Do we have adequate capacity to run recovery? Handling incidents is not a day-to-day job for those who find themselves at the forefront of a situation, therefore ensuring that there is adequate support to prepare and execute the plan is particularly important. Ensuring that your team has enough available financial and procedural support, as well as cover for the extended hours that may be required, will be a significant step in the right direction for solving the incident. 

Finding the right recovery strategy and following the plan is of utmost importance. Executives should understand the impact and benefits of a strategy before confirming their preference, however, depending on the situation you may be prompted to follow a particular strategy. For example, from an infrastructure deployment perspective, there are three major options:

• Like-for-like recovery - one of the most common options is to recover systems to the same infrastructure (specifically if you have an insurer and the insurer has instructed your recovery team). Here, you can apply a zero-trust principle and detect, clean, and recover your business systems as they were hosted previously. You can also create separate network zones to recover through red and green networks.
• Hybrid infrastructure recovery - using a hybrid approach, organisations can leverage cloud-native tools to bring selected systems live within minutes, for example email and videoconferencing tools (e.g., Office365 or Google Workspace). This will enable the teams to collaborate, while other business systems are being recovered to their original hosting infrastructure or to a new environment.
• Public cloud recovery - with cloud recovery, organisations can use cyber incidents as an opportunity to rethink their hosting strategy and migrate to public cloud. Many companies have legacy infrastructure or unsupported versions of operating systems, so recovering these systems to their original states (before incident) can often be lengthy and complex. Instead, organisations can look for opportunities to develop a new cloud landing zone and quickly deploy a fully patched infrastructure-as-a-service (IaaS) environment to host their business systems.

Your recovery plan will be different depending on the selected recovery strategy; however, all recovery strategies have three common workstreams: execution, security monitoring, and progress monitoring.

• Execution: Alerting relevant authorities, as well as your ransomware insurer (if you have cover), is a necessary first step. From a technical perspective, the moment you notice a ransomware demand or see encrypted files, you should disconnect the machine from the network and isolate it as quickly as possible. Then, assess your entire IT estate to determine the level of infection across your physical infrastructure, virtual infrastructure, and end user devices. Finally, select an appropriate recovery strategy for each IT asset and bring the systems online for business users.
• Security monitoring: In parallel with restoration, it is important to have a dedicated Security Operations Centre (SOC) team to monitor your IT infrastructure for any suspicious behaviour. Consider using Endpoint Detection & Response (EDR) software to constantly scan your IT assets, identify threats that may still linger within your environment, and automatically take remedial action.
• Progress tracking and Communication: Keeping business stakeholders informed about the recovery progress is essential for informed decision-making. Consider providing daily updates to C-level executives, presenting clear insights into the entire IT landscape, such as the number of affected offices and data centres, the count of clean (or recovered) systems, and any potential issues causing delays. This transparency helps stakeholders grasp the challenges and intricacies of the recovery process, understanding that an immediate restoration of everything is not possible. It is crucial for both business and IT leaders to comprehend that decryption keys alone cannot resolve the situation overnight. Organisations must invest efforts in rebuilding, cleansing, and hardening the infrastructure to prevent future incidents. Often, senior stakeholders may assume decryption keys are a magic wand for a quick recovery, but this is far from the truth!

A robust contingency plan is crucial for your business's recovery, but when it comes to crisis management there are several permutations that may go wrong. The real situation will test your resilience on all levels, underscoring the need for adept advisors and support personnel to guide you through the uncertainties. Understanding the expectations of each stakeholder and meeting their specific needs is paramount. In the face of severe incidents, difficult choices may be inevitable, and executing those decisions will only be possible if you have a well-established governance structure.

For further information on cybersecurity, recovery, or cloud infrastructure, please do not hesitate to get in touch.