We have just covered the various components of cybersecurity incident management. In this chapter, we will first discuss the governance component, focusing on crisis management, and then the understanding component, particularly the investigations conducted.
Find out How a Crisis is Managed
Setting up Crisis Management Organization
You saw in the first part that the Chief Information Security Officer (CISO) was the one who declared the crisis situation. The impact of the security incident is so great that the hospital’s management team needs to put a special type of management in place called crisis management.
OK, so it’s time to get everyone around the table?
First, we need to identify who we’re going to put around the table—otherwise there’ll be a lot of people! We also need to keep staff available to continue running the hospital. It’s likely that we’ll need information from various teams. For example, nursing staff will be able to give an overview of the most critical patients and urgent care, the IT team will know which components of the information system are still working, and management will make decisions to ensure the best possible care for patients.
How do you get all these people talking without creating too much commotion?
That’s where the crisis management organization protocols set up ahead of time come in!
There are several aspects to setting up crisis management organization protocols.
1. Organizing the necessary people and resources into “crisis units”
Our hospital has set up three crisis units: a strategic/decision-making crisis unit (managed by the hospital director), an operational/technical crisis unit (managed by the CISO and made up of members of the IT team and digital investigation experts), and an operational/business crisis unit (managed by members of the healthcare team). To keep things simple, we’ll focus here on the first two.
But how do we define these crisis units?
Bear in mind that different companies or organizations will choose different configurations. They may choose to set up fewer or more crisis units and define different scopes for them, based on what makes the most sense for their particular situation. Whichever model is chosen, coordination and communication between the various crisis units is key to crisis management.
2. Setting up the tools needed for communication between stakeholders
If your information system gets disconnected from the internet, or simply can no longer be trusted, it’s important to have already planned how you’re going to communicate in degraded mode.
In our case, the hospital had decided in advance to use employees’ personal cell phones and a secure instant messaging service. The point of such an out-of-band channel is that it does not depend on the compromised information system: if the crisis teams kept using the hospital’s own email or directory, an attacker who still controlled those systems could read their exchanges.
The common goal of the teams managing the crisis is to ensure that normal operations can resume as soon as possible, without risk to the information system.
The more detailed goals of each of our hospital’s crisis units are as follows:
For the strategic/decision-making crisis unit, led by the hospital director:
Communicate about the crisis internally and externally
Help the legal team report the incident to the relevant authorities, as soon as a leak of personal data is suspected or proven
Activate the business continuity plan, or BCP (more on this later in the course)
Make the decisions and trade-offs needed to protect patients, depending on the consequences of the crisis: which services will be inoperative, which medical staff and other human resources are essential to manage operations, whether to activate the emergency management plan so that patients can be admitted to other establishments, and so on
Confirm whether the hospital will continue to operate in degraded mode
Decide the conditions for declaring the crisis over based on predefined criteria: when the hospital can admit patients again, when medical staff can access patients’ health data again, and when smart equipment is operational again
For the operational crisis unit, led by the CISO:
Analyze the impact of the crisis
Limit the spread of the attack and ensure that the attacker no longer has access to the information system: disconnect all computers and servers from the internet, isolate infected components, and check and protect data backups against potential infection. These measures will prevent Jo from running her ransomware and infecting the information system any further. Where possible, machines are isolated from the network rather than powered off, because volatile evidence such as running processes and memory contents is lost at shutdown and the investigators will want it.
Understand and reconstruct how the attack unfolded, with the help of digital forensic experts. You’ll see this in more detail later in the section on investigations.
Prevent further intrusion by implementing additional security measures: fixing the vulnerability at the root of the intrusion, reinforcing the hospital’s information system security using other measures
The Business Continuity Plan (BCP) must also be activated to ensure that business operations continue as smoothly as possible.
The aim of the BCP is to reduce the impact of the unavailability of an organization’s normal services. It sets out the steps that an organization needs to take to compensate for this unavailability. For our hospital, this includes which other healthcare facilities to send patients to and how to manage the most serious cases.
Communicate During a Crisis
An important part of crisis management is communication. It’s essential to get the right information to the right people at the right time, to avoid rumors or panic. We need to be transparent, without revealing information that attackers could exploit, and at the same time maintain trust (among patients and employees, in our example). Communications teams are therefore critical stakeholders in the crisis and fit naturally into the strategic crisis unit. They are responsible for responding to press inquiries, managing communication on social media, and preparing the wording for all internal and external communications.
It didn’t take long for the news about our hospital to spread on social media! A patient posted a photo of the packed waiting room and even took a video of hospital staff rushing around. This only added to the panic among the public! Hundreds of reactions and comments were shared. The hospital’s communications team, with the approval of the strategic crisis unit, had to post a message on the hospital’s Twitter feed acknowledging that an incident was in progress and stating that further information would be made public as soon as possible. At the same time, phones were ringing off the hook with calls from journalists. Good thing the hospital’s communications team was involved!
The cyber crisis manager or crisis manager is another essential role in a crisis. A dedicated person or team may fill this role for large organizations or it may be part of the CISO’s responsibilities for smaller ones. Their main responsibilities are to:
prepare crisis management organization protocols ahead of a crisis (procedures, communication channels, etc.).
coordinate and advise the crisis management teams.
strengthen crisis management organization protocols: improve the procedures, tools and resources required for crisis management, after testing them in exercises and in real crisis situations.
You’ve seen that managing a crisis involves many different resources and teams with a wide range of skills from areas such as IT, legal, communications and management. During a cyberattack, everyone is affected, not just IT security!
In short, in the event of a ransomware attack, it’s important to talk to professionals (service providers specializing in security incident management, cyber insurance companies) and to contact the relevant authorities.
Learn About the Investigations Carried out During a Cyberattack
One of the most fascinating activities that takes place during cyberattacks is the investigation. Find out what investigation experts do right here!
Once the security incident has been detected and declared, the investigation team takes over.
Investigation teams are made up of technical experts with highly specialized skills. In most cases, especially for small organizations, these experts come from outside the organization.
So, investigation teams are like detectives trying to find a criminal?
Exactly! The first thing they try to understand is what the cyberattack has affected and how significant that is for the organization. The investigation teams then study the evidence the attacker left behind in the logs and try to retrace the entire attack path on the information system, by answering these questions:
What data and applications did the attacker access?
What actions did they take?
How did they enter the information system?
Digital investigations often fall within the remit of security incident response teams, which may be called one of two things:
CERT (Computer Emergency Response Team)
or CSIRT (Computer Security Incident Response Team)
The CERT/CSIRT analyst, or security incident response analyst, is responsible for digital investigations and performs the following tasks:
Before an attack, they:
monitor new vulnerabilities or attack methods (working with the threat intelligence teams).
develop or use investigative tools.
During an attack, they:
collect the logs containing any evidence the attacker left behind.
analyze the logs to determine what actions the attacker took.
After an attack, they:
write the investigation report.
suggest improvements to prevent similar attacks.
The CERT/CSIRT manager is more experienced and is responsible for managing all incident response team activities, including:
ensuring that CERT/CSIRT team operations run smoothly.
coordinating with the SOC teams on incident management.
ensuring that incident response processes are up-to-date, relevant and shared with the right stakeholders.
Let’s return to our hospital to get a better understanding of the role these teams play.
After the hospital director and the CISO declare the crisis, they decide that the hospital’s security team is too small to handle it alone and bring in outside incident response experts: they contact a company offering CERT services.
The hospital’s IT and security team and four digital investigation experts meet for the first time. The aim of the meeting is to clearly identify the circumstances surrounding the incident, based on the initial information available.
Next, the hospital’s technical teams send the forensic experts a copy of the logs recovered from the various components of the information system. This step is critical: the experts work only on copies, and the copies must not be altered in any way, otherwise the investigation could be led down false trails. In practice, each copy is fingerprinted with a cryptographic hash when it is handed over and the hash is re-checked before analysis, so that any accidental change is detected, and who collected what, from where and when is recorded alongside it.
Lastly, the forensic experts analyze these logs using specialized tools and techniques, correlating the timestamps from the different sources to reconstruct the sequence of events. After several hours, days or even weeks, they identify “patient zero”: the first computer to be infected, along with the malicious email that was at the root of Jo’s initial actions.
The final step is writing a report presenting the results of the forensic analysis, with a detailed timeline of the attack.
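As an added example (not code from the course, the hospital or its CERT provider), the following Python script walks through the two technical steps above on a handful of constructed log lines: fingerprinting the evidence copy so that any alteration is detected before analysis, then ordering events from several hosts into one timeline to find patient zero, the email that preceded it, and the hosts the attacker reached next. The log format, hostnames, user names, file names and timestamps are all invented for the example.

```python
"""Added example for this chapter: check an evidence copy, then rebuild the attack
timeline from it. Illustrative only; the hospital, its CERT provider and the
course have no such tool. Log format, hosts, users and times are invented."""
import hashlib
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed evidence: log lines from three hospital hosts, merged in the
# (unsorted) order the IT team might hand them over. Raw bytes so the UNC path
# keeps its backslashes.
EVIDENCE_COPY = rb"""
2024-03-04T09:40:12Z host=SRV-FILE-01 user=j.martin event=file_write path="\\share\patients\README_RESTORE.txt"
2024-03-04T08:12:41Z host=WS-RADIO-07 user=j.martin event=mail_received subject="Invoice 2291" attachment=invoice_2291.docm
2024-03-04T10:05:30Z host=WS-ADMIN-03 user=a.dupont event=process_start image=powershell.exe parent=explorer.exe
2024-03-04T08:14:03Z host=WS-RADIO-07 user=j.martin event=process_start image=winword.exe parent=outlook.exe
2024-03-04T08:14:09Z host=WS-RADIO-07 user=j.martin event=process_start image=powershell.exe parent=winword.exe
2024-03-04T09:02:55Z host=SRV-FILE-01 user=j.martin event=logon type=network src=WS-RADIO-07
"""

# An office program starting a shell is the classic footprint of a malicious
# attachment; a shell started from the desktop (explorer.exe) is not, by itself.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# key=value pairs; a value may be quoted so that it can contain spaces.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def fingerprint(data: bytes) -> str:
    """SHA-256 of the copy, recorded when the evidence is handed over."""
    return hashlib.sha256(data).hexdigest()


def verify_copy(data: bytes, recorded: str) -> bool:
    """Re-check before analysis: any change, even a single byte, fails the check."""
    return fingerprint(data) == recorded


def parse_line(line: str) -> dict:
    """Split one line into a dict; the leading ISO-8601 timestamp becomes 'ts'."""
    ts_text, _, rest = line.partition(" ")
    fields = {}
    for key, raw, quoted in KV_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else raw
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def build_timeline(evidence: bytes) -> list:
    """Parse every non-empty line and order events by time, whatever order the sources came in."""
    events = [parse_line(l) for l in evidence.decode().splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_patient_zero(timeline: list) -> Optional[dict]:
    """Earliest event where an office application spawned a shell; its host is patient zero."""
    for e in timeline:
        if (e.get("event") == "process_start"
                and e.get("parent") in OFFICE_APPS
                and e.get("image") in SHELLS):
            return e
    return None


def initial_email(timeline: list, host: str, before: datetime) -> Optional[dict]:
    """Latest mail received on `host` before the suspicious process start."""
    mails = [e for e in timeline
             if e.get("host") == host and e.get("event") == "mail_received" and e["ts"] <= before]
    return mails[-1] if mails else None


def hosts_reached_from(timeline: list, host: str) -> list:
    """Hosts that accepted a network logon coming from `host`: the attacker's next steps."""
    return sorted({e["host"] for e in timeline if e.get("event") == "logon" and e.get("src") == host})


if __name__ == "__main__":
    recorded = fingerprint(EVIDENCE_COPY)        # written into the chain-of-custody record
    assert verify_copy(EVIDENCE_COPY, recorded)  # re-checked before anyone opens the copy
    timeline = build_timeline(EVIDENCE_COPY)
    for e in timeline:
        print(e["ts"].isoformat(), e["host"], e["event"])
    pz = find_patient_zero(timeline)
    mail = initial_email(timeline, pz["host"], pz["ts"])
    print("patient zero:", pz["host"], "at", pz["ts"].isoformat())
    print("initial email:", mail["subject"], "/", mail["attachment"])
    print("reached next:", hosts_reached_from(timeline, pz["host"]))
```

Two design points carry over to real investigations: the hash is computed on the bytes as received and checked again before analysis, so the analysts can prove they worked on an unmodified copy, and the events are sorted only after all sources are parsed, because logs from different machines arrive in any order and the attack path only appears once they share a single time axis. The lone PowerShell start on WS-ADMIN-03 is deliberately left unflagged: its parent is the desktop shell, not an office document, so on this evidence alone it is not part of the story.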
Let’s Recap!
In this chapter, you learned that:
a company sets up very specific crisis management organization protocols to ensure it can respond to the crisis as effectively as possible: it creates crisis units, prepares crisis communications and activates a business continuity plan.
a key role in crisis management is the cyber crisis manager, who works on crisis management before, during and after the crisis.
CERT or CSIRT experts carry out forensic investigation work in an attempt to reconstruct all the steps taken by cyberattackers.
It’s good practice to use a cyberattack and the subsequent analysis to strengthen your information system and security practices. Join us as we help the hospital recover and strengthen its information system after the cyberattack!