Observe the actions taken to eliminate the attacker from the information system
In parallel with the investigations and crisis management, remediation takes place.
The remediation is a project of regaining control of a compromised information system and restoring it to a sufficient operating state. This particularly involves carrying out the following activities:
| Remediation Phases | Objectives | Objective Details |
| --- | --- | --- |
| Containment | Prevent the attacker from progressing within the information system. | |
| Eviction | Remove the attacker from the core of the information system to restore trust. | Identify the trusted core of the information system around which reconstruction can occur and ensure the reliability of technical systems. |
| Eradication | Eliminate all of the attacker's access to the components of the information system. | Do everything possible to prevent the attacker from returning to the information system by removing their access and detecting any potential return. |
| Reconstruction | In parallel with eviction and eradication, rebuild and enhance the security of the information system to better resist current and future attacks. | |
It is the operational/technical crisis cell that leads the remediation operations during the crisis. The investigations we discussed earlier are a necessary prerequisite for effective remediation: it is important to first understand where the attacker went and what actions they took within the information system.
Before starting remediation, a plan must first be prepared. This remediation plan consists of:
Strategic objectives, such as, in our example, being able to treat patients again;
Operational objectives, such as restoring patient record backups so that medical histories are available again, or restarting medical imaging equipment;
Technical actions, such as restoring the tapes containing patient record backups, determining whether the medical imaging software has been corrupted and reinstalling it from scratch if necessary, etc.
Validating this remediation plan requires the approval of all concerned departments: hospital management, doctors, the IT team, etc.
As with any action plan, it is important to prioritize objectives, determine associated resources, and effectively communicate with all stakeholders.
It is now time to implement it, accompanied by a reconstruction phase, which I detail in the next section.
Follow the Recovery of an Information System
I’d now like to take you through the actions taken to recover the hospital’s information system.
First, it’s important to bear in mind that recovering the information system won’t happen in a day or even a week. After a cyberattack like this, it may take several months for the hospital’s information system to be 100% operational and strengthened to withstand future attacks.
After the cyberattack response phase, it’s time for the recovery phase.
Teams at the hospital are now busy cleaning up the information system, restoring data and restarting applications. During this phase, it’s essential to know your information system inside out, including which systems and applications are most critical, how they interconnect with other systems and applications, and whether your data backups are working properly.
We talked about the Business Continuity Plan (BCP) in the previous chapter. There’s also an equivalent document for the recovery phase: the Disaster Recovery Plan (DRP). This document is essential for knowing which actions to prioritize during the recovery phase. In the panic of a crisis, it’s difficult to keep a cool head and see the bigger picture. The DRP helps you think ahead about which services to prioritize during the recovery and which steps to take first.
As soon as the IT and security teams are sure that the attacker no longer has access to the hospital’s information system, they can start restoring the data backups. This is only possible because the IT team keeps the backups isolated from the information system, so the attacker couldn’t access them! Note that the IT team took the time to check that the backups were safe before restoring from them.
After restoring the data from the backups and restarting the most critical applications, the hospital’s essential functions can resume. Remember (and this is important), this can take between several weeks and several months to complete.
After recovery, the IT and security teams continue to work on strengthening the information system by implementing new security measures to help prevent another attack. These measures include:
upgrading to a more recent version of Windows, with the latest security updates.
installing new cyberattack detection tools.
raising awareness of phishing among information system users.
improving the hospital's procedures for responding to an attack.
These teams also have an essential role to play in preventing cyberattacks. We’ll look at this later in the course.
Discover How to Make Your Information System Resilient
How do we now ensure that this never happens again, or happens as infrequently as possible?
For every incident and every crisis, it’s essential to learn from how it was managed. Crisis unit members meet to review:
the teams’ performance during the crisis in terms of involving stakeholders, assessing the impact, implementing the BCP, communicating, and so on.
compliance with existing procedures (crisis management procedure, BCP, DRP, backup restoration procedure, etc.).
actions to be implemented to improve management of the next crisis.
These meetings are called “lessons learned” meetings. They usually take place immediately after a crisis, then again a few weeks or even months later when the dust has settled. An action plan based on the information from these meetings is essential in improving the organization’s ability to withstand a crisis in the future.
The aim here is to improve the resilience of the information system and, ultimately, guarantee the smooth running of the organization.
What does “resilience of the information system” mean?
The crisis manager’s role is essential in ensuring and improving an organization’s resilience.
There are several initiatives to put in place in order to:
reduce the probability of successful cyberattacks by implementing specific measures (see previous section).
reduce the impact of a cyberattack by knowing your information system inside out, having the right procedures in place to react better and faster, etc.
reduce the recovery time for the organization’s essential activities by recovering data quickly, restarting the most critical systems, etc.
That’s why ensuring your information system is resilient requires practice, and that means taking part in drills.
Drills? A kind of mock crisis?
Exactly! The idea is to organize crisis management drills or business continuity and disaster recovery tests to test how well-prepared your teams are and whether your documents (crisis management procedures, BCP, DRP) are up to scratch. During these drills, a small team prepares the scenario (trigger, attacker’s actions, etc.), while a group of employees reacts as if the attack were real. Sometimes, the employees don’t even know it’s a drill!
These drills are an excellent way of preparing teams for managing a crisis and identifying areas for improvement before a real crisis strikes.
Let’s Recap!
In this chapter, you learned that:
the steps involved in recovering an organization’s operations are restoring data backups, restarting applications and strengthening information system security.
recovery is a lengthy process that can last several months.
resilience is essential to any organization, enabling it to function in the event of a crisis and return to normal operations as quickly as possible.
it’s important to practice crisis management to improve your preparedness for the real thing!
You’re now familiar with some of the roles involved in crisis management and recovery after a cyberattack. In the next part of the course, I’ll introduce you to the roles involved in preventing cyberattacks. Hold tight, you’ve still got some great people to meet!