Ten lessons from a cyber attack response exercise

Posted on 27 August

This week Charlie conducted a cyber attack as the scenario in a response exercise. Here are some lessons learnt from conducting the exercise.


1.     I don’t think you need to be an IT security expert to conduct a cyber attack exercise. The technical element of the exercise is done by IT, and if you are looking at the first 24 hours of an incident then you don’t have to be too specific about how the attack took place just about what the consequence of the attack was.
 
2.     To be credible you have to do some reading on how other attacks have taken place, what the consequences of them are, and how to respond to them. There is a lot of guidance on the web about this so it is not very difficult to get yourself up to speed on the subject. One particular document I thought was useful was the National Institute of Standards and Technology (NIST) “Computer Security Incident Handling Guide.” It is reasonably technical but it contains lots of useful advice for those who are non-technical.
 
3.     One of the first lessons learnt during the exercise was how would the news of a data breach come into the organisation, and how would the incident team who is responsible for managing any incident be made aware of it? There was a fear that the information might stay amongst senior managers, or IT, and those charged with managing the incident might not immediately be informed. Who within your organisation is responsible for managing the response to a cyber attack, and are IT and senior management aware of how an incident would be managed? 
 
4.     If the personal information of your staff held by the organisation was compromised, including their dates of birth and financial information, do you have in place a pre-written communication which informs them of the risk and goes through the process for staff to check if they could be a victim of identity fraud and givie them useful advice? It was felt during the exercise that this information should be pre-prepared as it might take some time to collate the appropriate information together.
 
5.     It was also felt that it would be useful to have prepared in advance what information security the organisation has in place, and any standard they adhere to. So if there was a breach, or a potential breach, you could immediately ensue the robust processes are carried out. This is when having ISO27001 would be very useful, as you could then say you take data security very seriously, your information security is externally audited, and you are certified to ISO27001.
 
6.     If you outsource any part of your IT to a third party, have you thought through how you would work with that organisation to respond to an incident?  
 
7.     One of the key decisions to be made during an incident is when will you inform your stakeholders, or those who could be affected by the breach, that the incident has happened. My reading on the subject said that if you do it too early you might not know the true facts, and it may be worse than you initially thought. While if you leave it too late, it looks like you are trying to cover up the event. An exercise is a good forum to have this discussion rather than during an incident.
 
8.     Communications during a cyber incident are going to be key, but often the plans in place for this only deal with the technical response to the incident and communicating with stakeholders. You need to ensure that your existing incident communication plans are robust enough to deal with a cyber incident.
 
9.     Have you thought about the insider threat? Snowden didn’t hack into the NSA to get the information he is presently releasing, he was an IT contractor working directly on the systems. Are you vetting appropriately your contractors and keeping records of who has had access to what systems?
 
10.  Last of all, incident prevention is better than cure, and sometimes good management of information security can prevent an incident.