Incident response is the practice of responding to and recovering from a major incident such as a fire, a flood or, in this case, a cyber attack. While our toolkit and guidance should help stave off most attacks, you could still be caught by a so-called “zero-day attack”: one that exploits a vulnerability the vendor and the security community do not yet know about, so no patch or signature exists to stop it. It is therefore important that you prepare to recover from such incidents effectively, or your business’ future may be at risk.
Be prepared and know who to contact if you are under active attack. Do not be afraid to report incidents to the authorities; being a victim is not your fault. There is, however, an expectation that reasonable cyber security measures, such as those in the GCA toolkit, are in place in the business. This avoids accusations of negligence and can prevent many attacks outright. How much you are expected to do depends on the size of your business, the likelihood of an attack and its expected impact.
Stage 1 – Prior Preparation
This is critical. During a live attack you will be under a lot of stress, so it is good to have a well thought out plan ready and easily at hand. Prior preparation will allow you to focus on the incident, rather than worrying about what you did or didn’t do beforehand.
- Complete the Know What You Have section of the GCA Cybersecurity Toolkit for Small Business, especially the Data Classification Policy, as this gets you thinking about what information you hold. Include in this analysis what you will need to keep your business operational. Back this data up frequently, using incremental backups for speed and keeping at least one copy offline (disconnected from your network), so that ransomware that reaches your systems cannot encrypt the backup as well. Schedule regular restore tests so you know you can recover from the backups with minimal disruption; after all, you do not want to discover that a backup fails to restore only after an incident.
- Once you have completed Know What You Have, you will know which devices and software are critical to your business. Document how each is accessed, any requirements it has and any non-standard configuration, so that staff (or outside help) can be brought up to speed quickly if you discover an attack. Designate at least one person as incident lead, and a deputy whose absences do not coincide with theirs, so that someone is available on the day an attack happens. If you have continuous monitoring it may be wise to designate an on-call person. Keep all documentation up to date as things change.
Finally, it is a good idea to reduce risk before an incident. As supply chain attacks have shown, an attacker can reach you through your suppliers and customers. Maintaining a good relationship with them helps to manage brand damage and can prevent attacks. This includes keeping a list of external people who can help in an incident, for example your web host or cloud provider, and finding out what help is available before you need it. The help you can get will depend on your sector and size.
Stage 2 – Risk Management/Incident Planning
Now that you know what needs to be protected and who’s going to lead that response, it’s time to consider what to deal with first.
- If you have a cyber insurance policy in place, make sure you know how to contact the insurer and what incident response support they provide. Insurance helps with the cost afterwards; it does not prevent the attack.
- Assign roles to people in the team (for example, the secretary is responsible for putting out a notice, the workshop manager for shutting down any computer-aided manufacturing equipment to prevent damage, the IT person for identifying/confirming and containing the attack, and so on), but also consider that on the day of a cyber attack the full team may not be in the office, so decide in advance who deputises for each role.
- Exercise your plan, even as a small business. The NCSC provides Exercise in a Box to simulate an attack, test your plan and produce a report suitable for small businesses to help you improve; you could also run fake phishing attacks, or check what security measures are in place to avoid disclosing sensitive or confidential information over the phone.
- You can also develop a decision map: once an incident has been identified, who has the authority to determine what action should be taken? For example:
  - The IT person determines the website has been defaced: who has the authority to order the website to be taken down?
  - Who decides between keeping one infected machine running so that forensics can improve your defences, and shutting it down to help contain the attack?
  - If the incident lead is not part of senior management, at what point should they be made aware? This can only be decided for your specific risks.
A simple example is provided by NCSC.
Stage 3 – Uncertainty, is that an attack or did we make the news (or both)?
You have exercised your team, built your documentation and understand your risk. By using the GCA toolkit you will have hardened your defences. Even so, if an intrusion detection system (IDS) or a monitoring service such as a website load monitor starts to show unusual activity, you may be unsure whether you are under attack.
The NCSC reports that the symptoms of an attack may include:
- computers running slowly
- users being locked out of their accounts
- users being unable to access documents
- messages demanding a ransom for the release of your files
- people informing you of strange emails coming from your domain
- redirected internet searches
- requests for unauthorised payments
- unusual account activity
- alerts from monitoring or IDS systems.
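Two of the symptoms in that list, users being locked out of their accounts and unusual account activity, can be checked against logs you already have before anyone notices them. The block below is an added example (not code from the original GCA or NCSC guidance) that runs those two checks over SSH authentication log lines. The log lines, the office address range, the business hours and the lockout threshold are all constructed for the demonstration; adjust them to your own environment.

```python
"""Added example, not from the original GCA/NCSC text: turn "users being locked
out of their accounts" and "unusual account activity" into checks over an SSH
auth log. The log lines and allow-list below are constructed for the demo."""
import re
from collections import Counter

# Constructed sample: a normal morning, a password-guessing burst against bob,
# then an out-of-hours login for admin from an address the office never uses.
SAMPLE_LOG = """\
Mar 12 09:01:07 fileserver sshd[2201]: Accepted password for alice from 192.168.1.20 port 50122 ssh2
Mar 12 09:02:15 fileserver sshd[2210]: Failed password for bob from 203.0.113.7 port 41122 ssh2
Mar 12 09:02:16 fileserver sshd[2211]: Failed password for bob from 203.0.113.7 port 41123 ssh2
Mar 12 09:02:17 fileserver sshd[2212]: Failed password for bob from 203.0.113.7 port 41124 ssh2
Mar 12 09:02:18 fileserver sshd[2213]: Failed password for bob from 203.0.113.7 port 41125 ssh2
Mar 12 09:02:19 fileserver sshd[2214]: Failed password for bob from 203.0.113.7 port 41126 ssh2
Mar 12 09:02:20 fileserver sshd[2215]: Failed password for bob from 203.0.113.7 port 41127 ssh2
Mar 12 09:05:40 fileserver sshd[2230]: Failed password for alice from 192.168.1.20 port 50130 ssh2
Mar 12 09:05:48 fileserver sshd[2231]: Accepted password for alice from 192.168.1.20 port 50131 ssh2
Mar 13 03:14:00 fileserver sshd[3102]: Accepted password for admin from 198.51.100.9 port 60001 ssh2
"""

# Assumptions for the demo: where staff normally log in from, when, and how many
# failures against one account from one source count as a lockout attempt.
OFFICE_NETWORKS = ("192.168.1.",)
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59 local time
LOCKOUT_THRESHOLD = 5

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hh>\d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Yield one dict per login attempt; lines of other types are ignored,
    as a real auth log contains many unrelated messages."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["hh"] = int(event["hh"])
            yield event


def lockout_candidates(events, threshold=LOCKOUT_THRESHOLD):
    """Symptom: users locked out. Count failures per (source, account) and
    report pairs at or over the threshold, i.e. password guessing that would
    trip a lockout policy (or that has already locked the real user out)."""
    failures = Counter((e["ip"], e["user"]) for e in events if e["result"] == "Failed")
    return {pair: n for pair, n in failures.items() if n >= threshold}


def unusual_logins(events, office=OFFICE_NETWORKS, hours=BUSINESS_HOURS):
    """Symptom: unusual account activity. Successful logins that happened
    outside business hours or came from an address not on the office list."""
    findings = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        reasons = []
        if e["hh"] not in hours:
            reasons.append("out-of-hours")
        if not e["ip"].startswith(office):
            reasons.append("unknown-source")
        if reasons:
            when = f"{e['mon']} {e['day']} {e['hh']:02d}h"
            findings.append((e["user"], e["ip"], when, reasons))
    return findings


def triage(log_text=SAMPLE_LOG):
    """Run both checks and return the findings keyed by symptom."""
    events = list(parse(log_text))
    return {"lockouts": lockout_candidates(events), "unusual": unusual_logins(events)}


if __name__ == "__main__":
    for symptom, hits in triage().items():
        print(symptom, hits)
```

On the sample, the burst against `bob` from 203.0.113.7 shows up as a lockout candidate, while alice's single typo does not, and the 03:14 login as `admin` from an unknown address is flagged on both counts. Hits like these are exactly the prompts for the ten questions that follow; they are not proof of an attack on their own (an admin may genuinely work late from home), which is why the checks return findings for a person to review rather than taking action.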
If you start experiencing any of these, the NCSC guides you to ask 10 questions:
- What problem has been reported, and by whom?
- What services, programs and/or hardware aren’t working?
- Are there any signs that data has been lost? For example, have you received ransom requests, or has your data been posted on the internet?
- What information (if any) has been disclosed to unauthorised parties, deleted or corrupted?
- Have your customers noticed any problems? Can they use your services?
- Who designed the affected system, and who maintains it?
- When did the problem occur or first come to your attention?
- What is the scope of the problem, what areas of the organisation are affected?
- Have there been any signs as to whether the problem has occurred internally within your organisation or externally through your supply chain?
- What is the potential business impact of the incident?
If these questions are producing answers indicating an attack, it’s time to declare an incident. It’s better to declare an incident early before the damage is too severe or critical information is lost or ransomed.
Stage 4 – Under attack
Now that you have confirmed you are under attack, act according to your plan. First, begin an action log: record each action taken, by whom and at what time. This helps others get up to speed with your early actions and gives you something to review after the incident to improve your response in future. The first job for your IT team is to identify the type and path of the attack, as this may reveal the ultimate target.
If it is ransomware, isolate infected machines from the network (unplug the network cable or disable Wi-Fi) and disconnect not-yet-compromised services, such as the main business database, to restrict the spread; a full virus scan on its own will not stop ransomware that is already running. Use firewalls to block access to the infected systems, or have an Intrusion Prevention System (IPS) block the malware’s command and control traffic. Do not wipe or rebuild infected machines until the forensics decision from your decision map has been made. A good resource is No More Ransom, which hosts free decryption tools for some ransomware families.
If you can identify the type of attack, help may be available in the form of guidance and other technical support to mitigate or limit the impact. Depending on the type of attack, significant damage may already have been done. Do not rely on incident response to keep your business safe; instead, follow the GCA Toolkit and other relevant guidance as advised.
Stage 5 – Resolution
Once the attack is over, it is time to start clearing up. External IT services should have been contacted as soon as the attack was detected. For internally managed systems you may have to:
- replace infected hardware
- restore services from backups taken before the compromise
- patch the software the attacker exploited
- clean infected machines
- change passwords, once you are confident the attacker no longer has access (otherwise the new ones will simply be captured too).
Stage 6 – Reporting
If this was not done by non-technical staff or the incident lead during the attack or resolution stages, it should be done now. As mentioned above, inform all necessary regulators, law enforcement or appropriate agencies, customers and suppliers. Who needs to be contacted depends on your location and on the type and stage of the attack.
If you are based in the UK follow NCSC guidance available here: https://www.ncsc.gov.uk/collection/small-business-guidance–response-and-recovery (if under live attack call Action Fraud on 0300 123 2040 and press 9 on your keypad). If you are in a critical sector or provide goods or services to Critical National Infrastructure, report the incident to https://report.ncsc.gov.uk/. You may also need to report the incident to the ICO by following the guidance located at https://ico.org.uk/for-organisations/sme-web-hub/72-hours-how-to-respond-to-a-personal-data-breach/.
If you are based in the US follow DHS guidance here: https://www.dhs.gov/sites/default/files/publications/Cyber%20Incident%20Reporting%20United%20Message.pdf and here from DoJ: https://www.justice.gov/criminal-ccips/file/1096971/download
Reporting procedures for European countries can be found here: https://www.europol.europa.eu/report-a-crime/report-cybercrime-online
Stage 7 – Lessons Learned
With the incident (hopefully) behind you, it’s time to ask a few questions to improve your response plan in the unfortunate event you are attacked again:
- What went well?
- How could you improve?
- Are your current security systems adequate, or should you invest in more comprehensive ones?
- Should you bring on a dedicated cybersecurity specialist?
- Should you change your exercising or planning?
- Were your documents sufficient and up to date?
- Do you need to improve your cyber hygiene?
This guide should help you be more prepared during a cyber incident. It is not comprehensive. You may encounter a wide range of threats – each one would take a full blog post to comprehensively document and plan for. Hopefully this guide demonstrates that proper planning is key to ensuring your response is effective. Additionally, having good cyber hygiene and using the tools within the GCA Cybersecurity Toolkit for Small Business will help strengthen defences against cyber attack and reduce the severity of any losses experienced.
This blog post has been written by an NCSC CyberFirst University Bursary Student who is currently on an eight-week summer placement with GCA.