Increasingly, cyber incidents warrant declaring a major corporate crisis that plays out in public. A data breach, a cyber attack, a ransomware attack, or even a fast-moving corporate fraud (such as data destruction or IP theft) are all examples. This week’s Petya Ransomware worm attacks – combining ransomware with worm capabilities – offer another example. All too often these events become public very quickly while incident responders are still dealing with the issues, feeding the feeling of crisis and driving the need to respond and communicate fast with company stakeholders and customers.
Thinking forensically in a crisis – finding and preserving evidence – is vital, even whilst battling to get the business back on its feet. Gathering and preserving forensic evidence during an attack helps determine the attack source and the response required, and is essential for insurance, legal and even law enforcement processes later on. But businesses learn very quickly that they are mostly unprepared for the task, which leads to frustration amongst executives, the appearance of being out of control, and misinformation in the public domain. It all leads to brand and reputation damage.
IT departments are usually at the centre of the action but are so often overwhelmed by the dynamic aspects of a crisis where incident response, business continuity, customer management and media relations activities are occurring simultaneously. And a lot of people are asking a lot of questions.
Often, under the tense conditions of a cyber crisis, CIOs and IT Managers (and, in NZ and Australia, where extensive outsourcing is commonplace, IT vendors) may duck for cover, look to minimise their own exposure, and make rash decisions in the pursuit of recovery. Highly volatile forensic evidence can be lost. Communications become confused. So often these are the first casualties of a crisis.
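One concrete way to keep forensic evidence from being lost or silently altered during a recovery scramble is to hash every collected artefact as it is gathered and record a chain-of-custody manifest that can be re-verified later. The script below is an added illustration written for this post, not a tool from the original article or from Cyber Research; it uses only the Python standard library, and the two evidence files, the collector name and the case id are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 16):
    """Hex SHA-256 of a file, read in chunks so large disk or memory images fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Walk the evidence directory and record path, size, hash and UTC collection time per file.

    The manifest is the chain-of-custody record: who collected what, when, and what it hashed to.
    """
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size_bytes": os.path.getsize(path),
                "sha256": sha256_of_file(path),
                "collected_utc": datetime.now(timezone.utc).isoformat(),
            })
    return {"case_id": case_id, "collector": collector, "items": entries}


def verify_manifest(evidence_dir, manifest):
    """Recompute every hash; return the relative paths that are missing or whose content changed."""
    tampered = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["path"])
        if not os.path.exists(path) or sha256_of_file(path) != item["sha256"]:
            tampered.append(item["path"])
    return tampered


def demo():
    """Constructed sample run: two collected artefacts, a manifest, then one artefact is altered.

    Returns (number of items recorded, files flagged before alteration, files flagged after).
    """
    with tempfile.TemporaryDirectory() as d:
        # Constructed evidence files standing in for a copied auth log and a netstat capture.
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Jun 27 03:12:01 host sshd[1]: Accepted password for svc from 10.0.0.5\n")
        with open(os.path.join(d, "netstat.txt"), "w") as f:
            f.write("tcp 0 0 10.0.0.7:445 10.0.0.5:51022 ESTABLISHED\n")

        manifest = build_manifest(d, collector="responder-1", case_id="CASE-PLACEHOLDER")
        # In practice the manifest would be written alongside the evidence, read-only.
        manifest_text = json.dumps(manifest, indent=2)
        assert json.loads(manifest_text)["case_id"] == "CASE-PLACEHOLDER"

        before = verify_manifest(d, manifest)

        # Simulate the log being modified during a hasty recovery step.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("tampered\n")
        after = verify_manifest(d, manifest)

        return len(manifest["items"]), before, after


if __name__ == "__main__":
    print(demo())  # (2, [], ['auth.log'])
```

The manifest itself should be stored somewhere the responders cannot quietly rewrite (write-once media, or a copy held by a second person), because the hashes only prove integrity relative to the moment of collection.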
Planning for a crisis is vital, particularly in an age where malware attacks are now seen on a frequent and global basis. A well-crafted and drilled Crisis Management Plan should include a single point of contact between the incident responders, executives and public relations specialists. Be prepared to provide hourly updates where a sensitive data breach has hit the media and the resulting reputation damage could impact customer trust and factors such as share price.
The key things people will want to know in a hacking attack are:
1. What’s the damage to our business?
2. What data has been accessed and exfiltrated?
3. What’s the cause and how did they get in?
4. Have the hackers maintained access or do they still have control?
5. Can we articulate the value and sensitivity of the data?
6. How are we responding and are we on top of it?
If you don’t think your organisation could answer these questions under the pressure of a cyber crisis, in a timely manner, then it is time to consider putting in the capability needed – this includes a Crisis Management Plan, Incident Response Plan and Forensic Investigation Capability. The faster you respond in a crisis and the more process-driven your response, the faster you’ll get on top of the situation, recover and get back to business as usual. Outsourcing this capability to experts makes real sense.
When we talk about forensic capability being central to crisis management, the need arises because IT departments do not necessarily implement the tools required to investigate a breach sufficiently, or think forensically. They are trying to keep the business running. Some systems that network operations use daily do have great forensic application: SIEM systems, for instance, are often deployed for defensive reasons but also provide great forensic capability if used properly. It’s not all about protecting against external hackers, though. Malicious insiders who have access to systems and data pose a potentially greater daily threat to organisations. Cyber Research can provide many examples where artificial intelligence products (such as DarkTrace) deployed on networks have been used to great effect to uncover employees who stole sensitive data and gave it to the competition, many months after the event. The specialist forensic investigator’s toolkit is full of resources that help you get clarity on what happened in an incident, what the root cause is, and what action to take next.
Cyber Research provides forensic capability as part of our proactive Security Operations Centre offering in Australia and New Zealand. We integrate prevention, detection, response and forensics. We aim to identify incidents in real time and respond to them and manage them to closure before they ever become a crisis.