The Grim Reality of a Cyberattack: From Probability to Certainty

Author: James Allman-Talbot
Date Published: 5 December 2023

It is clear by now that most organizations will inevitably suffer from a cyberattack. Cybersecurity measures implemented by enterprises, governments and individuals are increasingly being rendered obsolete by the growing sophistication of cybercriminals’ methods.1 Perhaps the rate at which cybersecurity measures are rendered obsolete is partly due to unscrupulous individuals repurposing artificial intelligence (AI) for malicious purposes. WormGPT, a generative AI tool that can be used for cybercrime, has been touted as a method for cybercriminals to launch sophisticated phishing and email attacks.2 Today, the outlook is grim for organizations that wish to keep their data secure. As such, it is necessary to understand practical methods for reducing the impact of suffering from an attack.

So, You Were Breached

In the unfortunate event that an organization gets hacked, there are certain actions a cybersecurity team can take (or avoid) that significantly affect recovery time and cost. The first action is to report the incident to all relevant authorities, just as someone would report a physical crime. Many organizations are legally obligated to report such incidents, and informing the authorities helps protect other enterprises from similar attacks. It is worth noting that authorities and regulators are not going to assign blame. They seek to learn valuable lessons from attacks and build attacker profiles that help minimize the consequences other organizations may face. In addition, enterprises should alert their cyberinsurance providers. This is often a prerequisite for filing a claim, and evidence must be presented to receive compensation.

After the appropriate authorities have been notified, it is important that IT teams slow down and avoid making costly mistakes in haste. It is too late to take preventive measures. The first reaction is often to recover the affected IT systems quickly and fix any remaining problems immediately. Instead, IT teams must focus on containing the situation.

Post-Ransomware Response

Every attack is different, particularly in the case of ransomware. However, there are several valuable actions that can be taken in the event of a ransomware incident:

  • Isolate affected devices, but do not shut them down. Evidence that could be critical to the investigation may be lost if the system is shut down, resulting in an incomplete investigation.
  • Isolate affected user accounts and terminate active sessions. It is likely that the threat actor knows the account passwords; therefore, disabling affected accounts and terminating their sessions removes one method of access—particularly if Azure Active Directory (AD) or any other cloud-based user management platform is used, where existing sessions and refresh tokens otherwise remain valid after a password change.
  • Isolate network segments to prevent an attack from spreading. There is a possibility that the specific ransomware variant could be self-propagating. Isolating network segments ensures that any systems that have not yet been affected remain so. With the threat of AI-powered ransomware on the horizon, this step is more important than ever.
  • Take backup servers offline. Backups are critical during the recovery process and it is important to ensure that they are preserved as quickly as possible.
  • Power off the domain controller. Unless the domain controller has been affected by the ransomware (in which case it should remain powered on, but with no network connectivity), powering off the domain controller will stop any further authentication across the network.
  • Change network-shared files to the read-only setting. This prevents the ransomware from causing further damage to any critical file shares in the environment.
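The account-isolation and read-only-share steps above, as an added containment runbook (not from the article or its author) that also appends every action to the incident log. It assumes a Windows domain with the ActiveDirectory, Microsoft.Graph.Users.Actions and SmbShare modules installed, that Connect-MgGraph has already been run with User.ReadWrite.All, and that the user and share names are placeholders for the incident's own scope.

```powershell
# Added containment runbook; account and share names are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$CompromisedUsers = @('jdoe', 'svc-backup'),      # placeholders
    [string[]]$CriticalShares   = @('Finance', 'Engineering'),  # placeholders
    [string]$IncidentLog        = 'C:\IR\incident-log.txt'      # placeholder path
)

# Every action is appended to the incident log so the post-incident review
# can reconstruct exactly what was done, by whom, and when.
function Write-IncidentLog([string]$Message) {
    $line = '{0} {1} {2}' -f (Get-Date -Format o), $env:USERNAME, $Message
    Add-Content -Path $IncidentLog -Value $line
    Write-Host $line
}

# Disable the account on-premises and revoke its cloud sessions, so a stolen
# password and any cached refresh tokens both stop working.
foreach ($user in $CompromisedUsers) {
    if ($PSCmdlet.ShouldProcess($user, 'Disable account and revoke sessions')) {
        Disable-ADAccount -Identity $user
        $upn = (Get-ADUser -Identity $user).UserPrincipalName
        Revoke-MgUserSignInSession -UserId $upn | Out-Null
        Write-IncidentLog "Disabled AD account '$user' and revoked Azure AD sessions for '$upn'"
    }
}

# Downgrade every Allow grant above Read on the critical shares to Read, so
# ransomware running under any remaining session cannot encrypt the share.
foreach ($share in $CriticalShares) {
    $grants = Get-SmbShareAccess -Name $share |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' }
    foreach ($grant in $grants) {
        $target = "$share ($($grant.AccountName))"
        if ($PSCmdlet.ShouldProcess($target, 'Downgrade share access to Read')) {
            Revoke-SmbShareAccess -Name $share -AccountName $grant.AccountName -Force
            Grant-SmbShareAccess  -Name $share -AccountName $grant.AccountName -AccessRight Read -Force
            Write-IncidentLog "Share '$share': '$($grant.AccountName)' $($grant.AccessRight) -> Read"
        }
    }
}
```

Run it with -WhatIf first: SupportsShouldProcess prints each planned action without changing anything, which is the kind of deliberate pacing the article asks for before touching production systems.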

Stay Calm, Keep a Log

Being hacked creates stress and chaos. It is important to stay calm and listen to advice from credible sources. A cyberincident owner should be appointed who can record actions and decisions made in a log and establish a priority list for further network protection and data recovery.

Above all, it is critical to avoid assigning blame for an attack. Cyberattacks are sophisticated and a clever phishing attempt can dupe anyone. Playing the blame game is not productive nor does it solve the problem.


Ten Actions to Take and 10 to Avoid

There are 10 strategic steps that should be followed after becoming a victim of a cyberattack to help expedite an organization’s recovery. Those actions organizations should take include:

  1. Report the incident.
  2. Call your cyberinsurance provider. They may be able to point you in the direction of firms that can help, and this may also be a condition of your policy.
  3. Ask for help. Do not go it alone. Your cyberinsurance provider may be able to introduce you to incident response, public relations (PR) or legal firms who have experience dealing with attacks and can help guide you through the attack in the right way. Do not be afraid to reach out to industry partners, either—they have likely been through this, too.
  4. Appoint a cyberincident owner. This should be someone in a role senior enough to make critical decisions, depending on the type of incident. For a serious ransomware attack, this may be a chief information security officer (CISO), chief information officer (CIO) or chief technology officer (CTO).
  5. Record actions and decisions in a log. This allows you to undertake a post-incident review, which can help improve overall cyberresilience in the long run.
  6. Focus on containment. Make sure systems and networks are isolated as quickly as possible. This ensures that the damage does not become any worse and can save future headaches.
  7. Listen. You may have engaged with third parties to help respond to the incident, whose advice may seem counterintuitive. Trust their expertise. They have seen many organizations go through the same experience and have plenty of experience from which to learn.
  8. Be patient. Avoid making rushed decisions or having knee-jerk reactions. Quick fixes may end up making the organization more vulnerable and cause more harm in the long run.
  9. Help authorities and regulators as much as possible. They likely have many questions, but they are not looking to assign blame. Providing information to them could prevent other enterprises from suffering the same attack.
  10. Be faster than the story. Think decisions through carefully, but do not hesitate. Attacks such as these can be fast-paced, and reacting to them in a quick but thoughtful manner is critical to successful recovery.

Conversely, there are 10 responses enterprises should avoid after falling victim to a cyberincident:

  1. Avoid letting everyone help at the same time. If news gets out that an enterprise has been attacked, it is likely to be inundated with offers of support. It is important to be selective about who is enlisted to help to ensure that there are no conflicting priorities and that there is only a small community of trusted advisors.
  2. Avoid paying the cybercriminal. This is what motivates them, and enterprises continually paying ransoms only fuels them to undertake more attacks in the future. In some cases, it may also break international sanctions on known criminal groups.
  3. Avoid communicating externally. This should only be initiated when the organization knows how and what to communicate.
  4. Avoid lying or underselling the severity of the incident. This can quickly erode an enterprise’s reputation with clients, suppliers and the public because the truth typically comes out sooner or later. This is especially true for ransomware cases, wherein ransomware groups are known to publicly publish lists of their victims.
  5. Avoid trying to recover too soon. Recovering without rethinking the network infrastructure and security provisions increases the likelihood that an enterprise will be compromised again in the future. Use this as an opportunity to redesign infrastructure with security at the forefront.
  6. Avoid focusing solely on root-cause analysis. Depending on the organization, a widespread ransomware attack is likely to affect business operations. The priority should be to get the enterprise up and running in a safe and secure manner, and it is important to not let the investigation get in the way of that. However, some investigation may be required to inform the recovery process.
  7. Avoid buying more security tools without thorough consideration. It may be tempting to suddenly invest in security tools to fix the problem; however, with so many different options on the market, it is important to carefully consider which ones will be the best fit for your organization.
  8. Avoid pointing fingers or assigning blame. You are the unfortunate victim of a crime, and no one is at fault apart from the criminals themselves. Especially as attacks are getting more sophisticated with the development of AI, anyone can fall for a clever social engineering attack. Cyberattacks are a fact of life and happen across the world every minute of every day. Assigning blame will not solve the problem, only the hard work and dedication of your teams will.
  9. Avoid denying anything before the facts are available. Controlling the message is important, but do not deny anything that you do not have the facts to back up. The story will unfold as the investigation progresses and going back on something you said previously can damage reputation irreparably.
  10. Avoid trying to cover things up. In today’s world, anyone who has a large service incident will be subject to numerous questions from suppliers and the public asking whether ransomware is involved. Covering things up only makes the inevitable admission even harder to bear, and it is important to provide little room for speculation.

Conclusion

Organizations can benefit from insights into the realities of data security, especially in the context of ransomware attacks. Hackers are more organized, better funded and able to leverage tools with which many cybersecurity professionals struggle to keep pace. Ransomware actors are financially motivated, and as such, any organization that is quick to pay their demands is only fuelling the fire, encouraging the criminals to further their efforts and attack more enterprises. Enterprises can take numerous proven steps and avoid risky responses to manage cyberincidents calmly and effectively, including engaging with third parties to help respond to the situation and reporting the incident to the correct authorities. These steps alone can help a great deal; however, there are cultural aspects that may be difficult to capture in an incident response plan. Clear, rational decision making differentiates a successful response that carefully manages risk from a response that amplifies the risk, not only for the impacted organization, but for any other potential victims.

Endnotes

1 World Economic Forum, The Global Risks Report 2022, Switzerland, 2022
2 THN, “WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyberattacks,” The Hacker News, 15 July 2023

James Allman-Talbot

James Allman-Talbot is the head of incident response and threat intelligence at Quorum Cyber. He has more than 15 years of experience working in cybersecurity and has worked in a variety of other industries including aerospace and defense, law enforcement, and professional services. He has built and developed incident response and threat intelligence capabilities for government bodies and multinational organizations, and has worked closely with board-level executives during incidents to advise them on recovery and cyberrisk management.