You Have Been Hacked! What Do You Do Next?

Eight steps to restore your systems and operations.

I am all about prevention. If you can prevent something from occurring — do it! However, determined cyber adversaries have proven themselves very good at penetrating even the best of defenses.

What do you do when you figure out that your systems have been compromised? Check out the guest blog post below that has excellent tips for organizations that find themselves in the unenviable position of trying to put Humpty Dumpty back together again.

A Sophisticated and Devastating Attack

It also was a devastating attack. The city’s network infrastructure was destroyed, many network servers and devices were infected, and the Active Directory structure, which enables IT administrators to organize network elements into a hierarchical containment structure, was severely impacted. One of the outcomes was that the city’s 911 center had to operate without its computer-aided dispatch (CAD) system for a month — talk about stress! And because the network infrastructure was destroyed and the Active Directory was compromised severely, IT personnel in every affected agency had to touch every physical and virtual network device to assess and correct the damage, which complicated the recovery effort and lengthened the timeline. For example, the city’s police department had to reimage every device in use, e.g., in-vehicle laptops and in-station desktops, and then reload them with all of the requisite applications — now multiply this scenario across dozens of city agencies.

This event got me thinking, and the first thought that popped into my head was that no matter how vigilant an organization is, there’s a very good chance that a cyberattack will be successful. That’s because cyberattackers have become very sophisticated, they are very good at what they do, and their tactics evolve rapidly, seemingly by the hour. They also can be very persistent and patient and are highly motivated. In this way, a cyberattacker is very much like a burglar, who will spend weeks observing a target to determine whether it is worth breaching and if so, the best time and approach for doing so. And if a burglar really wants what is inside, he is going to find a way in.

Lessening the Severity of Cyberattacks When They Do Occur

All of that is not to say that you should give up on cybersecurity — it’s still good thinking to do everything possible to prevent cyberattacks. But it’s equally good thinking to develop a strategy and tactics designed to lessen the severity of such an attack if it occurs. Here’s where to start:

  1. It is imperative that a disaster-recovery (DR) plan that addresses, on a high level, the agency’s IT assets exists — it should be an element of the agency’s continuity-of-operations plan. It should be as comprehensive as possible, even to the point of contemplating scenarios that are highly unlikely. The DR plan should be exercised and updated regularly, at least annually.
  2. Expect that the DR plan doesn’t work exactly how you envisioned it — that’s why you exercise it, to discover the bugs and then fix them.
  3. It’s a good idea to place backup servers, applications, and databases in the cloud. In this example, the city’s on-premises primary and backup infrastructure — i.e., physical and virtual servers — was attacked and compromised, but everything that resided in the cloud came away unscathed.
  4. If a cyberattack occurs, immediately assess the specific damage, because the sooner that you do, the sooner that you can develop a post-attack mitigation plan. This seems intuitive, but planning often is neglected in the heat of the moment. Think of this in terms of a structure fire — firefighters never are sent into a burning building unless size-up has occurred and a plan for attacking the blaze has been developed. The temptation is to rush in and extinguish the blaze, but that’s exactly the wrong thing to do — if it’s an oil fire, you don’t want to pour water on the flames, or if the structure has been compromised, you don’t want to send firefighters to the roof. It works the same way when responding to a cyberattack.
  5. The mitigation plan should prioritize each IT capability category and determine the order in which they are brought back online. In this example, the city identified three major categories — the network, the Active Directory, and the servers and applications that run on the network.
  6. After the initial prioritization occurs, the next step is to prioritize within each major category that has been identified. In this example, the 911 system, particularly the CAD system, was the top priority in the servers-and-applications category.
  7. After the mitigation plan is drafted, bring all stakeholders together to ensure that the priorities are correct and that they understand the plan’s timing.
  8. During the restoration process, be overly cautious and thorough — you don’t want to miss something and in doing so cause a reinfection.

Bob Kaelin is MCP’s vice president, public safety. He can be emailed at RobertKaelin@MissionCriticalPartners.com.

Here’s a link to the above article: “Your Agency Experienced a Cyberattack — Now What?”

Eric Holdeman is a contributing writer for Emergency Management magazine and is the former director of the King County, Wash., Office of Emergency Management.