CyberCrisis


  • What is a Cyber Crisis? Based on the severity of the incident, the blue team decides the best response. In our example, only a level 4 incident would trigger the Crisis Management Team (CMT).
    • Level 1: SOC Incident - Small enough that the incident can be taken care of directly by the security operations centre (SOC), such as a user reporting a phishing email
    • Level 2: CERT Incident - Small enough that a team in the SOC can take care of the incident, such as a single user that has interacted with a phishing email
    • Level 3: CSIRT Incident - A larger incident that requires not just the SOC team, but also incident managers, such as multiple users that have interacted with a phishing email that contains malware
    • Level 4: CMT Incident - A critical incident where the CSIRT requires the ability to invoke nuclear actions, such as an incident where ransomware is being deployed and the CSIRT needs to take the environment offline to protect the rest of the estate
  • So, how does the team actually decide the level of an incident? This is done through an incident severity classification matrix, as shown below: most incident severity classification methods measure the scope of the incident (the number of systems or users that are impacted) against the difficulty of recovering the affected systems and assets.
  • There are several roles and responsibilities that have to be taken care of in the CMT. Normally, not all CMT members are involved from the start. Depending on the crisis, members are added as needed. This is to help ensure that the CMT can respond as rapidly as possible.
    An autocracy is the best approach for a CMT to ensure that actions are taken decisively without wasting precious time. Usually, this responsibility would fall on the CEO.
  • CMT Chair
    • The Chair is the person that leads the CMT. Usually, this role is fulfilled by either the CEO or the COO of an organisation. The Chair is responsible for leading the CMT and, as mentioned before, is usually responsible for having the final say in what actions will be implemented during the cyber crisis.
  • Executives
    • Executives are usually part of the CMT. This includes the CEO, COO, CIO/CTO, CFO, and even the CISO. In cases where not just the CEO is responsible for decision-making, these executives would each be granted a voting right. As executives will ultimately be held accountable for what happened during the incident, they are involved in the CMT to ensure that the damage is kept as small as possible.
  • Communication
    • An important responsibility in the CMT is communication. This includes communications that are being sent both internally to employees and externally to customers. An important part of any CMT is staying in control of the narrative to help ensure that unnecessary panic is not created. Therefore, communication during the cyber crisis is incredibly vital.
  • Legal
    • While we would like to believe that the CMT can take any action, it is important to ensure that these actions are actually legal. A very common discussion during certain cyber crisis scenarios is whether a ransom will be paid or whether the team will interact with the threat actors. It is important to note that in certain countries, these actions may not even be legal for the team to do.
  • Operations
    • One CMT member's sole responsibility is to determine the best possible approach to ensure that the operations of the organisation are affected as little as possible during the cyber crisis. In certain cases, this role is fulfilled by the COO; however, it can also be fulfilled by an entire team of experts that are looking for ways that business can continue during the crisis.
  • Subject Matter Experts
    • During a cyber crisis, subject matter experts (SMEs) play a vital role in providing critical information to the members of the CMT. This information then helps inform the team about the crisis scope and which actions would be the best to perform. During a cyber crisis, this would most likely include the head of the SOC and/or the incident manager of the CSIRT.
  • Scribe
    • Note-taking is incredibly important during a cyber crisis. It is important to create a full timeline of events as this often has to be disclosed to other third parties, such as the government or regulator. The role of the scribe is therefore important to detail all events and conversations during the CMT session.
  • When the CMT is invoked, the first hour is one of the most crucial. Similar to any investigation, as more time progresses, rebuilding what has happened and recovering from it becomes harder. We refer to this as the Golden Hour. During the Golden Hour, the CMT has to perform several critical steps.
  • Assembly
    • The first step in the Golden Hour is to assemble the CMT. Once the CSIRT decides to invoke CMT, a process should be followed to notify all initial CMT members that they are required to help with a cyber crisis. Usually, a playbook and call tree are created for this. It is incredibly important since some of the required members may not be available (for example, the COO could be stuck on an overnight flight). Therefore, their replacement and their replacement's replacement should already be documented.
  • Assembly:
    • Usually, the CSIRT Chair would be responsible for invoking the CMT and then performing the initial notification. From there, several members can assist in assembling the CMT. The team should also decide if the team would assemble remotely or in person and what communication channels will be used. While this decision might sound simple, it is often harder than you would think. It could be that the CSIRT has a strong suspicion that their primary communication channels have been compromised by the threat actor and therefore, out-of-band communication will be required.
  • Information Gathering:
    Once the CMT has been established, the very first step is to understand what has happened and what actions should be taken immediately. For a cyber crisis, this is usually done in the form of a CSIRT briefing where the CSIRT provides:
    • A summary of the information discovered up to this point
    • A summary of the actions that have already been taken by the team and the effect they had on the incident
    • Recommendations as to what nuclear actions should be taken immediately by the CMT
  • Crisis Triage
    • Once the CMT has been briefed, it is important for the team to triage the incident and consider the actions proposed by the CSIRT. The CMT should think carefully about the impact that the actions would have on the organisation and already think about what steps can be taken to limit the impact. During this triage phase, the team will also decide on which other stakeholders should be involved in the CMT.
  • Notifications
    • One of the first steps that the CMT should already perform during the Golden Hour is to prepare and in certain cases send out communication, both internally and externally. Usually, CMTs would prepare by making use of holding statements. These are messages that do not divulge exactly what is happening, but provide reassurance that the team is investigating and will provide more feedback as information becomes available. This can help calm the situation as stakeholders are aware that the team is busy working on whatever the issue is.
  • Once the CMT has been established and the Golden Hour actions have been performed, the CMT starts with a cyclic process to deal with the crisis, as shown below:
  • Information Updates
    • The CMT receives updates from the various stakeholders. This usually happens in the form of briefings with SMEs. The goal is to provide the CMT with new information to better understand the scope of the crisis and what impact actions taken in the past have had on the crisis. The CMT decides how often these update sessions are performed. At the start of the crisis, these updates would often be more frequent.
  • Triage
    • Once the team receives new information, the triage process has to occur again. During this phase, the CMT decides if the severity of the crisis should be raised or lowered and if any new SMEs should be involved in the CMT. The CMT also needs to decide if any new communication will be sent out internally and externally.
  • Action Discussions
    Using the new information provided by the various SMEs, the CMT has to discuss the proposed actions. The goal of these discussions is to understand the impact that these actions would have on the organisation. In this case, we are no longer talking about easy and small actions, such as removing a phishing mail from a user's mailbox. We are talking about large actions such as:
    • Restricting remote access to the environment by halting all VPN access
    • Performing a domain takeback of the Active Directory domain
    • Switching a system over to the disaster recovery environment
  • Action Approvals
    • The CMT chair will usually limit the amount of time for discussions. This is to ensure that the discussions do not go on forever, leading to inaction. Furthermore, depending on the scenario, the situation may worsen with more time. For example, if ransomware is being deployed from a central location such as Group Policy Objects, the entire Windows environment would be encrypted within 120 minutes! Every single minute the team discusses actions longer, the ransomware is spreading. Therefore, these discussions are limited before the team decides which actions will be followed.
  • Documentation and Crisis Closure
    • Once the crisis has been remedied, it has to be documented. Using the notes from the scribe, a crisis document is created. This document details what happened during the crisis and what actions were implemented to deal with the crisis. This information is not just for the archive, but can be used by the CMT to learn lessons about the crisis and adapt their processes and policies to better deal with a cyber crisis in the future.
  • Jack of All Trades
    • The members of the CMT usually have broad scopes for their roles. For example, the CEO is responsible for running the entire organisation. While the CEO might have extensive knowledge of several things in the organisation, it cannot be expected that they are an expert in everything that the organisation does. This is the case for most of the CMT members. As such, this team in isolation would not be able to deal with the crisis and therefore, have to leverage the expertise of others around them.
  • The Masters of One
    • This is where subject matter experts come into play. As a security engineer, you may be involved in a CMT if the crisis pertains to your specific division. As the security engineer, you should have an incredible depth of knowledge of your specific system or asset and can therefore provide vital information to the CMT.
  • The CMT can only take effective actions if the following is true:
    • The CMT must have an accurate understanding of the scope of the incident, including what has happened and what the impact is on the business. It will never be possible to understand the full crisis scope as the investigation will still be ongoing, but having as clear a picture as possible is important.
    • The CMT has to understand what actions are available for them to take and what the impact vs effectiveness of these actions would be.
  • SMEs play a critical role in providing this scope and info. As a security engineer, you will understand the system best to know what potential actions can be taken to recover from the crisis. You will know how long backups are kept. You will know whether the environment can switch to DR. You will know what the impact would be if you have to take critical assets in the environment offline.
  • Internal Communication
    • The CMT will have to decide what communication will be sent internally. This doesn't just include messages that will go to employees, but also communication that is prepared for key divisions such as the help desk. Depending on the technical response taken by the CMT, the help desk might receive an influx of support queries. To ensure that the help desk can assist employees and to limit the spread of panic, the CMT will also prepare communication for this team.
  • External Communication
    • This does not just cover the communication that is sent directly to customers, but also communication such as comments to the press or interviews that will be performed. This component has become vital and incredibly difficult to navigate in today's time due to social media. Often, organisations will employ teams that will specifically take care of this communication during an incident to help ensure that the public is informed about what is happening without spreading fear and panic, which could cause reputational damage to the organisation.
  • Informing the Regulator
    • Depending on the category of the organisation, there may be the need to inform other third parties. For example, in the financial sector, organisations are usually required by law to notify their respective regulator if there is a crisis. This is because the crisis could have an impact on the entire country. Another common regulator that must be informed during a crisis is the information regulator if the crisis has resulted in the breach of customer information in countries that have to adhere to laws such as GDPR.
  • Contacting Law Enforcement
    • Also, depending on the country of the organisation, there may be a need to contact law enforcement agencies, for example, the FBI. Usually, these processes are defined by the CMT before a crisis and will be part of their playbooks. Law enforcement agencies can often help with the investigation and help to ensure that the chain of custody of forensic evidence is followed to help with prosecution later.