Cyber-attack survival: seven crucial dos and don’ts

With decades of experience, the Incident Response team at Quorum Cyber has aided organisations of all sizes, complexities, and sectors in safely navigating cyber incidents. In this article, they impart crucial do’s and don’ts during a cyber-attack. The actions your team takes – or don’t take – can greatly impact the overall duration of recovery, cost, and the potential to uncover vital evidence left by threat actors within your infrastructure.

Identifying a cyber security incident can be challenging. Many threat actors have mastered the art of quietly infiltrating IT systems and hiding their digital footprints. Not all cyber-attacks are as overt as encryption-based ransomware or mandate fraud. The rise of encryption-less ransomware and corporate and state-level espionage is concerning. These silent intruders can lead to data and intellectual property (IP) loss, diminished competitive edge or market share, potential regulatory fines, and reputational damage.  All of which can be just as devastating, if not more so, to an organisation, its employees, and investors, than a single ransomware incident.

The Dos

1. Engage your dream team

When a cyber-attack strikes, it’s time to rally the troops. Engage the expertise of cyber incident response professionals to navigate the technical turmoil and provide strategic input. Call in crisis communication partners to manage the message and maintain trust. Consider engaging external legal counsel to manage and limit exposure to potential liabilities.

External partners require internal coordination and resources. Handling a cyber incident differs from regular operations. It necessitates distinct roles and might require compartmentalisation. Small, focused teams addressing specific areas can be far more effective than a large team attempting to tackle everything at once.

2. Be faster than the story

Gone are the days when you could formulate a message over the course of a day for it to appear in the evening news or the following day’s newspaper. It’s not even a “golden hour” to get a message out now. With today’s social media and online reporting, that time frame is now down to as little as 15 minutes, according to communications expert and media trainer TJ Walker. If you leave an information void, rumour and conjecture will fill it and it’s a lot harder to dispel those and get the true message across once they have taken hold.

3. Just the facts

During an incident, clear and factual communication is critical to holding everything together, limiting damage and not giving yourself more problems. It’s not about wishful thinking or unfounded optimism, but about conveying the cold, hard facts. Don’t let your message get muddled with unverified information or hopeful assumptions. Stick to the truth, even when it’s tough. Conjecture may offer temporary comfort, but it risks creating confusion and mistrust down the line. Remember, the truth has a way of coming out, and when it does it’s better to be on the right side of it. So, skip the speculation and stick to the facts. It’s not just good communication — it’s good crisis management. Let your external crisis communications partner/specialist handle this for you. They have relationships with the press to keep things on-message.

4. Take a break, make a breakthrough

In the midst of a cyber incident, it’s a total team effort. The tasks pile up and the concerns mount. However, burnout isn’t a myth, it’s a reality. Avoid overlapping duties; instead, arrange shifts so that teammates can relieve each other, allowing for necessary breaks. Step away from the chaos occasionally to do simple things like taking a walk. Often, a brief respite sparks fresh insights, better judgments, or innovative solutions.

5. Avoid analysis paralysis

Despite my role, I feel privileged to join C-suite or board meetings during cyber incidents. It’s fascinating to observe the internal workings and strategies of an organisation. However, in a crisis, companies often fall into a ‘whataboutism’ trap, debating without making decisions.

This is effectively managed by a neutral scribe who tracks discussions and redirects tangents back to decision-making. Once a decision is made and an action assigned, the scribe revisits the tangent. Their role significantly boosts confidence, understanding, and productivity, effectively advancing the strategy and incident response.

6. Data, not systems

When it’s time for recovery, focus on retrieving data, not entire systems. Threat actors often employ clever tactics to maintain access. Rebuilding operating systems from scratch and reinstalling applications can help guarantee clean systems. Hence, aim to restore only the necessary data, not the complete systems.

7. Pivot

In his book, Only the paranoid survive: How to Exploit the Crisis Points that Challenge Every Company and Career, former Intel CEO Andrew Grove discusses how successful organisations identify inflection points and use them to pivot in order to take advantage of a situation and improve the organisation. For many, cyber incidents are stark infection points or wake-up calls, but they also offer many opportunities to shed legacy systems, improve processes, and advance the organisation at a speed previously only dreamed of.

The Don’ts

1. Let everyone ‘help’

In the chaos of a cyber incident, it’s tempting to accept all offers of assistance. However, this can complicate containment, control of information, and progress tracking. Depending on your organisation’s profile, you might find that the ‘help’ provided benefits the third party’s publicity and association with the incident more than that of your own organisation.

2. Anticipate resolution by Monday

No matter how keen you are to get it over and done with, a cyber incident is a marathon not a sprint. Even if an incident hits on a Friday evening and we’re able to get you functional by Monday, there’s still going to be fallout, disruption, and lessons need to be learnt.

3. Downplay the impact or the prioritisation of data security

Many organisations have tarnished their reputations by making statements they later had to retract. Post-data breach, claiming “We take your data security very seriously” invites scepticism and scrutiny about your security measures. Denying an incident or its impact can be even more damaging, as it paints you as untrustworthy. This is where trained crisis communication specialists become invaluable. They can deflect blame, draw attention away from negative aspects, and highlight positive messages the company wishes to convey.

4. Jump steps

In the aftermath of a system breakdown, organisations are often tempted to rush into restoring systems and operations. This can be detrimental and prolong recovery. Threat actors commonly attempt to re-enter the environment post-attack to assess recovery progress and target backup systems, aiming to force a ransom payment for decryption. If they spot previously inaccessible backup mechanisms, they’ll likely try to delete or encrypt them. Therefore, it’s crucial to complete the containment and eradication phases first and have robust detection mechanisms in place before initiating recovery to identify any returning threat actors.

5. Avoid legal obligations

Even if you believe a cyber incident has gone unnoticed, always report it if there is a regulatory requirement do so. A rising tactic among threat actors is to report incidents to regulatory bodies if they think a ransom payment is unlikely. In 2023, the ransomware group ALPHAV/BlackCat reported MeridianLink to the US Securities and Exchange Commission (SEC) for failing to disclose their cyber-attack within the four-day diktat. Failure to meet regulatory requirements often results in steeper fines than those imposed following appropriate disclosure and may result in inclusion of lists of what not to do during a cyber-attack.

6. Buy more security tools

Cyber security incidents can be costly, and there are unscrupulous vendors ready to capitalise on your crisis by selling you unnecessary tools. Often, organisations already have access to tools and resources that are simply not activated or properly configured. Utilising them not only enhances the organisation’s cyber security posture, but also saves it money. During incidents, you may be able to get trial licences or temporary licensing increases to help support you until you reach a stable position. At that point, you can reassess your needs and align your tools and exposure with the Mitre ATT&CK framework. This allows even non-tech savvy individuals to identify weaknesses in defences and monitoring and determine the most effective combination of tools and mitigations to suit their risk appetite.

7. Play the blame game

The sole culprits for a cyber-attack are the threat actors. Assigning blame and finger-pointing during or after an incident can seriously hinder response and recovery efforts. It can also discourage individuals from reporting potential future incidents for fear of punishment or other repercussions.

Our services

Learn more about Quorum Cyber’s Incident Response services and how we can help protect you before, during, and after a cyber-attack of any kind.