How does a cyber crisis arise… and how to (try to) avoid it!

Cyber crises can be devastating for a business. In what context do they begin, and how can we escape them?

The impact of a ransomware-type cyber crisis is the visible part of the iceberg: a company completely at a standstill (unheard of!), worried employees, dissatisfied customers, factories silent for long weeks.

And in the midst of this silence, a management team in turmoil, paralysed in the first hours and then trying to cope somehow with an unprecedented situation. There are so many problems to solve: communication (internal, but also with the biggest customers, who have probably isolated themselves and refuse any contact until the situation is under control); legal (has personal data been stolen? That of our employees? Do we have to notify the CNIL, the French data protection authority? What is the risk?); obviously production (which activity to restart first? Which customers to favour? What are our capacities in degraded mode?); and even human resources (should we put staff on short-time working or have them take leave days? What do the staff representatives say?).

And all this without even considering the purely IT-department (DSI) questions: how to safely restart an information system in the dark, when the Active Directory directory is probably compromised, the backups have been destroyed, and there is no Internet access?

Suffice to say that during a cyber crisis of this type, nobody sleeps much and tensions run high.

“All the traces were there from the start”

How did we get here? Very often it is a first, ignored security incident which, over days or weeks, triggers a series of others, just as ignored, until it is no longer possible to turn a blind eye to them.

Paradoxically, in most cyber crises, all the traces were there long before the outbreak, in the form of alerts scattered across various system logs or security solutions: traces ignored out of ignorance or misjudgement of their gravity.

These traces are created as the attacker moves through the IS. It usually starts with taking control of a workstation and continues on the network, looking for targets to compromise (highly visible reconnaissance activity), exploiting vulnerabilities, then chaining logons from compromised accounts onto machines their legitimate users never connect to, and so on, until the mass deployment of an encryptor from Active Directory. Throughout this process, dozens of traces could raise the alarm: the creation of privileged accounts, massive use of network resources, unusual or failed logon traces, etc.

The crisis, therefore, is a series of minor incidents that are not investigated and dealt with in time, until they become impossible to ignore. In one of the cases handled by Vectra experts, the post-mortem showed that the first three incidents on workstations ("suspicious code executions", a highly questionable activity) were followed by four days without any activity, then a massive scan starting one morning from one of those same workstations (again an unusual and highly suspicious activity), and finally several more suspicious code executions that evening. There was therefore plenty of time to pull the rug out from under the attacker's feet between each alert.

Visibility, knowledge of the terrain and speed of action

How to avoid getting there? The key is visibility: being able to see all the traces, these seemingly unimportant warning signs, across the different silos: on-premises as well as in the cloud, and on the machines themselves as much as on the network or in the directory.

This generates, as one might expect, a large number of events, but a good artificial intelligence engine will be able to catalogue and prioritise the most suspicious of them, whether they are deemed suspicious by their nature or by their sequence (which amounts to bringing together different minor elements of the same attack into one significant incident).
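The two ideas above, individually minor traces (suspicious executions, a scan, a logon from an account onto a host it never uses, a new privileged account) and their correlation by sequence into one incident, can be shown with a small correlator. This is an added example written for this article, not Vectra's engine or any product code; the alert feed, the "known hosts per account" baseline, the stage names and the weights are all constructed for illustration.

```python
"""Correlate scattered low-severity alerts into one incident, per account, by weight and sequence.
Added example; the sample alerts and the baseline below are constructed, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage of a typical ransomware intrusion each signal belongs to, with a severity weight (assumed).
STAGES = {
    "suspicious_code_execution": ("execution", 2),
    "network_scan": ("reconnaissance", 3),
    "unusual_logon": ("lateral_movement", 4),
    "privileged_account_created": ("privilege_escalation", 5),
}
KILL_CHAIN = ["execution", "reconnaissance", "lateral_movement", "privilege_escalation"]
ESCALATE_AT = 8                 # total weight at which an account's alerts become an incident
WINDOW = timedelta(days=14)     # alerts later than this after the first one are not chained

# Constructed baseline (hypothetical): hosts each account is known to log on to.
BASELINE = {"jdoe": {"WS-017"}, "mlee": {"WS-022"}, "svc_backup": {"SRV-BK01"}}

# Constructed alert feed: timestamp | host | account | signal
SAMPLE_ALERTS = [
    "2024-03-01 09:12 | WS-017   | jdoe | suspicious_code_execution",
    "2024-03-01 09:40 | WS-022   | mlee | suspicious_code_execution",
    "2024-03-01 10:05 | WS-017   | jdoe | suspicious_code_execution",
    "2024-03-01 11:00 | WS-022   | mlee | logon",      # mlee on her usual host: benign
    "2024-03-05 08:30 | WS-017   | jdoe | network_scan",
    "2024-03-05 19:10 | WS-017   | jdoe | suspicious_code_execution",
    "2024-03-05 19:25 | SRV-FS01 | jdoe | logon",      # jdoe never uses SRV-FS01
    "2024-03-06 02:00 | DC01     | jdoe | privileged_account_created",
]


def parse(line):
    ts, host, user, signal = [f.strip() for f in line.split("|")]
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            "host": host, "user": user, "signal": signal}


def enrich(ev):
    """A plain logon becomes 'unusual_logon' when the account has never used that host."""
    if ev["signal"] == "logon" and ev["host"] not in BASELINE.get(ev["user"], set()):
        return dict(ev, signal="unusual_logon")
    return ev


def correlate(lines):
    """Return {account: incident} for accounts whose chained alerts cross the weight
    threshold or show a kill-chain progression (later stages following earlier ones)."""
    events = sorted((enrich(parse(l)) for l in lines), key=lambda e: e["ts"])
    per_user = defaultdict(list)
    for ev in events:
        if ev["signal"] in STAGES:           # signals without a stage (benign logons) are dropped
            per_user[ev["user"]].append(ev)

    incidents = {}
    for user, evs in per_user.items():
        first = evs[0]["ts"]
        evs = [e for e in evs if e["ts"] - first <= WINDOW]
        score = sum(STAGES[e["signal"]][1] for e in evs)
        stages = []                          # stages in order of first appearance
        for e in evs:
            st = STAGES[e["signal"]][0]
            if st not in stages:
                stages.append(st)
        progression = len(stages) >= 2 and stages == [s for s in KILL_CHAIN if s in stages]
        if score < ESCALATE_AT and not progression:
            continue
        # Time defenders had between the first alert and the first sign of lateral movement.
        lateral_idx = KILL_CHAIN.index("lateral_movement")
        later = [e["ts"] for e in evs
                 if KILL_CHAIN.index(STAGES[e["signal"]][0]) >= lateral_idx]
        incidents[user] = {
            "score": score,
            "stages": stages,
            "hosts": list(dict.fromkeys(e["host"] for e in evs)),   # path through the IS
            "first_alert": first,
            "reaction_window": (min(later) - first) if later else None,
        }
    return incidents


if __name__ == "__main__":
    for user, inc in correlate(SAMPLE_ALERTS).items():
        print(user, inc)
```

On the constructed feed, `mlee` stays below the threshold (one execution alert, one benign logon), while `jdoe` is escalated with the full execution, reconnaissance, lateral-movement, privilege-escalation sequence across WS-017, SRV-FS01 and DC01, and a reaction window of four days between the first alert and the first lateral logon, which is exactly the gap the article says should have been used.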

These incidents will then have to be promptly investigated by a human, to determine whether it really is malicious activity. And the remediation will have to be fast: waiting four days to isolate a user's compromised workstation or delete an administration account is out of the question.

But for that, the source still has to be identified as quickly as possible. This is why excellent knowledge of the IS and good management of its assets (through a CMDB or the asset inventory of a patch-management solution, for example) are hard to do without.

By combining visibility, knowledge of the IS and speed of remediation, one can hope never to see the crisis, but only a succession of minor incidents, which is a lesser evil!
