Successful, increasingly sophisticated hacker attacks are becoming more and more common. High financial losses are just one of the possible consequences. How should a company behave in an emergency? Especially in a particularly serious case?
Preservation of evidence – your company needs professional help
Let’s assume a company with critical infrastructure (KRITIS). This company falls victim to a perfidious cyber-attack that paralyzes the entire network. The hackers quickly manage to encrypt the company data and demand that the CEO pay a large ransom.
Based on our experience, we say: Do not pay under any circumstances. Doing so would only benefit the criminals’ further business – and there is no recovery guarantee for the lost data.
A typical attack looks like this:
A user receives an email with a link or attachment that they click on or allow to run. This user typically has more local rights than needed – they are a local admin because the company did not follow the principle of least privilege when assigning rights.
This means that software can be installed from the internet with the compromised user rights without the approval of the IT service desk or other responsible roles. The software runs with administrative rights. This is the most dangerous way for hackers to infiltrate a company.
The malware works its way into the cached credentials (locally stored access data) and thereby gains access to the accounts of all users who have ever logged on to this computer.
If an admin, who usually has a highly privileged account, has logged on, the damage is immense. The malware now has access to all data and encrypts it in no time. More recent, combined hacker attacks mix this approach with upstream phishing campaigns in which access data is captured. This makes it possible to copy the data to servers in third countries before it is encrypted (data leakage). Later, the blackmail can be intensified by threatening to publish this partially confidential customer data. As already mentioned, we recommend never paying any ransom.
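The attack chain above depends on two conditions on the endpoint: ordinary users holding local admin rights, and cached domain logons that an attacker with those rights can recover. The following read-only PowerShell audit, added here as an example and not part of the original article, checks both on a Windows machine; the $ApprovedAdmins allow-list and the 'CORP\Domain Admins' group name are assumptions to be replaced with your own values.

```powershell
# Added audit example (not from the original article): read-only least-privilege
# check for a Windows endpoint. Run in an elevated PowerShell 5.1+ session.
# $ApprovedAdmins is an assumed allow-list; replace it with your real entries.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account, normally disabled
    'CORP\Domain Admins'                 # hypothetical group name
)

function Get-UnexpectedLocalAdmins {
    # Returns every member of the local Administrators group that is not on
    # the allow-list, i.e. the "user is a local admin" condition of the attack.
    param([string[]]$Allowed = $ApprovedAdmins)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-CachedLogonsCount {
    # CachedLogonsCount (REG_SZ) under Winlogon controls how many domain logons
    # are cached locally; each one is a credential that can be recovered with
    # admin rights on this machine. $null means the value is not set and the
    # Windows default applies.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.CachedLogonsCount
}

$unexpected = Get-UnexpectedLocalAdmins
if ($unexpected) {
    Write-Warning 'Accounts in local Administrators that are not on the allow-list:'
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output 'Local Administrators membership matches the allow-list.'
}

$cached = Get-CachedLogonsCount
if ($null -eq $cached) {
    Write-Warning 'CachedLogonsCount not set; the Windows default number of logons is cached.'
} elseif ($cached -gt 1) {
    Write-Warning "CachedLogonsCount is $cached; consider 0 or 1 on shared workstations."
} else {
    Write-Output "CachedLogonsCount is $cached."
}
```

Removing the flagged accounts from the group and lowering the cache count closes the two doors the described attack walks through; neither change makes the email itself harmless, so patch management and user training remain necessary.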
A brief digression
Lateral movement paths, or LMPs for short, are an important component of the security insights provided by Microsoft Defender for Identity. These are visual guides that help the affected company to quickly understand and identify how attackers can move laterally within its network.
The people affected notice too late that malware has been installed on the computer in the background. An encryption trojan blocks access to all computers – there is no longer access to internal company data, such as customer and contract data. The company is incapable of acting.
If you put yourself in the shoes of a CEO, the answer to “What now?” is not an easy one.
Report the incident? This means that it is no longer “only” a matter of financial damage, but the reputation and existence of the entire company is at stake.
Or better to keep quiet about the incident and only pass it on to affected customers and employees – and “hope” that they don’t say a word about the attack? This is definitely not an option, since failing to report is illegal.
The GDPR stipulates the following reporting duties for the company: Data protection violations must be reported to the supervisory authority within 72 hours. There is also an obligation to inform the persons concerned and the police authorities. This period begins as soon as the data protection violation becomes known and the controller is actually able to make a report. In the event of a cyber-attack, the police are always involved. The aim is to locate the attackers, secure evidence to arrest the perpetrators, and prevent them from attacking other companies.
Communication strategy
The communication strategy for customers plays a central role.
It is essential to provide customers with information quickly and transparently. A well-structured communication plan is useful for maintaining customer trust and minimizing damage.
If cyber security insurance exists, it is mandatory to report the incident. Such insurance provides protection against financial losses resulting from hacker attacks and data protection violations. To qualify for it, a company must meet certain information security requirements. These include providing evidence that employees receive sufficient training, that antivirus programs are kept up to date, and that a firewall protects the company from external threats. This also includes the prompt installation of security updates (patch management) on all devices.
Jürgen Brombacher, Head of Compliance & Cloud Consulting, emphasizes:
The average downtime of the IT environment after a serious cyber-attack over the last three years was over 20 days, with recovery costs of around 2.6 million USD. It is obvious that responsible companies must take precautions for this eventuality. DORA will also demand this.
Jürgen Brombacher
Detect hacker attacks early – consistent prevention is important
Specialized service providers can define, on the basis of appropriate incident response planning, how future hacker attacks are detected early and contained immediately.
In doing so, the so-called CSIRT team (Computer Security Incident Response Team) acts according to a predefined playbook. This contains a detailed procedure for every type of incident. By precisely defining customized countermeasures, the trained team can proceed quickly, in a coordinated and productive manner, to enable a rapid recovery of the IT systems.
The tasks of the CSIRT team focus on the following points: preparing for possible hacker attacks, minimizing and categorizing the damage, eliminating security threats, hardening the security architecture against further possible attacks, following up the incident with forensic analysis and documenting the attack. The team is thus involved in strategic process optimization and operational attack elimination.
This means that new insights into how hackers have overcome security systems and which potential weak points still exist in the system are constantly being gained. The sooner this information is available, the faster additional access points can be blocked and security gaps closed.
Rapid IT reconstruction after a hacker attack
IT service continuity management is used for the reconstruction of an entire IT infrastructure. Ideally, the approach, roles, and partners to be involved in such an event have already been defined in advance and recovery can begin without delay. The primary goal is to restore the company’s security and ability to function as quickly as possible. It is essential to call on experts from a CSIRT team (Computer Security Incident Response Team), because malware usually remains on the network for around 280 days before it is discovered.
If you try to restore the IT yourself, there is a high probability that the malware is still lurking on the computers in the background and that “backdoors” still exist. Often, the malware has been running in the background for months and is monitored by the hackers. They look for a buyer who is interested in the stolen company data. As a rule, this data is resold several times before it causes damage.
If the company infrastructure cannot be made operational again quickly enough, it is often advantageous to provide replacement devices and a replacement operation to bridge the gap. In terms of time, this is only possible if the appropriate devices are already available or have been pre-contracted with a supplier – or if precautions have already been taken to provide virtual workstations.
Competent support from experts is indispensable. They can also help with necessary regular emergency drills. The diagram below shows the benefits of IT service continuity management – starting with ensuring operational capability, all processes merge into one another:
Conclusion
A successful hacker attack often has serious consequences.
People still pose the greatest risk.
To ensure that your company is fully protected in an emergency, the Incident Response Readiness (IRR) processes must be integrated into the corporate culture and daily workflows. It is essential to incorporate the workplaces of all employees into the strategy.
It is best to have the following aspects reviewed by a team of experts and thus continuously kept up to date. Feel free to contact us.