WannaCry, or Plan Cyber Incident Response? - Lessons from 12/05

7Safe Cyber Trump Card - CSIR By Joshua Goddard, 7Safe Cyber Incident Specialist | 16 May 2017


7Safe has timely advice for those affected by Ransomware

Unless you’ve been living in a faraday-cave for the past few days, you will have been following the ‘cyber pandemic’ hitting public and private sector organisations worldwide. Mainstream news outlets are talking cyber security – again – with the punchline that WannaCry is a super-advanced evil being hell-bent on crippling our National Health Service, and the attack was so bad because organisations don’t patch their systems in a timely manner.

The attack was ‘bad’ for the organisations that weren’t prepared for it. How was a delivery company able to keep delivering parcels while a car manufacturer had to halt its production line? The answer is likely that one had a tried and tested incident response plan – the other didn’t.

Why do I need an incident response plan?

So you don’t have to halt your production lines – at least not for very long. An incident response plan is a necessity for any organisation that relies on IT (i.e., every organisation). It helps an organisation prepare, respond to and follow up on any cyber-attack. It defines exactly who should be doing what, where, and in which situation. It’s the go-to document that your entire IT team should have access to at 9 PM on a Friday evening because an adversary has inconsiderately launched some heinous act against you outside of normal business hours. You need it to save your bacon.

What will an incident response plan contain?

7Safe are a CREST registered Incident Response provider, so we use the CREST model for incident response – other methods are available. The CREST model outlines the actions that should be taken in the event of a cyber security incident, and any well-rounded incident response plan will address each of these.

Phase 1 – Preparation

“The best way we can avoid getting hit is to make ourselves a smaller target.”

The preparation part of your plan will identify threats, vulnerabilities and preventative or proactive measures to implement. It will schedule regular assessments on infrastructure vulnerability through scenarios and rehearsals. It will also keep track of who knows what – a training log and education framework is essential. From this planning, you will implement appropriate controls. Review. Repeat. Make sure you make a note of which drawer the frozen peas are in – you will get hit, and it will hurt.

This global cyber-attack was a first for many organisations. Their incident response plans should have recognised worming ransomware as a threat. The scenario should have been played out, and controls should have been in place to prevent it or at least help in managing it – things like process execution and file integrity monitoring.

Phase 2 – Response

“We’ve been hit. The evil software is wriggling its way through our systems. It’s red-raw!”

This part of your plan will clearly outline what systems you have, what they should be doing and how they talk to each other. This will help you identify exactly what is going on and what might happen next. From here, you can form a plan of attack (or defence) with policy on how you can eliminate or contain any threat and restore systems to business-as-usual if necessary. Keep the peas pressed on for now.

In the recent attack, the response should have been to immediately stop the ransomware from spreading by limiting how it can communicate. The malicious processes encrypting data should have been terminated. Systems which weren’t infected should have been patched. For systems where the response wasn’t quick enough, data should have been restored from the latest backup and patched.

Phase 3 – Follow-up

“Thank goodness that’s over. Is it really over? Why did we get hit? What actually happened? Management are all over my back - it all happened so fast!”

This part of your plan will outline the scope of the investigation and reporting following an incident. It will explain how to critically review the incident and any action taken, as well as detailing how to report such information and to whom.

In this attack, after systems were back online and nothing more malicious could be found, the ‘how’ should have been identified and reported. The incident response plan should have been modified according to any lessons learnt.

How do I make an incident response plan?

Get your cyber security team together and talk it through. Identify a core team of incident responders responsible for the plan and its execution. Incident responders require a very broad but also very specialist set of skills. They should be skilled in cyber security, operating systems, networks, digital forensics, threat hunting and investigation.

Who can help me with my incident response plan?

Many organisations offer incident response services. Have a look around at who offers what, then visit www.7safe.com and look no further!

7Safe are CREST accredited experts in incident response who have responded to incidents from clients including large financial institutions and government bodies. We even saved the day at a primary school once – much to the children’s dismay. Everything we do underpins our professional development courses which have taught people from some of the largest private and public sector organisations globally. Our courses focus on straight-talking experience-led education rather than death-by-PowerPoint ‘training’. Incident response requires practitioners, not operators, and hands-on-training with us is a great way to give a team the capability to handle anything that comes their way. And if it’s a bit too much to handle, we’re a phone call away from coming to help ourselves.

#   #   #

Learn more about Cyber Security Incident Response here:

How you respond to a cyber security incident determines the final outcome. 7Safe’s expert CSIR team can help your organisation to take the right steps before your organisation suffers a breach:

Cyber Security Incident Response (CSIR)

Need expert help now? Talk to our CSIR advisers in confidence on +44 (0)870 600 1667

"7Safe are a CREST registered Incident Response provider, so we use the CREST model for incident response – other methods are available. The CREST model outlines the actions that should be taken in the event of a cyber security incident, and any well-rounded incident response plan will address each of these."


« Back