Depending on the severity and scope of the attack, a cyber attack can lead to the total or partial interruption of certain services and components of the information system. This situation makes cyber crisis management and communication all the more difficult.
What are the first steps to take to stop the spread of a cyber attack? What tools should be used? How can we communicate effectively about an ongoing cyber crisis when certain tools are no longer accessible? What lessons can be learned from such a crisis to strengthen IT security?
3 major examples of cyber attacks
Of course, it's impossible to list all the different forms of cyber attack, given the sheer number of threats and the variety of modus operandi. Here are 3 examples.
Intrusion
Intrusion into an information system is defined as unauthorized access by a third party to a computer system (server, network, mobile device, etc.). Various methods can be used to achieve intrusion into an information system, such as exploiting a misconfiguration, exploiting known vulnerabilities or using stolen credentials.
Once inside the information system, the malicious actor may seek to gain access to other areas, elevate privileges, steal information, disrupt the operation of certain services, and so on.
Ransomware
A ransomware attack involves sending a malicious program to a device to encrypt its data. The attackers then demand payment in order to return the decryption key. The malware can infect a device in a number of ways: opening a fraudulent attachment or clicking on a malicious link to execute the program, computer intrusion, etc.
Distributed denial of service (DDoS) attacks
DDoS attacks aim to saturate a website with requests in order to slow it down or render it inaccessible. Relatively simple to implement, DDoS attacks can result in financial losses for the victim organization (linked to the resulting interruption of service). They can also damage the organization's image.
The first steps to take in the face of a cyber attack
1. Isolate compromised systems
The first thing to do when faced with a compromised information system is to contain and circumscribe the attack, to prevent it from spreading to other parts of the system. In concrete terms, this means partitioning or disconnecting compromised elements (applications, servers) from the network, but without shutting them down, so that the traces held in memory and on disk are preserved for the investigation.
Some of these network isolation measures may have consequences for business continuity. They must therefore be studied and validated by the crisis unit.
2. Assess the impact of the cyber attack on the information system
Reacting effectively to a cyber attack means being able to identify the perimeter concerned, the path taken by the attacker and the impact of the attack on the various assets that make up the information system.
Examples of questions to ask in order to assess the impact of a cyberattack on an IS, and take stock of the extent of IT malfunctions:
- Which systems have been or are suspected of being affected by the cyber attack?
- Have these systems been identified as critical to the organization, and do they support sensitive data?
- Are these systems subject to regulatory and/or contractual obligations?
- How badly is the information system disrupted?
- Are all business units affected by the attack, or only some of them?
- Are any services down or inaccessible?
- Are some files impossible to read?
This impact assessment stage will be facilitated if the teams in charge of managing the crisis can rely on an information system map which lists the various assets and services identified as critical, the interdependencies between those assets and services, and the interdependencies between the IS and entities external to the organization, such as subcontractors, service providers, etc.
By identifying services considered critical, mapping helps prioritize actions. For example, it helps determine which assets to isolate, monitor or protect as a priority.
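As an added illustration of how such a map supports prioritization (example code, not OverSOC's tooling), the script below takes a small constructed IS map with criticality flags and dependencies, computes which assets are exposed because they rely on a compromised one, and ranks them for monitoring: critical services first, then those that expose an external party. Asset names and the map format are assumptions for the example.

```python
"""Prioritizing containment from an IS map (added example; map is constructed)."""
from collections import deque

# Constructed IS map: asset -> critical flag, upstream dependencies,
# and optionally the external entity (subcontractor, provider) it exposes.
IS_MAP = {
    "web-portal":     {"critical": True,  "depends_on": ["app-server", "auth-ldap"]},
    "app-server":     {"critical": True,  "depends_on": ["db-main", "file-share"]},
    "db-main":        {"critical": True,  "depends_on": ["backup-srv"]},
    "file-share":     {"critical": False, "depends_on": []},
    "auth-ldap":      {"critical": True,  "depends_on": []},
    "backup-srv":     {"critical": True,  "depends_on": []},
    "hr-intranet":    {"critical": False, "depends_on": ["auth-ldap"]},
    "contractor-vpn": {"critical": False, "depends_on": ["auth-ldap"],
                       "external": "subcontractor"},
}

def dependents_of(is_map):
    """Invert the map: asset -> assets that rely on it (downstream direction)."""
    rev = {asset: set() for asset in is_map}
    for asset, info in is_map.items():
        for dep in info["depends_on"]:
            rev.setdefault(dep, set()).add(asset)
    return rev

def blast_radius(is_map, compromised):
    """Assets that may be affected because they rely, directly or transitively,
    on a compromised asset (the compromised assets themselves are excluded)."""
    rev = dependents_of(is_map)
    seen, queue = set(compromised), deque(compromised)
    while queue:
        for dependent in rev.get(queue.popleft(), ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen - set(compromised)

def triage(is_map, compromised):
    """Return (isolate, monitor): isolate the confirmed assets; monitor their
    dependents, critical ones first, then those exposing an external entity."""
    affected = blast_radius(is_map, compromised)
    def rank(asset):
        info = is_map[asset]
        return (not info["critical"], "external" not in info, asset)
    return sorted(compromised), sorted(affected, key=rank)

if __name__ == "__main__":
    print(triage(IS_MAP, ["auth-ldap"]))
```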
3. Collect and store traces
This information gathering is essential for an overall understanding of the incident, and particularly useful for the investigation phase. Infected systems should be kept powered up (but disconnected from the network) to preserve the traces left by the attackers, since what is held in memory is lost as soon as a machine is shut down.
The evidence gathered will also enable the cyber attack to be reported to the appropriate authorities. Keeping a record of events, measures and actions taken helps you to learn from the way the crisis was managed. The aim is to capitalize on all these elements in order to improve the organization's incident response posture.
Examples of evidence to collect and keep:
- Different types of logs (security, systems, servers, workstations, infrastructure equipment), to be secured by making offline copies or on isolated systems
- Hard disks of infected workstations and servers
- Malicious e-mails (phishing messages and their attachments)
- Contacts with attackers (if any)
- Encrypted files
This information-gathering phase must also prevent the attacker from destroying their own traces.
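To show what "securing" an offline copy of logs means in practice, here is an added example (not OverSOC's tooling) that builds a manifest of SHA-256 hashes with the collector's name and a timestamp for every file in an evidence folder, then verifies the copy later and reports any file that has changed or disappeared. The evidence directory, the log line and the file names are constructed for the example.

```python
"""Evidence manifest with integrity hashes (added example; data is constructed)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so that large disk images can be hashed without loading them."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir, collector, note=""):
    """Hash every file under evidence_dir and record who copied it and when,
    so the offline copy can later be shown to be unaltered."""
    entries = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({"path": os.path.relpath(path, evidence_dir),
                            "sha256": sha256_file(path),
                            "size": os.path.getsize(path)})
    return {"collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector, "note": note, "files": entries}

def verify_manifest(evidence_dir, manifest):
    """Return the relative paths whose hash no longer matches, or which are missing."""
    bad = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["path"])
    return bad

def demo():
    """Constructed run: copy a log and a note, build the manifest, then alter the log."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "logs"))
    with open(os.path.join(d, "logs", "auth.log"), "w") as f:  # constructed sample line
        f.write("Jan 10 03:12:07 srv01 sshd[412]: Failed password for root from 203.0.113.9\n")
    with open(os.path.join(d, "ransom_note.txt"), "w") as f:
        f.write("constructed sample ransom note\n")
    manifest = build_manifest(d, collector="IR analyst A", note="WS-07 offline copy")
    assert verify_manifest(d, manifest) == []  # the untouched copy verifies cleanly
    with open(os.path.join(d, "logs", "auth.log"), "a") as f:
        f.write("line appended after collection\n")
    return verify_manifest(d, manifest)
```

Store the manifest away from the evidence itself (for example printed and signed, or on a separate isolated system), otherwise whoever can alter the copy can also alter its hashes.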
Strengthening IT security after a cyber attack: 3 key steps
Rebuilding your information system
- Correct the vulnerabilities exploited by the attacker and remove their access.
- Define a strategy for rebuilding infected systems and restarting operations, favoring a gradual restart.
- Implement data recovery actions.
Capitalize on the incident to improve posture
- Treat a cyber attack as a turning point in the long-term improvement of information system security, so as to avoid another crisis.
- Review your information system security policy (ISSP) and identify inadequate elements.
- Define the security actions to be taken, deploy them and monitor them over time to reach a higher security level.
- Review cyber crisis management to identify areas for improvement.
- Draw up or update your disaster recovery plan (DRP).
Gain visibility over your information system
- Improve IS monitoring and detection capabilities.
- Map your IS or update existing mapping to identify critical services and resources.
- Share tools and information with all teams.
A cyber attack is destabilizing by its very nature. It is all the more so when the information system is lastingly affected and disrupted, which complicates incident response.
Anticipation and preparation are essential for taking the first steps quickly and knowing how to communicate around the incident. Being properly equipped is also essential to react effectively. Analyzing crisis management can be an opportunity to improve your posture and strengthen your IT security.
Would you like to know how OverSOC can help you better organize your incident response? We'd love to hear from you.