Cyber Attacks : Crisis Recovery and Anticipated Measures by Daniel Guinier, Expert in cybercrime and financial crimes for the International Criminal Court in The Hague

Having exposed a model to represent cyber attacks based on characteristics that can be broken down and the dynamics of its stepwise process, the author now discusses its essential measures and proposes a crisis recovery plan incorporated into the business resumption plan (BRP)[1].

Introduction

While the victims of cyber attacks are not always able to bear the direct costs, they also have to face other negative consequences related to restoring the situation. These include extra costs for additional hours and staff, external experts and consultants to be called upon, and technical security measures to be put in place on an emergency basis after the attack. To these are added organisational changes; repair of damage caused to systems, infrastructure, software and data; loss of revenue; loss of clients and efforts to maintain relationships with clients. Other consequences are related to liability for sums or data stolen during the attack and for damage caused to third parties, especially damage due to a failure to comply with legal or contractual obligations. All these things may lead to legal proceedings against the organisation, which are likely to compromise its reputation and image and shake the trust of its clients and partners.

Crisis recovery during a cyber attack

Preliminary observations for a suitable response

To ascertain the reality of the presumed situation, the sequence of events must be retraced in order to be sure that it is indeed a cyber attack and determine if it is still in progress. The catalogue and its dynamics will be essential indicators, as will the criticality of the services and processes affected, to judge the state of crisis. This involves classifying processes, assets, systems and data, combined with monitoring regularly for updates, without neglecting to react swiftly[2].

At the technical level only, infrastructure and software dedicated to surveillance of events, as well as visual and automated analysis of logs[3] — of access, connection and traffic — and reporting of abnormal behaviour — should allow early detection of cyber attacks by means of correlation of events, as well as suggested fixes and improvements to be made.

Each month, nearly 10,000 terabytes of security or hacking data are transferred or relayed on the Internet. These enormous volumes of data constitute a portion of the mass of data referred to as « big data ». Selecting and transforming cybersecurity-related data; correlating them, particularly with internal incidents and other weak signals; and presenting them could play a role in decision-making through predictive, contextual and behavioural analyses that require big data[4]. The goal here is to reduce the risk of accident, error and malevolence by means of predictive measures combined with other generic measures, above all to prevent cyber attacks.

Despite everything, this is insufficient to ensure that the information system is restored and there is a return to normal business without too much impact. Success hinges on the level of preparation and the quality of the management of the situation, whereas failure results from haste related to a lack of maturity. It is necessary to provide for a suitable response to the state of the crisis and the diversity of cyber attacks by complying with best practices, according to the state of the art and procedures in force. This response must be planned, coordinated and checked. It must also be supported by ad hoc communication. This presumes sufficient skills, both internal and external, with expertise in management, organisation, technical matters and legal matters[5].

Incorporation of the response into the business resumption plan

Incorporating the response into the business resumption plan (BRP) in a section on the management of a cyber attack[6] is a natural move, in view of the ISO 22301 standard on requirements for business continuity management systems.

Rational specification[7] of a structured plan should cover all objectives. On this basis, a plan would established to satisfy the requirements in terms of features — organisation, skills, backup, technologies, data, etc. — and assurance — design, backup and archiving, documentation, tests, auditing, intelligence, etc. — to arrive at a coherent and trustworthy comprehensive solution. These requirements would call for measures, technical and non-technical, and procedures, for the purpose of coherence of operations, relying on compliance and efficiency, from the design of the BRP to its implementation. They will be found in the wording of the items that form the BRP, in the form of modules assigned to roles that are quick to change, depending on the intelligence on cyber attacks, new activities and changes in the information system, and, above all, the crisis situation encountered.

This innovative method for engineering crisis plans should ensure flexibility and robustness, notwithstanding changes in context and unforeseen crises.

Model linking the catalogue of entities to all anticipated measures

The figure presents the links between the attributes of the different entities and all anticipated generic measures[8], which are combined for more in-depth security[9].

Crisis organisation rests on three groups: The D group, for direction or management, meets in a crisis unit to make decisions. It has a designated spokesperson to communicate about the crisis with external entities and the media. The spokesperson reports to the general management. The C3 group[10] coordinates, controls and ensures internal communication. Finally, the O group is in charge of carrying out operations. The crisis unit effects the meeting of the managers of these groups at a planned location. It brings together entities that make decisions and create cohesion so that the BRP may be carried out properly. It steers and ensures crisis management and operations support. Its manager makes the decision to activate the BRP in the event of a confirmed state of crisis, according to the procedure, planned means and information that are provided to him or her, relying on a severity scale that is pre-established or applied by analogy. To face the diversity of situations, teams will be formed to assume the responsibilities entrusted to them and the tasks they will be in charge of, the case of a large-scale cyber attack being one scenario among others.

The response is in the « cyber attack« paragraph within the framework of a BRP, with common organisation and communication about the crisis for a coordinated response. Some specific elements get grafted on as a result of needs for surveillance, collection and storage of evidence data, for computer forensic analyses and investigations. Certain points requiring special skills and appropriate methods will demand considering the use of additional resources from pre-planned external assistance[11].

During the discovery of an attack, it will be necessary — even before the BRP is triggered — to respond quickly, applying emergency procedures with a sufficient understanding of the situation and the difficulties to be anticipated, and acting prudently to keep from making the situation even worse and preserve the evidence. The emergency plan enables notification of the state of alert and prepares the crisis unit in order to make the crisis plan operational to better respond to the situation that will arise. The backup plan will allow survival in fail-soft mode and the conduct of operations up to recovery and a return to normal, relying on the data backup plan and the crisis communication plan to maintain trust in the organisation and its image. Such a BRP will take into consideration the most varied threats — known or not, if not predictable — against processes, the information system and data, as well as the reputation of organisations and people[12].

The organisation’s internal security policy will provide the principles and rules[13] to be adopted at the decision-making level, to deduce from them — following assessment of the degree of need — the implementation of operations, at the organisational and technical levels, concerning the information system, data, assets and staff, internal and external, permanent and temporary, etc. In this regard, the EBIOS method[14] will prove useful according to the General Security Repository[15] and the ISO 27001, 27005 and 31000 standards.

Conclusion and prospects

Cyber attacks must be prevented with various measures, which may even include the use of big data. Prevention also depends on addressing the underlying crisis and more than anything else on capacities for response. Nevertheless, many organisations struggle to apprehend such attacks, despite their efforts. Most often, they treat the symptoms and stick to the technical level. There are deeper causes linked to organisations’ intrinsic weaknesses and resilience. These must be examined to ensure business continuity in case of damage or crisis following a cyber attack.

In contrast to André Gide’s proposal[16] — « What are you going to look for over there? I’ll wait until I get there to find out« , organisations should already be concerned and pursue in-depth measures — to raise awareness, prevent and detect, and otherwise, to protect in order to withstand the crisis and ensure a return to a normal situation, relying on a business resumption plan (BRP). Everybody must be vigilant and follow the procedures specified in the best practice guide for security understood and adopted by the staff.

Finally, considering changes in threats and potential impact, it must be mentioned that the fight against cybercrime — in general and with respect to cyber attacks in particular — is anticipated at the international level, in parallel with the development of a proactive French policy of fighting cybercrime[17] by engaging all cyber centres with the public and private sectors.

References

ANSSI (2010): Méthode et logiciel EBIOS 2010 (EBIOS 2010 Method and Software)

ANSSI (2012): Les bons réflexes en cas d’intrusion sur un système d’information (Reacting Swiftly in Case of Intrusion into an Information System). CERT-FR briefing note

ANSSI (2013): Guide d’hygiène informatique (Guide to Computer Health), 49 pages

DCSSI (2004): Guide pour l’élaboration d’une politique de sécurité de système d’information: PSSI (Guide to Preparing an Information System Security Policy: ISSP), March

French gendarmerie (2010): Le guide pratique du chef d’entreprise face au risque numérique (A Practical Guide for the Company Manager Faced with Digital Risk). Version 2.0, 91 pages

http://www.montauban.cci.fr/uploads/assets/entreprises/guide_pratique_chef_entreprise.pdf

French gendarmerie (2011): Analyse prospective sur l’évolution de la cybercriminalité de 2011 à 2020 (Prospective Analysis on Changes in Cybercrime from 2011 to 2020). Version 1.0, 55 pages

https://www.signal-spam.fr/sites/default/files/Prospective%202020%20v1%200_0.pdf

Guinier D. (1994): Catastrophe et management — Plans d’urgence et continuité des systèmes d’information (Catastrophe and Management — Emergency and Continuity Plans for Information Systems). Masson, Paris, 323 pages

Guinier D. (2003): Ingénierie du plan de reprise d’activité — Spécification rationnelle du PRA et approche par composants et rôles (Engineering the Business Resumption Plan — Rational Specification of the BRP and Approach by Components and Roles). 15th Ann. Canadian Information Technology Security Symp., Ottawa, GoC/CSE–CST, 12-15 May

Guinier D. (2006a): Dispositif de gestion de continuité — PRA/PCA: une obligation légale pour certains et un impératif pour tous (Continuity Management Plan — BRP/BCP: A Legal Obligation for Some and an Imperative for All). Expertises, no. 308, Nov., pp. 390-396

Guinier D. (2006b): La politique de sécurité (Security Policy), in the Encyclopédie de l’informatique et des systèmes d’information (Encyclopaedia of Information Technology and Information Systems), Vuibert Sciences, pp. 1486-1498

French Ministry of Defence (2013): White paper: Défense et sécurité nationale 2013 (Defence and National Security), 160 pages.

French Ministry of Justice (2014): Protéger les internautes — Rapport sur la cybercriminalité (Protecting Internet Users — Report on Cybercrime), by the French inter-ministerial working group on the fight against cybercrime, 277 pages, and annexes, 207 pages.

http://www.justice.gouv.fr/include_htm/pub/rap_cybercriminalite.pdf

http://www.justice.gouv.fr/include_htm/pub/rap_cybercriminalite_annexes.pdf

SCSSI (1994): Guide pour l’élaboration d’une Politique de Sécurité Interne (PSI) à l’usage du responsable de la sécurité du système d’information (Guide to Preparing an Internal Security Policy [ISP] for Use by the Information System Security Manager), Version 1.1

SGDSN (2015): Stratégie nationale pour la sécurité du numérique (French National Strategy for Digital Security), French Prime Minister, 16 October, 40 pages.

References

[1] Continuation from the end of his article in La revue du GRASCO (Research Group on Actions against Organised Crime), no. 14, Dec. 2015.

[2] See ANSSI (2012): CERT-FR briefing note on reacting swiftly in case of intrusion.

[3] Logs are records of traces of events that have occurred on a machine — work station, server, etc. — and communications to or from this machine, especially at the firewall level.

[4] This is achieved with practical solutions capable of processing tremendous volumes of disparate data, structured or unstructured, generated in real time or not, from anywhere in cyberspace. The challenges can be met with a proactive policy, changes in legislation and R&D efforts, especially towards varied algorithms and skills in this regard. Big data will require policymakers to commit to changing data-related policies, in France and elsewhere, by anticipating the future to take into account concurrent changes in legal matters and technical solutions, while ensuring that big data is used in compliance with legislation and regulations.

[5] These are important actions that indeed depend on collecting evidence and investigation data, which requires technical–legal expertise and the use of more or less complex computer forensic methods, both for backup and for the legal admissibility of the analysis. Others also relate to the backup and restoration of reliable data.

[6] Here referred to as: « BRP § Cyber Attack Plan ».

[7] Approach by components and roles based on engineering described since 1994 by D. Guinier (1994, 2003 and 2006a).

[8] According to the common systems model for cyber centres described by D. Guinier (2013).

[9] For this purpose, the Guide d’hygiène informatique (Guide to Computer Health) by the French National Information Systems Security Agency (ANSSI) (2013) offers 40 essential rules deriving from 13 points.

[10] C3 for: Coordination, Control and Communication.

[11] These may include private skills, with assistance from qualified specialised providers and suppliers, and public ones, with contributions from the ANSSI and specialised investigators from law enforcement agencies — police, gendarmerie, etc. Regarding consultants, those with certifications issued at the national level, particularly by the International Information Systems Security Certification Consortium ((ISC)²) and the ISACA for information systems security, and by the Business Continuity Institute (BCI) and the Disaster Recovery Institute International (DRII) for crisis management, are to be preferred.

[12] The qualitative impact will depend on the nature of the attack, situation and type of impact — related to legal matters, financial matters, production, image, social climate, skills, clients, suppliers, opportunities, etc.

[13] See the guides by the French Central Service for Information System Security (SCSSI) (1994), the French Central Information Systems Security Division (DCSSI) (2004), and D. Guinier (2006b) concerning the basis, preparation and implementation of organisational security policy.

[14] EBIOS is a method developed by the ANSSI.

[15] In France, the General Security Repository (RGS) is the regulatory framework established for the purpose of building trust in electronic exchanges in administration and with citizens, while adapting to companies’ challenges and needs.

[16] In Voyage au Congo (Travels in the Congo), published by Éditions Gallimard in 1927.

[17] See French Ministry of Justice (2014) and General Secretariat for Defence and National Security (SGDSN) (2015).