Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face.
While we can’t equate the potential impact of a cyberattack to that of a hurricane, there is much that security leaders and teams can learn from existing physical disaster preparedness and recovery plans and can apply in a cyber crisis.
So how can organizations use the fundamentals taught by natural disasters to respond to a paralyzing ransomware attack?
Early in my career, I had an opportunity to work on the security team at the Florida Department of Health responding to cybersecurity incidents, and to serve as a member of the Emergency State Function (ESF) 8 (Health and Medical) team through Florida’s Department of Emergency Management. As you can imagine, Florida is quite experienced in dealing with highly disruptive natural crises.
Managing Chaos with Command Structures
Working with the State of Florida, I was required to take multiple courses in FEMA’s National Incident Management System (NIMS) principles, structures, and processes. These courses taught responders the basics of NIMS including the concept of Incident Command Systems (ICS), and the National Response Framework (NRF) to ensure everyone understood how their role and responsibilities supported the overall effort.
The concept of an ICS is an approach to command, control, and coordinate incident management by providing a common hierarchy within various disciplines. The five major functional areas according to FEMA’s NIMS Doctrine include Command, Operations, Planning, Logistics, and Finance/Administration. A single incident commander is assigned the responsibility of overall incident management.
A similar hierarchy can be applied to an organization responding to a crisis-level cyber event (i.e., ransomware), which is defined as a cyberattack that escalates beyond traditional incident response and threatens the entirety of an organization. Each functional business unit (communications, legal, risk and compliance, etc.) must work in unison to effectively respond. An incident commander (traditionally the CISO) must be assigned to manage the overall response effort. By applying this battle-tested methodology, companies can use the existing wisdom gained from very complex disruptive events to plan for the many ways cyberattacks can suddenly disrupt their operations.
One of the aspects I got to work on, and which was meaningful to me, was to ensure the Department of Health was prepared for a hurricane by ensuring business continuity processes and tooling were available and properly displaced throughout the state. Each year, we would refresh our “hurricane” laptops to ensure each one was up-to-date, secure, and ready at a moment’s notice to be deployed into the field. We would ensure that all regional sites within the state had the required equipment available to support all county health departments, children’s medical services, and rapid response strike teams throughout the State of Florida.
Likewise, today’s organizations must also be prepared for cyberattacks using their business continuity processes and tooling. Having proper system backups is essential when dealing with a cyberattack. These backups must be maintained and tested regularly to ensure their ability to restore operations. Organizations should also test any alternative communication mediums if the primary network is compromised or unavailable. IBM Security X-Force Incident Response recommends organizations establish secondary communications using the P.A.C.E. model (Primary, Alternative, Contingency, and Emergency). The same can easily apply to having extra staff on call, and any other aspect of the business that requires a fallback.
Where Do I Start? Have a Plan
Step one in preparing for a natural disaster is to have a plan. This is where business continuity and disaster recovery plans come in handy. These plans help businesses prepare for the worst and develop processes and procedures to effectively respond to any event, including natural, man-made, and cyber crises. During cyber events, it is also important to have plans. Organizations should have incident response plans for technical response and cyber crisis management plans for a whole-of-business response, along with accompanying playbooks. These plans can help organizations like yours respond to a cyber event and minimize its impact.
Test Your Plans
Hurricane season may only last 6 months out of a year, but preparation goes on year-round. As a member of the ESF-8, we were constantly participating in training exercises both statewide, as well as agency specific, to test our equipment, processes, and procedures.
Similarly, organizations should be constantly preparing for when that cyber crisis event will happen. Reviewing and testing all plans (incident response, cyber crisis management, business continuity and disaster recovery) and playbooks, both technical (ransomware, data exfiltration, etc.) and functional (crisis communications, legal, etc.) at least annually is recommended.
Communication is key when dealing with a hurricane. Emergency management teams have dedicated functional sections that focus on communications. They monitor social media, coordinate public statements, and provide various approved communications to ensure all affected parties have the information needed. Sometimes, they even set up call centers to give victims an opportunity to have potentially life-threatening questions answered.
In a successful ransomware attack, the make-or-break moment for an organization is its ability to communicate. Waiting too long to address customers, impacted individuals, and the public can destroy an organization’s reputation and customer loyalty. Getting ahead of the story gives an organization a chance to explain what is happening and what it is doing about it to help its customers as much as it can.
To cut down on the time it takes them to break the news before the attacker does, organizations should have a crisis communications plan, which includes a defined communication process, dedicated roles and responsibilities, and pre-approved response templates that can be quickly modified (and approved) to be released.
Organizations that train incident responders instill generalized concepts and frameworks to help effectively respond to natural disasters and other crises. These same concepts and frameworks can also be used to help organizations think about crisis response in a structured manner. But whether you are getting ready to deal with a cyber crisis or a hurricane, don’t wait until it’s too late to prepare.
To learn more about IBM’s Incident Response team and services, check out www.ibm.com/security/incident-response
Senior Consultant, IBM X-Force IR