When the last wall falls: 4 lessons from 2017 cyber-crisis management

#cybercrisis #crisis management #cyberattack #Wannacry #NotPetya

I was recently asked by a French multinational to present the main lessons learnt from 2017 cyber-crises. Here are my four take-aways.

LESSON 1: What you see might be what the attacker wants you to see…

205: this is the jaw-dropping median number of days a hacking group is present on a victim’s network before being detected! What’s worse, only 31% of hacking victims discover the breach themselves (the remaining 69% being notified by an external party). When you reach the crisis stage, it is highly likely that the hacker has been able to carefully craft his attack and anticipate your reactions. But then, he knows the countdown is ticking for him. Suddenly, all attacked resources turn against him. Those first minutes after he is spotted are his last time window to roll out his attack. He knows more than you do… for a brief moment. Be sure he will use them with great, pre-planned care to hurt the most. It is also anticipated that he will have designed some diversions to cover his main action. In this pivotal moment, be mindful that what you see might be what he wants you to see the most.

LESSON 2: By thinking ahead, you decrease the odds against you.

Sound cyber-crisis response strategy invariably include 4 steps:

– Detection, identification and qualification
– Containment
– Remediation & eradiction
– Recovery

However, depending on the attack scenario, the actions within each step may vary in content and extent. Planning ahead these responses (typically between 6 and 10) within that general 4-step framework allows to gain precious minutes when there are most needed (Cf. Lesson 1).

LESSON 3: We are not alike when dealing with a crisis.

I have played a crisis quizz game with various audiences across a wide variety of industries that always yield comparable results: when asked to choose one of three possible crisis management strategies derived from real-life cases, crisis management team members never unanimously choose one winning strategy. Their answers usually spread between two of the three possible answers in proportions that varies from 70/30 to 50/50, depending on the case. Whether you like it or not, you “bring your mother” in the crisis room. Your reactions, behaviours and decision-making processes in crisis management are all heavily influenced by your personal history, your life experiences, your trauma, successes and risk appetite profile.

LESSON 4: If you (cyber) exercise regularly, your decision-making time will be divided by two.

The main lesson I learnt from coordinating over 50 crisis management exercises is that trained teams usually cut their response time by almost one half. The issue with most cyber-crisis exercises is that they fall short of conveying a real sense of urgency because they lack credibility. Use the best insiders to develop a memorable and immersive case. The more real the scenario, the more involved the participants. Preparing for a three-hour exercise may take as much as 100 mandays if the exercise includes several crisis teams spread across the globe, with a complex unfolding of technical events. And remember that the response capability grows parallel to an organization’s internalized memory of already-faced scenarios. Capitalizing on lessons learned during exercises greatly enhances the organization’s response library.

L’expertise au centre de notre stratégie de croissance