Your Agency Experienced a Cyberattack — Now What?
Posted on September 24, 2021 by Bob Kaelin
MCP’s website is updated regularly with content pertaining to cybersecurity. So far, all of it has been focused on helping our clients prevent cyberattacks, or at least reduce their likelihood to the greatest extent possible. Of particular importance are the threat assessments that we regularly issue, and the “cyber chats” conducted each month by Mike Beagles, MCP’s director of technology and cybersecurity services, who is a certified Cisco CyberOps associate.
One of our clients recently suffered a significant cybersecurity breach that caused extensive damage to its networks and systems. (It’s important to note at this juncture that MCP is providing numerous services to this client, but none related to cybersecurity.) The city only discovered that it had been hacked when Federal Bureau of Investigation (FBI) agents visited its information technology (IT) department.
The FBI had been monitoring the dark web and found numerous indicators that something nefarious was happening. Digging further, aided by a white-hat hacker firm, they discovered that the cyberattacker not only had wormed his or her way into the city’s network infrastructure but also had been there for some time and had infiltrated many aspects of the city’s network. It was a very sophisticated attack that affected numerous organizations.
A Sophisticated and Devastating Attack
It also was a devastating attack. The city’s network infrastructure was destroyed, many network servers and devices were infected, and the Active Directory structure, which enables IT administrators to organize network elements into a hierarchical containment structure, was severely impacted. One of the outcomes was that the city’s 911 center had to operate without its computer-aided dispatch (CAD) system for a month — talk about stress! And because the network infrastructure was destroyed and the Active Directory was compromised severely, IT personnel in every affected agency had to touch every physical and virtual network device to assess and correct the damage, which complicated the recovery effort and lengthened the timeline. For example, the city’s police department had to reimage every device in use, e.g., in-vehicle laptops and in-station desktops, and then reload them with all of the requisite applications — now multiply this scenario across dozens of city agencies.
This event got me thinking, and the first thought that popped into my head was that no matter how vigilant an organization is, there’s a very good chance that a cyberattack will be successful. That’s because cyberattackers have become very sophisticated, they are very good at what they do, and their tactics evolve rapidly, seemingly by the hour. They also can be very persistent and patient and are highly motivated. In this way, a cyberattacker is very much like a burglar, who will spend weeks observing a target to determine whether it is worth breaching and if so, the best time and approach for doing so. And if a burglar really wants what is inside, he is going to find a way in.
Lessening the Severity of Cyberattacks When They Do Occur
All of that is not to say that you should give up on cybersecurity — it’s still good thinking to do everything possible to prevent cyberattacks. But it’s equally good thinking to develop a strategy and tactics designed to lessen the severity of such an attack if it occurs. Here’s where to start:
- It is imperative that a disaster-recovery (DR) plan exists that addresses, on a high level, the agency’s IT assets — it should be an element of the agency’s continuity-of-operations plan. It should be as comprehensive as possible, even to the point of contemplating scenarios that are highly unlikely. The DR plan should be exercised and updated regularly, at least annually.
- Expect that the DR plan doesn’t work exactly how you envisioned it — that’s why you exercise it, to discover the bugs and then fix them.
- It’s a good idea to place backup servers, applications, and databases in the cloud. In this example, the city’s on-premises primary and backup infrastructure — i.e., physical and virtual servers — was attacked and compromised, but everything that resided in the cloud came away unscathed.
- If a cyberattack occurs, immediately assess the specific damage, because the sooner that you do, the sooner that you can develop a post-attack mitigation plan. This seems intuitive, but planning often is neglected in the heat of the moment. Think of this in terms of a structure fire — firefighters never are sent into a burning building unless size-up has occurred and a plan for attacking the blaze has been developed. The temptation is to rush in and extinguish the blaze, but that’s exactly the wrong thing to do — if it’s an oil fire, you don’t want to pour water on the flames, or if the structure has been compromised, you don’t want to send firefighters to the roof. It works the same way when responding to a cyberattack.
- The mitigation plan should prioritize each IT capability category and determine the order that they are brought back online. In this example, the city identified three major categories — the network, the Active Directory, and the servers and applications that run on the network.
- After the initial prioritization occurs, the next step is to prioritize within each major category that has been identified. In this example, the 911 system, particularly the CAD system, was the top priority in the servers-and-applications category.
- After the mitigation plan is drafted, bring all stakeholders together to ensure that the priorities are correct and that they understand the plan’s timing.
- During the restoration process, be overly cautious and thorough — you don’t want to miss something and in doing so cause a reinfection.
MCP has numerous subject-matter experts who can help you develop strategies for preventing cyberattacks and mitigating them if they occur — please reach out.
Bob Kaelin is MCP’s vice president, public safety. He can be emailed at RobertKaelin@MissionCriticalPartners.com.