At hexegic we are well versed in the phrase “adapt, improvise and overcome” (with its origins in military strategy). Generally, we prefer not to rely on such a mantra, as so much in cyber security can be foreseen and tested with a proper Cyber Incident Response service rather than rapidly improvised. However, occasionally we are called into action on incidents where we have no prior visibility, and in those cases this mantra becomes our approach.
One such example was a call we received on a Sunday night from a CFO of a company we had not dealt with before, who had been passed our number on recommendation. He had been advised by his team that a sophisticated cyber attack had occurred resulting in data loss, and it was beyond their internal capabilities to deal with it.
We quickly organised a conference call with all relevant parties and started to enact one of our template Cyber Incident Response plans which we can use when the company has no such plans in place itself. We took the role of the Incident Response Director, Incident Technical Director and Incident Legal Director (with outside counsel) and had representation from the company on HR, Communications and Facilities to complete the Incident Response Core Team.
After deploying to site a number of hours later, our Operational and Forensics teams quickly set about working with the onsite IT team to isolate systems, identify the threat and the exploits they had used, and gather relevant forensics (although in this instance no criminal investigation followed). Meanwhile our Response Director worked with the Legal Director, C-Suite and the other heads of department to ascertain whether a reporting threshold had been met and to instigate internal and external communications to those affected.
By midday on Monday we were confident the situation had been recovered and we were moving to the mitigation phase, when our engineers noticed further behaviour symptomatic of another attack. This forced us directly back into the response phase, and we quickly had to adapt, improvise and overcome the new move by the attackers. In responding to this new threat it became apparent that the onsite IT team had forgotten to tell us about several legacy systems that existed onsite; because we were not aware of them, the attackers were able to gain another foothold whilst we were dealing with the first attack.
By the early hours of Tuesday, we were ready to declare the end of both incidents but held back because we wanted to verify the entire system of systems ourselves. This took several days more but at the end of the mitigation phase the company had drastically improved its posture against any further attacks and we had tailored our template plan so it was applicable to the company going forward.
We now have a Cyber Incident Response contract with the business which enables us to proactively review the plans they have in place for Cyber Incident Response, Business Continuity and Disaster Recovery, and moreover it enables us to exercise these plans to make sure they are robust and there are no more hidden systems!