Cyber incident response

December 13, 2021

It was the middle of lockdown when cyber-criminals attacked a German manufacturing conglomerate. The breach wasn’t detected for two weeks, and by then it had spread throughout their network.

They had well-drilled cyber incident response plans and they swung into action, analysing the situation, then working to secure the perimeter, contain the attack, and assess the damage. But their CISO was frustrated: whatever they did, the attackers were one step ahead.

Why did it take so long? It wasn’t because their team was dragging their feet. It turned out the attackers had penetrated their productivity tools, including the well-known collaboration app the incident response team were using to co-ordinate their efforts. The attackers could listen to calls and read messages, so whatever the response team tried, the attackers were prepared.

Bad things #2 and #3

The CISO received authorisation to sever all access to their productivity and collaboration environment to keep the attackers out. But this left employees unable to communicate too, and prevented the CEO from letting everyone know what was going on. The organisation had become tremendously dependent on their digital communication and collaboration tools following their accelerated digital transformation during the pandemic. Critical activities ground to a halt, causing financial losses and reputational damage with their customers and industry partners.

This bold step contained the attack, and IT teams could finally focus on securing the network and begin restoring primary systems and data. This process would take several weeks – the future looked bleak, but their industry partners and other third parties rallied round the stricken company offering them practical help and support. They didn’t ask for payment, but a promise: please help us when it’s our turn.

Business continuity

During this period of disruption, the business purchased several licenses for another collaboration tool to try to restart communication and begin restoring their critical activities. This had limited success, however, as they had tens of thousands of scheduled collaboration meetings every day, along with a further complex web of information contained in their primary collaboration tool.

In total, it took around 6 weeks from detection of the breach until primary systems were up and running again.

A worrying trend

While I found their story extraordinary, this German business is clearly not unique in suffering from a cyber-attack. Worryingly, cyber-attacks are growing in sophistication and frequency, increasing their impact for victims. This is particularly true for ransomware attacks, which rose by 148% in 2020, with the record for ransom payments recently being broken at $40 million for a single ransom by a US insurer.

Resilient businesses are reacting to this evolving threat by reviewing their cybersecurity posture to predict and prevent cyber-attacks, while improving their cyber incident response plans to ensure that if the worst happens, they’re ready.

A team effort

It’s clear to me that effectively responding to a cyber incident is a team game. It’s been a joy to assist clients, like the German business above, with a solution that they can put in their toolbox to help them excel during their most stressful hours. That tool is StarLeaf Standby.

At its core, Standby is a digital communications and collaboration failover service which can be enabled to replicate your primary environment in an instant, then notify your colleagues via email and SMS about the disruption, allowing them to remain productive and your business to meet recovery time objectives for critical activities. This core functionality is augmented with a suite of tools that assist crisis management and cyber response teams through the incident, where effective collaboration is key at every step.

I’ll run you through how Standby could have helped through the attack discussed above.

Confidential, secure, and robust

Throughout the lifecycle of the cyber incident, Standby provides a confidential, secure, and robust environment for cyber incident responders to collaborate. As it is operationally air-gapped from your primary platform, it protects against would-be snoopers, and as a standalone cloud service, it can even be installed on personal devices as an added layer of security.

Cyber incident response is a team game, so Standby supports cross-organisational collaboration. This allows your response team to work with third parties, such as your backup and disaster recovery providers, to ensure that your response is both effective and swift.

Act decisively

By providing collaboration failover, Standby allows incident response teams to act decisively to contain an attack, even if this means removing employee access from their primary office productivity and collaboration platform. They can take this drastic measure safe in the knowledge that any impact on critical activities is mitigated. StarLeaf also works with business continuity professionals with this single goal in mind: protecting critical activities that depend on digital communication and collaboration tools. Cyber incidents are one of many threats facing these activities.

Realistic recovery times

With critical activities able to continue using Standby, recovery operations can take place on a realistic timescale. This may even make it possible to restore from backup rather than pay a ransom, where otherwise the time taken to recover would have caused damages in excess of the ransom value.

Ready to protect your business with StarLeaf Standby? Find out more or book a demo

Steve Raffe,
VP Strategy & Global Alliances, StarLeaf