Pierre-Luc Robert, Incident Response Expert, was a speaker at the Forensik Conference 2020. We took advantage of his participation to ask him questions about his talk, which focused on the steps to take in the event of a cybersecurity incident.

For this 4th episode of season 2 of our INTRASEC podcast, we discussed:

  • the growth of cyber threats;
  • the importance of incident response plans to limit impacts and be able to react more quickly;
  • and finally, how companies can equip themselves to respond effectively to potential attacks.

During your presentation, you talked about a phishing or ransomware incident response playbook … Can you clarify those two terms?

Phishing refers to malicious emails that are sent to us. Often this is a vector of infection, while ransomware is usually the last stage of infection. We’re going to encrypt your data and demand a ransom by saying “if you want to get your data back, you have to pay us [a certain] number of bitcoins.”

As part of your conference, you also focused on small and medium-sized businesses. Is there a specific reason? Are the attacks increasing for these types of businesses, or are they businesses that are unaware of the risks?

Either way, the answer is yes. SMEs are more and more victims of cyberattacks. For example, 1 in 5 SMEs have already encountered a cybersecurity incident. And these small companies are targeted because they are easy prey.

When you’re a multinational, an IBM of this world, Microsoft, etc., these big companies have big budgets allocated to cybersecurity. This allows them to be agile and to prepare for cyber attacks. It allows them to have one or more cyber attack response playbooks prepared by large teams of security experts. However, an SME does not have the same human and financial resources. In recent years, I have supported many SMEs that were not ready to face this type of event. So that’s kind of why I wanted to give this presentation at the Forensik Conference: it’s to help SMEs.

Before getting to the heart of your presentation, I wanted to talk about two statistics that jumped out at me: the cost of an attack for an SME and the time required to put the systems back in place. I know that was not the most important part of your presentation, but do you have any idea why these increases were so marked?

First, I should clarify that these numbers are not strictly specific to small businesses. These are aggregate statistics. As for the increases, that is my opinion and I have no sources to confirm it, but it could be explained by new ways of working. By switching to telework, for example, systems are more exposed to risks and therefore more vulnerable. And the more systems are affected, the more it costs.

There are also more and more targeted campaigns. These campaigns take longer to plan, but when executed, they do a full encryption of your data. And so there, they’re really going to have a global impact on the business.

That’s it … because you also mentioned that the phishing attacks were no longer those of Nigerian princes …

Indeed, I see more and more of them who are doing better and better. There are still crude ones with a misspelling every three words. But we see more and more attacks where the company logo is included and something contextual is added, which makes the email even more believable. And unfortunately, this type of campaign is going to have a higher success rate.

And so, the purpose of your talk was to cover the basics of a playbook … So what exactly is a playbook? Is this a list of how to respond to this type of incident?

When we talk about playbooks, we can think of basketball coaches. It is a list of hypothetical situations: depending on the situation, this is my team, this is what we are going to do, etc. Simply put, we’ve taken the term and applied it to cybersecurity.

We replace the opposing team with a bad guy and say “here are the steps” that will allow us to reach our goal. In this case, it’s not about scoring points, but about being able to get back to our regular operations.

Generally, what are the steps in a good playbook? What do SMEs often forget?

The playbook I shared is pretty conventional and covers a lot of important points. But for me the most important lesson is a bit like everyday life: “if you don’t know what to do, stop and go get help”.

It can be an external team, it can be documentation, whatever. You just have to take the time to analyze the situation properly and then choose how to react.

I have had clients in the past whose first instinct was to erase everything and reinstall the server from a healthy image. The problem with that is that you were able to get back on your feet, but you don’t know what happened and you can’t tell. In other words, we cannot even learn from the experience, nor identify the vulnerabilities …

Thinking back to the steps in your conference, you recommend to “stop everything”, then to contact the experts. To my surprise, the technical expert is only third on the list, the first being the insurer and the second being the lawyer.

The insurer may have their own requirements and they may also recommend technical experts to us. And since we also want to be reimbursed, or for part of the costs to be borne by the insurer, we make sure that they are happy!

That being said, the order isn’t absolute, but it’s worth knowing what can be done. And the lawyer and the insurer are the ones who can help you in this kind of situation.

Because the lawyer may also have requirements on what to look for or what to say?

For example, the lawyer wants to make sure that the case submitted to the insurer is solid, so he will be able to help you know what you need to collect.

If I understand correctly, if we focus only on the response, we will treat the incident as an infrastructure problem, whereas with a lawyer, it will no longer be treated as an infrastructure problem but as a business problem, which has strategic implications?

Malicious software, we agree, is never exclusively a technical issue. As a result, in my opinion, legal advice is always required.

There are so many impacts that are difficult to assess in the heat of the moment. In addition, malware rarely happens on its own. Often the goal is to leak information. Some might say they don’t have confidential information, but I don’t know of a company that actually has none. If only that of employees, some of which is personal information. And this is where the help of a lawyer becomes essential.

When a problem arises, you must stop to avoid introducing problems. The second step is to take notes on the incident response. What should these notes look like?

The thread of events, for example. I have never had too much information. If there are screenshots, I want them, etc. At a minimum, it takes a timeline of events. What has happened in the last few hours, days, months …? So much can happen in this time.

Without notes, it is clear that this question cannot be answered reliably. If you don’t have a date or time, for example, to know the connections that preceded the encryption, it will be very difficult to find what you are looking for; it would be like looking for a needle in a haystack.

So all of this documentation is going to be useful … all the time. Because we might want to stop and check if we worked in the right order, especially if there is a reinfection.

How do we close the loop? What is the last step?

In fact, that’s a really good point, because the last step is where you can add value. Before that, it mostly cost money to investigate, to get back on track, etc.

Usually I like to do that with a meeting. We discuss with the various stakeholders what worked, what did not work, etc. Just discussing it allows points to be clarified. The timeline of events is also going to be super important at this point. Review everything we did, in what order, question it, etc. And the result becomes the starting point of our playbook.

Because usually there aren’t any before that?

Few small businesses have it …

Because of the lack of documentation and the lack of a designated leader, we end up with calls where everyone is on the line trying to speak with the technical team. In short, playbooks are something I highly recommend. Besides, it doesn’t have to be complex. If we just take my slides, print them out, and decide it’s our playbook, it’s already better than having nothing. And the next iteration is going to be even better.

There are also existing playbooks. For example, on Société Générale’s GitHub you can find their incident response playbooks. There is documentation, you just have to look for it!

You presented 6 steps during your conference: 1. Prepare and get in touch with the right experts; 2. Identify the perimeter; 3. Isolate infected machines; 4. Eradicate and remediate; 5. Restore, ensuring that no machine re-enters the network without evaluation; and 6. Do the post-mortem and learn from it. Are these 6 steps common to any type of incident?

These 6 steps are pretty standard, especially in the event of a ransomware attack … By the way, I looked at the Société Générale playbook, and it also covers these 6 steps! In any case, at least in the event of a cyber incident, you should call the insurer and the lawyer, and if possible a technical team, external or internal, with whom you can work.

Need help developing your cybersecurity incident response plans? Contact our experts now!

Find the full interview in French with Pierre-Luc Robert on Ausha, Spotify, Apple Podcasts, Google Podcasts and Podcast Addict.