Module IV·Article V·~1 min read

Incident Management and Recovery After Cyberattacks

Cybersecurity and Risk


When the Attack Happens, Not If

The question is not "if" an attack happens, but "when". Accepting this changes the approach: from "prevent at any cost" to "prevent as much as possible, and prepare to respond when prevention fails".

Incident Response Lifecycle (NIST SP 800-61)

1. Preparation: a CIRT (Computer Incident Response Team); a response plan; playbooks for typical incidents; communication chains; contacts for the insurer, lawyer and PR.

2. Detection and Analysis: sources are SIEM alerts, user complaints and external notifications (partners, regulators). Assessment covers scope (which systems are affected), type (what kind of incident) and severity.

3. Containment: immediate (isolate infected systems, i.e. disconnect them from the network) and long-term (determine the root cause, eliminate the attack vector).

4. Eradication: remove malware, close the vulnerabilities that were exploited, change compromised credentials.

5. Recovery: gradual return of systems to operation, with monitoring for re-infection.

6. Post-Incident Review: what happened? How were we breached? What did we do right and wrong? What changes are we making?
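The "Detection and Analysis" step above boils down to turning alerts from several intake channels into one assessment of scope, type and severity, which then drives immediate containment. The following is an added illustration, not code from the course: the alert records, the `CATEGORY_TO_TYPE` mapping and the severity thresholds are constructed assumptions, and `assess()` is a hypothetical triage helper rather than any SIEM's own API.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed alert records in a normalized shape (hypothetical sample data).
# "source" follows the article's three intake channels: SIEM, users, external parties.
SAMPLE_ALERTS = [
    {"source": "siem", "host": "fs-01", "category": "ransomware", "severity": 5},
    {"source": "siem", "host": "fs-01", "category": "mass_file_rename", "severity": 4},
    {"source": "user_complaint", "host": "ws-0412", "category": "files_unreadable", "severity": 3},
    {"source": "siem", "host": "ws-0417", "category": "ransomware", "severity": 5},
    {"source": "external_notification", "host": "mail-gw", "category": "abuse_report", "severity": 2},
]

# Assumed mapping from alert category (a symptom) to incident type (the playbook to open).
CATEGORY_TO_TYPE = {
    "ransomware": "ransomware",
    "mass_file_rename": "ransomware",
    "files_unreadable": "ransomware",
    "abuse_report": "phishing_or_spam",
}


@dataclass
class Assessment:
    incident_type: str   # which playbook applies
    scope_hosts: list    # affected systems, sorted
    severity: str        # low / medium / high / critical
    sources: dict        # how many related alerts came from each intake channel
    isolate: list        # hosts the immediate-containment step should disconnect


def severity_label(max_score, host_count):
    """Assumed severity policy: scope amplifies the worst single alert score,
    because the same malware on several hosts means it is spreading."""
    if max_score >= 5 or (max_score >= 4 and host_count >= 2):
        return "critical"
    if max_score >= 4 or host_count >= 3:
        return "high"
    if max_score >= 3:
        return "medium"
    return "low"


def assess(alerts):
    """Group alerts by incident type, take the dominant type, and derive
    scope, severity and the list of hosts to isolate for that type."""
    if not alerts:
        raise ValueError("no alerts to assess")
    type_of = lambda a: CATEGORY_TO_TYPE.get(a["category"], "unknown")
    incident_type = Counter(type_of(a) for a in alerts).most_common(1)[0][0]
    related = [a for a in alerts if type_of(a) == incident_type]
    hosts = sorted({a["host"] for a in related})
    max_score = max(a["severity"] for a in related)
    sources = dict(Counter(a["source"] for a in related))
    # Immediate containment per the article: ransomware-affected hosts come off the network.
    isolate = list(hosts) if incident_type == "ransomware" else []
    return Assessment(incident_type, hosts, severity_label(max_score, len(hosts)), sources, isolate)


if __name__ == "__main__":
    print(assess(SAMPLE_ALERTS))
```

Note that the user complaint about unreadable files is correlated with the SIEM detections into the same incident, so the scope is three hosts rather than the two the SIEM alone saw; that is the point of treating user reports as a detection source.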

Ransomware: To Pay or Not to Pay?

The dilemma: paying the ransom promises quick restoration, but it finances criminals, gives no guarantee that the decryption works, and marks you as an "easy target" for repeat attacks. Not paying requires reliable backups, and recovery may take weeks.

Companies with mature backup systems (the 3-2-1 rule: 3 copies, on 2 different media, 1 of them offsite) can recover without paying the ransom.
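The 3-2-1 rule is simple enough to check mechanically against a backup inventory, and the same check is a natural place for two things a practitioner adds in practice: whether at least one copy is immutable or offline (ransomware operators with administrator access routinely encrypt or delete every backup they can reach), and how old the newest copy is, since that age is the data you lose when restoring. The code below is an added example, not from the course; the `BackupCopy` record, the inventory and the allowed age are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    location: str        # site or service holding the copy
    medium: str          # "disk", "tape", "object-storage", ...
    offsite: bool        # stored away from the production site
    immutable: bool      # cannot be altered or deleted with production credentials
    taken_at: datetime   # most recent completed backup on this copy


@dataclass
class BackupReport:
    copies: int
    media: int
    offsite: int
    newest_age: object   # timedelta, or None when the inventory is empty
    meets_321: bool
    findings: list = field(default_factory=list)


# Assumed recovery point objective: the newest copy may be at most one day old.
DEFAULT_MAX_AGE = timedelta(days=1)


def check_321(copies, now, max_age=DEFAULT_MAX_AGE):
    """Evaluate an inventory against 3-2-1, then against two extra practical checks."""
    findings = []
    media = {c.medium for c in copies}
    offsite = [c for c in copies if c.offsite]
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (3-2-1 requires 3)")
    if len(media) < 2:
        findings.append(f"only {len(media)} medium type(s) (3-2-1 requires 2)")
    if not offsite:
        findings.append("no offsite copy (3-2-1 requires 1)")
    meets_321 = not findings  # the rule itself is satisfied only if nothing above fired

    # Extra check 1: an attacker who owns production must not be able to destroy every copy.
    if not any(c.immutable for c in copies):
        findings.append("no immutable/offline copy: reachable backups can be encrypted or deleted")

    # Extra check 2: age of the newest copy is the data loss on restore.
    newest_age = now - max(c.taken_at for c in copies) if copies else None
    if newest_age is None:
        findings.append("no backups at all")
    elif newest_age > max_age:
        findings.append(f"newest copy is {newest_age.days} day(s) old, allowed {max_age.days}")

    return BackupReport(len(copies), len(media), len(offsite), newest_age, meets_321, findings)


# Constructed "current time" and inventory (sample data, not a real environment).
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    BackupCopy("hq-datacenter", "disk", offsite=False, immutable=False, taken_at=NOW - timedelta(days=3)),
    BackupCopy("offsite-vault", "tape", offsite=True, immutable=True, taken_at=NOW - timedelta(days=7)),
    BackupCopy("cloud-bucket", "object-storage", offsite=True, immutable=False, taken_at=NOW - timedelta(days=3)),
]
# A weaker inventory: two disk copies in the same building, both ten days old.
WEAK_INVENTORY = [
    BackupCopy("hq-datacenter", "disk", offsite=False, immutable=False, taken_at=NOW - timedelta(days=10)),
    BackupCopy("hq-annex", "disk", offsite=False, immutable=False, taken_at=NOW - timedelta(days=10)),
]


if __name__ == "__main__":
    for name, inv in (("sample", SAMPLE_INVENTORY), ("weak", WEAK_INVENTORY)):
        r = check_321(inv, NOW)
        print(name, "meets 3-2-1:", r.meets_321)
        for f in r.findings:
            print("  -", f)
```

The sample inventory passes 3-2-1 yet still produces a finding, because its newest copy is three days old against a one-day allowance; that gap between "we have backups" and "we can restore to an acceptable point" is exactly what the recovery step has to live with.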

Practical Assignment

A manufacturing company has become a victim of ransomware. All files are encrypted, the demand is $500,000 in Bitcoin. The company has backups that are 3 days old. (1) What is your first step? (2) Who should be notified (internal, external, regulatory)? (3) Should you pay or restore from backups — weigh the arguments. (4) How can you ensure that the attack does not recur?
