In the immediate stages following an incident you may not know for sure whether you are experiencing a 'normal' technical incident or a cyber attack.
The first thing you will need to do is assess what has been impacted and determine whether a cyber incident is likely.
Even where an attack is confirmed, some of the potential implications might not be immediately obvious. Threat actors continue to adapt their techniques. For example, a ransomware attack may have prioritised exfiltration of sensitive data rather than encryption of your systems.
Seek expert advice to help you assess the nature of the incident, potential impacts and decide on the immediate steps to take.
Once you know that you have experienced, or are experiencing, an attack you need to act. Key steps to take include:
- Engaging expert help from a cyber response partner. You may also be able to access the MHCLG Cyber Incident Response service, which can provide support from an NCSC-assured provider. Access is based on the severity of the incident and is triggered following a report to the NCSC.
- Isolating affected systems and any systems at risk.
- Securing access, including resetting accounts where compromise is suspected.
- Deciding which systems and services are safe to leave in operation. For example cloud-based services such as email, telephony and your website might appear to be unaffected but you may still need to take steps to ensure accounts haven’t been compromised. Seek professional advice where needed.
Remember, even after an initial incident has occurred, attackers may still remain active in your systems and network.
- Report the incident to the National Cyber Security Centre (NCSC) as early as possible using their incident reporting portal.
- Based on this report, MHCLG will assess whether your incident meets the threshold for support through the Cyber Incident Response (CIR) service. If activated, an NCSC-assured provider will contact you to begin containment and eradication.
- If the incident does not meet the threshold, support and coordination may still be provided through existing government channels.
Use your existing plans as a starting point but be prepared to adapt those as needed. Depending on the specific details of the incident, your normal disaster recovery arrangements may not be available to you. Use your own technical experts and external cyber response partners to determine what actions can be taken immediately, and where you will need to do more detailed analysis before you can decide on the right steps to take.
Prepare the coordination of your response
Plan how you will organise your response and consider how you will establish effective leadership and coordination. Make sure you are clear about the dependencies across your technical recovery, your business continuity response and the plans you will need to make for data breach risk mitigation. Make sure you establish clear arrangements to manage coordination across these.
Consider how you should best align your people with the work that will be needed through your response. The recovery is likely to be intensive and complex. Plan for how you can best use your team’s skills. Set up workstreams that will help you organise your work and don’t underestimate the work involved in your data breach response, which can be just as complex as the technical recovery and business continuity measures that you will be putting in place.
Make sure that you are setting clear priorities for your response and recovery. Depending on the nature of the incident you may have large numbers of systems unavailable and many critical services impacted. Your incident response plan should already help you set priorities, but be prepared for the need to reassess this once you are clear about the scale of the impacts. Make sure that you have clear principles that will guide your priorities and enable your teams to make decisions.
Set up processes for maintaining records of your response
As with any significant incident response, make sure that you maintain records of the decisions you make, the information you have considered and the costs that you incur. Setting up effective processes to do this from the start of your response will enable you to have accurate contemporaneous records and assist with any later review and cost recovery. Consider assigning team members dedicated to making sure you have good records from your recovery and coordination meetings to assist with this.
Building a clear picture of the attack
As you work with your expert response partner to investigate the attack you will build a clearer picture of how the attack was executed and the vulnerabilities which have been exploited. This is critical as it will help you to make sure that you are taking the right steps to recover as quickly and safely as possible.
Be prepared for this to take time to complete and make sure that you are dedicating the right expert members of your team to support this work. Ensure you spend time communicating progress on this in non-technical language to leadership as part of any updates you give.
Managing your technical recovery
As your understanding of the impacts of the attack and how it was carried out becomes clearer, use this to validate your disaster recovery plans and confirm that you will be able to deploy them as expected (or make any changes needed to reflect what you learn).
As you progress with your recovery, make sure that you are considering the whole service, not just the systems. Assess the impacts of any lost data based on your restore point, plan how data created during business continuity will be reincorporated into recovered systems, and coordinate closely with service teams to align system recovery with continuity and service restoration work.
Keep prioritisation under regular review to make sure that it reflects your technical investigations and remains consistent with the principles that you have set. You may need to reprioritise your work to take account of obstacles, opportunities and the changing position with services. For example, depending on timings you may find that specific events such as forthcoming elections or year-end work will alter the priorities that you would otherwise set or have planned for.
Making sure that you are recovering safely
Balance the urgency of restoring services against the need to make sure that you are recovering safely. Recovery may need to be slowed to ensure that necessary security testing and mitigations can be carried out as systems are restored. Make sure that no system is returned into live use before you are confident that it is secure and any vulnerabilities that attackers could exploit have been mitigated. Work with your expert cyber response partner to do this.
Plotting a path back to normal
As your recovery progresses the intensity of your work will reduce and the steps needed to achieve a return to normal service delivery will become clearer. Review whether you can reduce the cadence of updates and monitoring meetings, but make sure that you don’t step down the effective coordination of your response prematurely.
Keep your recovery focused on full restoration of services, not just systems. Provide support to service teams as data is brought back up to date and backlogs of work are resolved. This will require continued senior leadership focus, ongoing technical support and continued coordination and record keeping.
As you step down your emergency response arrangements, make sure that each step to reduce the intensity of coordination is carefully considered and supported by clear, recorded decisions. This will help you to make sure you don’t miss important steps and will support your communications with residents, local businesses, staff and partners.