Cyber-crisis drill organized by the CLUSIF
Date : September 07, 2017
In June 2017, the CLUSIF (a French non-profit organization dedicated to information security topics) organized a cyber-crisis drill named “ECRANS 2017”.
It was a tabletop exercise simulating a crisis day, condensed into 3 hours. The scenario chosen was very realistic with regard to current threats: a medical analysis laboratory (an SME located in Bordeaux) is suddenly hit by crypto-ransomware, which blocks a number of computers in its information system. It can no longer deliver the medical analyses needed by a Paris hospital it works for. The drill involved 2 teams of players: the laboratory crisis team and the hospital crisis team.
We summarize below the presentations made by CLUSIF at the feedback conference held in Paris on the 28th of September 2017. The full conference is available (in French) on the CLUSIF website.
Note: CLUSIF also issued a guide (also in French) on cyber crisis management in February 2017.
The Organization Team must also be prepared...
A team of 10 people was mobilized to design and then lead the exercise. In particular, it included ANSSI (French national CERT) and BEFTI (French police force for IT crime) stakeholders who played their own roles. Other participants were involved to generate other stimuli (press contacts, patient phone calls, etc.) in order to "put pressure" on the players' teams and create a realistic exercise.
Creating and testing the exercise is therefore a substantial task. In particular, the test phase is essential to ensure that the exercise runs smoothly and, if necessary, to improve it. In terms of logistics, a video recording of the crisis rooms was made, and the "OpenEx" software (originally developed by ANSSI people) was used (see the project website, as well as this article on the Luatix.org website).
Cert-IST comment: We can also mention the Hynesim tool, developed by Diateam, which allows technical platforms to be simulated and thus technical cyber-attack exercises to be carried out.
Which organization for the crisis, especially cyber?
This presentation begins with the theoretical aspects of cyber crisis management:
- Crisis management teams: Decision-Making Crisis Team and Operational Crisis Team,
- Roles: Crisis Director, Project Management Office (PMO), Advisers (to provide the experts' point of view),
- The need for processes and means.
It then gives a series of recommendations, such as:
- Identify the actors and their deputies.
- Take a step back and put yourself in the attacker's shoes, because unlike most other types of crisis (natural disaster, etc.), here the opponent is a human being.
- Control communication and remain discreet about defence strategy.
French legal obligations with institutional bodies
The cyber crisis is often related to an intrusion into the company's networks. In recent years, legal constraints have obliged some companies to report security incidents to a relevant authority. As part of this feedback on crisis management, ANSSI explained the "who, what and how" in the field of security incident reporting. In short:
- Individuals, small and medium-sized enterprises (SMEs) outside the OIV, and local authorities outside the OIV have no reporting obligations. To assist these populations, the www.cybermalveillance.gouv.fr website has just been opened.
- OIVs (Vital Importance Operators) are obliged to report their incidents to the ANSSI.
- In the event of an incident involving personal data, telecommunications operators are obliged to notify the CNIL (French National Commission for Privacy) of the incidents.
This last category will evolve with the introduction of the RGPD (European Data Protection Regulation) in May 2018.
Note: The speaker indicated that the LPM (Loi de Programmation Militaire) and the obligations imposed on OIVs will serve as a model for transposing the European NIS (Network Information Security) Directive into French law. It will therefore (slightly) widen the perimeter to which the LPM applies: it will then be referred to as OSE (Operator of Essential Services) rather than OIV.
Communication, a strategic dimension of crisis management
Communication is not always properly taken into account in crisis units. The speaker gave the following advice:
- Don't deny that there is a crisis. Otherwise, there is a risk of creating a crisis in the crisis: a communication crisis in addition to the cyber crisis.
- Separate internal and external communication.
- Establish contact points that have the right to communicate with the outside world. This will avoid inconsistent communication, which occurs if several uncoordinated people speak.
- Avoid clumsiness (e.g. not answering, or saying too much), and speak authentically: to reassure, you have to say what you know and what you are doing.
Cyber attack? What about customer/supplier contracts?
This short presentation focuses on the contractual aspects of cyber crises: what does the contract with a provider say about a cyber crisis?
Generally speaking, very little. Whereas 20 years ago a cyber crisis could be considered a case of force majeure, this is clearly no longer the case now that cyber-attacks have become “regular” events.
It is therefore necessary to work on this subject and reflect on the contractual commitments that can be defined with suppliers (commitment to results? maximum service downtime? obligation to provide logs or resources? etc.). There is still a long way to go to reach a satisfactory situation.
The costs of a cyber crisis
This presentation provides examples of costs for recent incidents (Sony PSN, NotPetya). These costs vary greatly, depending on what is taken into account and the size of the company:
- What costs are taken into account?
- How to take into account the non-measurable costs (e.g. loss of confidence of suppliers, partners and customers)?
In fact, we quickly reach a limit and come to a point where the survival of the company is in question: do we have sufficient resources to cover the measurable costs, but above all can we survive the non-measurable costs?
The speaker also noted that the arrival next year of the RGPD would introduce new costs: the fine (maximum 4% of the annual revenue) and the cost of notification. Finally, the cost of correcting the defects that caused the crisis (in the case of a computer vulnerability) must also be taken into account.
Judicialization of a cyber attack
BEFTI (French police force for IT crime) provided a set of advice on filing a complaint and on the legal follow-up. Apart from the administrative aspects (who in the company must file the complaint? within what timeframe? with which administrative elements? etc.), very concrete elements were also proposed:
- Anticipate the crisis situation by clearly defining who is involved in crisis management, their missions and their replacements (absence management).
- Clearly identify the provider companies on which the information systems are based (in case of externalized services).
- Make sure that the logs are time stamped and unambiguous (sources clearly identified).
- Define with the service providers under what conditions (time and cost) the logs will be provided if necessary.
- Create a single email address allowing BEFTI to contact the company when processing the complaint. All the stakeholders involved (legal, administrative and technical) can thus be reached via this single channel.
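The point about time-stamped, unambiguous logs is easy to state and easy to get wrong: a line with a local time and no offset, or with no identified source host, cannot be reliably placed on a timeline alongside logs from other systems or from a service provider. The following Python script is an added illustration of such a readiness check; it is not part of the CLUSIF or BEFTI material. It assumes a constructed log format (ISO 8601 timestamp with explicit offset, then a source host, then the event text) and uses constructed sample lines and hostnames; it rejects lines whose timestamp has no timezone or whose source is missing, and normalizes accepted lines to UTC so events from different machines can be ordered unambiguously.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the article): one compliant line,
# two ambiguous ones (no offset / no year and no offset), one in UTC.
SAMPLE_LOGS = [
    "2017-06-15T09:12:03+02:00 labo-srv01 sshd[1044]: Accepted password for admin from 10.0.0.5",
    "2017-06-15 09:12:04 smb: file share access denied",
    "Jun 15 09:12:05 labo-ws07 explorer.exe: rename report.docx -> report.docx.locky",
    "2017-06-15T07:12:06Z labo-fs02 smbd[2201]: open /shares/analyses/report.docx",
]

# Assumed "unambiguous" shape: ISO 8601 timestamp carrying an explicit
# UTC offset (or Z), then a source host identifier, then the event text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3}|\.\d{6})?(?:Z|[+-]\d{2}:\d{2}))"
    r"\s+(?P<source>[A-Za-z0-9._-]+)\s+(?P<event>.+)$"
)


def check_line(line):
    """Validate one log line; on success return its source and UTC-normalized time."""
    m = LINE_RE.match(line)
    if not m:
        return {
            "ok": False,
            "line": line,
            "reason": "no ISO 8601 timestamp with UTC offset and source host",
        }
    # datetime.fromisoformat (Python 3.7+) accepts "+02:00" offsets but the
    # trailing "Z" only from 3.11, so map Z to an explicit zero offset first.
    dt = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    utc = dt.astimezone(timezone.utc)
    return {
        "ok": True,
        "line": line,
        "source": m.group("source"),
        "utc": utc.isoformat(),
        "event": m.group("event"),
    }


def audit(lines):
    """Split lines into a UTC-ordered timeline of usable events and a list of rejects."""
    results = [check_line(line) for line in lines]
    timeline = sorted((r for r in results if r["ok"]), key=lambda r: r["utc"])
    rejected = [r for r in results if not r["ok"]]
    return {"timeline": timeline, "rejected": rejected}


if __name__ == "__main__":
    report = audit(SAMPLE_LOGS)
    for r in report["timeline"]:
        print(f"{r['utc']}  {r['source']:<12} {r['event']}")
    for r in report["rejected"]:
        print(f"REJECTED ({r['reason']}): {r['line']}")
```

Running the script on the constructed sample shows the two well-formed lines ordered on a single UTC timeline (the +02:00 entry lands three seconds before the Z entry) and the two ambiguous lines rejected; a log source that regularly produces rejected lines is one to fix, or to raise with the provider, before a complaint ever has to be filed.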
Note: for the crypto-ransomware Locky, on which BEFTI was the centralizing body in France, the following figures were quoted by the speaker: 1 500 victims in France (Kaspersky estimate) and fewer than 100 complaints lodged.
Cert-IST comment: While the victim/complaint ratio (<10%) is not really surprising, the number of victims (1 500) seems extremely low. It was impossible for us to confirm this figure, because the figures announced on the Internet vary enormously: 469? 2372? 200 000 attempts/month?
Cert-IST’s conclusion:
With the growing number of cyber-attacks, more and more companies are looking to better prepare for this kind of crisis. CLUSIF's efforts in the area of crisis management are remarkable. The proposed models (see the guide mentioned at the beginning of this article) and the sharing of experience with the community are extremely useful to all.