How to respond to a large-scale cyber attack

Guest blog by Tim Brown, CISO & Vice President of Security at SolarWinds #techUKCyber2023

October is cybersecurity awareness month. A dedicated month for the public and private sectors to work together to raise awareness about the importance of cybersecurity. And for me, it’s a reminder to reflect and learn from the past.

In early December 2020, nation-state threat actors exploited SolarWinds software in what would later be known as SUNBURST. With cybersecurity month upon us, I thought it would be a good time to reflect and share the lessons I learned being part of an organisation that experienced such a large-scale cyber attack and our response.

Preparation is key

I often refer to the days immediately following the attack as ‘controlled chaos.’

While the specific incident was certainly unexpected, the idea of an attack absolutely wasn’t unanticipated. We had planned extensively for an incident like this to happen. As a result, for all the chaos, we were prepared and felt in control.

As part of our preparations, we ran tabletop exercises, planned for different scenarios, mapped out hypothetical intrusions, tested our response methods, and looked for and plugged potential security holes. We also built an incident response team made up of representatives from across the company. It included members from our security, legal, marketing, IT, and engineering teams, and our board of directors.

When I talk to others who are looking at planning their threat response, this is what I tell them to consider:

Do you have a cybersecurity incident response playbook?
Have you performed tabletop exercises and run various attack scenarios?
Do you have the right people on the incident response team—a good mix of strategic and tactical expertise?
Do you have ways to contact people, even on the weekend (or during a pandemic)?
Do you have a list of backup contacts in case someone isn’t available?
Do you have alternative communication methods established in case you cannot trust your existing ones?

Creating an agile team is vital for your response

Having one big team is not the answer for an effective response to a cyberattack. Splitting our team into multiple smaller teams overseen by leaders within their respective department was vital for allowing us to work independently. Each evening we reconvened to share learnings and discuss solutions and ideas.

We found this step absolutely necessary for planning what we did next. We needed the entire team to focus on their area of the response, whether it was the engineering team focusing on how the attack affected our build, or our communications team creating responses for customers, partners, and the press.

But this didn’t come without its complexities. We quickly learned it was difficult to organise our teams without third-party support, so we brought in an external organisation to coordinate our teams’ work – from setting up meetings to sharing knowledge and information at crucial times.

It’s important to ask yourself questions, such as: do we have a plan in place to get teams together? Do we have enough teams to cover every aspect of our business?

For us, having teams in place really made the difference but realising quickly that we needed extra third-party support to organise our teams allowed us to be agile, together, and fully committed to one another.

Misinformation spreads like wildfire

I remember particular things about the attack, and one big problem we had was the amount of misinformation on social media.

To help, we partnered with reputable and experienced organisations like the Cybersecurity and Infrastructure Agency (CISA), Krebs Stamos Group, and others. These organisations performed forensics while helping us to simplify the truth about the attack. People needed to understand that this was not just an isolated incident. These organisations allowed us to focus on our customers – answering their questions, assuring them, and making sure they were secure and protected. One thing I like to share with others is bringing in the right partner can help you stay focussed and protect your customers at a critical time.

Always push for more

Finally, I think it’s important that we did more than simply fixing the issue, including finding the source for SUNBURST and making it publicly available. We testified before Congress in the United States. We implemented assistance programmes to help our customers. We held briefings with the FBI and other global law enforcement agencies.

We wanted to ensure the world knew what we were doing and why we were doing it.

We were helping others to understand what we experienced, so they could be better prepared for the future. We were transparent, and we came out of the attack stronger, creating products and services that others were happy to use; making them Secure by Design.

Supply chain security is now front of mind for many. Executive orders and cyber security strategies are leading us toward attestation for software security. Executive and boardroom conversations have security as a necessary topic, and the security defenders of the world are being looked upon for guidance in managing cyber risk.

We are now stronger and more resilient than ever – and I hope that what I have shared here helps make your organisation stronger this cybersecurity awareness month.

Cyber Security Programme

The Cyber Security Programme provides a channel for our industry to engage with commercial and government partners to support growth in this vital sector, which underpins and enables all organisations. The programme brings together industry and government to overcome the joint challenges the sector faces and to pursue key opportunities to ensure the UK remains a leading cyber nation, including on issues such as the developing threat, bridging the skills gap and secure-by-design.

Learn more