Incident Resolution When You WannaCry


If your communications systems are based on your internal network, and that network comes under attack, your ability to fight back will be limited.


Crisis Communications for the Cybersecurity Age

On May 12th, 2017, an unknown hostile actor wreaked havoc on the UK's National Health Service (NHS) as well as FedEx, Telefonica, and Deutsche Bahn with the WannaCry worm. The outbreak was halted within a day when a researcher registered the worm's kill-switch domain, but not before it had crippled institutions across Europe and Asia.

Preparing for cyberattacks like WannaCry has unfortunately become something every CISO and IT department needs to do. Nobody wants to spend time on it, but it has become necessary: the question is no longer "if" your systems will suffer an attack, but "when." [1]

But imagine if IT were able to coordinate its response during a cyberattack so that the impact of business interruptions was managed. What if IT could keep communicating effectively during an incident so that critical files and infrastructure could be brought back online more quickly?

The goal of this article is to:     

  • Highlight the need for strong communication protocols.

  • Look into what a plan needs to encompass.

  • Examine the components of a strong post-attack plan.

Employ Robust Communication Protocols and Devices

Practically speaking, the threat to data – both personal and corporate – is making the need for secure messaging and other options a priority for many IT professionals who are looking for newer, smarter ways to develop defense plans. [2]

Most companies rely on internal email to communicate in a crisis, even though a cyberattack may take down or compromise the email system itself. Affected organizations also fall back on fax and phone, although those channels are often carried over the same network (VoIP handsets, fax servers) and go down with it.

The platform used during an attack should instead be a secure, robust, cloud-hosted communication service that can be used from a smartphone. Because it is hosted independently of the company's network, it is not knocked out when the company's PC-based communication tools are. It still has to be secured in its own right, though: devices must be enrolled in advance, authentication must be strong, and its accounts should not depend on the corporate directory or single sign-on, which may be unavailable or untrustworthy during the incident.

The solution [for communications during a cyberattack] is to have a critical communications platform entirely independent of the company’s internal network that can be deployed in an emergency, ensuring that the bilateral lines of communication between management and staff remain open.[3]

These prerequisites are exactly what a strong smartphone-based, secure texting platform provides.

While the security of the smartphones themselves must be considered, smartphones are also much easier to keep patched than typical laptops and desktops. Security expert Bruce Schneier noted that organizations sometimes run custom software that breaks when the OS version changes or an update is installed. WannaCry spread through an SMBv1 flaw that Microsoft had patched in March 2017 (MS17-010), two months before the outbreak; many of the organizations hit were still running unpatched or end-of-life Windows systems for exactly these reasons. [4] Smartphones are largely insulated from such dependencies and, with proper update policies in place, can have their security patched far more easily.

Establish a Plan

In this day and age, you should have a plan of action in the event of a cyberattack. If you haven’t thought about what you need to do during an attack, it’s time to take a step back and rethink things. [5]

A cyberattack is, almost by definition, unexpected in its timing, even when a business knows it is a likely target. Given that knowledge, companies need to plan for the unexpected. More importantly, they need to consider how to preserve critical functionality and communications during an attack. Readiness spells the difference between an organization that suffers a major breach with lasting harm and one that recovers quickly with minimal impact.

To be sure, malware protection, network security, password policy, least-privilege user access and monitoring are all important parts of a security program. But those are decisions to make before an attack occurs. Once an attack is under way, companies need an incident response plan that spells out how teams should react and communicate. Indeed, communication is the most important part of any plan.

In the event of an emergency, effective communication is crucial. When IT systems go down, an organization needs to be able to communicate with its employees and coordinate an effective response. The longer this process takes the bigger impact the crisis will have.[6]

The plan for communications during the attack needs to provide for how team members will be notified and updated during the attack. Communications need to focus on: 

  • Roles and responsibilities during the attack.

  • Making sure all employees are informed and alerted.

  • Making sure infected systems are isolated or shut down.

  • Executing the disaster recovery plan.

When executing this plan, teams need a strong incident alert management tool to communicate and ensure action is taken. The incident alert management tool needs to be able to:

  • Enable secure messaging.

  • Handle on-call scheduling for individuals and groups.

  • Provide message escalations. If the individual contacted is not available, the message should escalate to the next individual on the schedule.

  • Enable attachment of voice messages and images.

  • Create persistent alerting to ensure critical messages get read.
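The escalation and persistent-alerting behaviour described in the list above can be written down precisely. The following Go program is an added example, not code from the original article or from any particular alerting product: it models an ordered on-call schedule, re-pages each responder at a fixed interval until they acknowledge, and escalates to the next person when the acknowledgement window expires. Responder names, contact strings, the five-minute window and the acknowledgement times are constructed sample data, and the schedule is kept as a simple offset-based simulation so it runs offline without a real clock.

```go
package main

import (
	"fmt"
	"time"
)

// Responder is one entry on the incident on-call schedule (constructed sample data).
type Responder struct {
	Name    string
	Contact string // phone number or app user ID the alert is delivered to
}

// Page records one delivery attempt of the alert: when, to whom, and which attempt.
type Page struct {
	At        time.Duration // offset from the moment the alert was raised
	Responder string
	Attempt   int
}

// Ack records a responder acknowledging the alert at a given offset.
type Ack struct {
	Responder string
	At        time.Duration
}

// Escalate walks the schedule in order. Each responder is paged immediately and
// re-paged every `repeat` (persistent alerting) until they acknowledge or their
// `window` expires; on expiry the alert escalates to the next responder. It returns
// every page issued and the name of whoever acknowledged ("" if the chain ran out).
func Escalate(schedule []Responder, window, repeat time.Duration, acks []Ack) ([]Page, string) {
	if repeat <= 0 || repeat > window {
		repeat = window // one page per responder; never spin on a zero interval
	}
	var pages []Page
	start := time.Duration(0)
	for _, r := range schedule {
		deadline := start + window
		ackAt, acked := ackWithin(acks, r.Name, start, deadline)
		attempt := 0
		// Keep paging until the window closes or the responder has acknowledged.
		for t := start; t < deadline && (!acked || t < ackAt); t += repeat {
			attempt++
			pages = append(pages, Page{At: t, Responder: r.Name, Attempt: attempt})
		}
		if acked {
			return pages, r.Name
		}
		start = deadline // nobody answered: escalate to the next responder
	}
	return pages, ""
}

// ackWithin returns the earliest acknowledgement by `name` after the first page
// at `from` and before the window closes at `until`.
func ackWithin(acks []Ack, name string, from, until time.Duration) (time.Duration, bool) {
	var best time.Duration
	found := false
	for _, a := range acks {
		if a.Responder != name || a.At <= from || a.At >= until {
			continue
		}
		if !found || a.At < best {
			best, found = a.At, true
		}
	}
	return best, found
}

func main() {
	schedule := []Responder{
		{"Alice", "+1-555-0100"}, {"Bob", "+1-555-0101"}, {"Carol", "+1-555-0102"},
	}
	// Constructed scenario: Alice never answers; Bob acknowledges eight minutes in.
	acks := []Ack{{Responder: "Bob", At: 8 * time.Minute}}
	pages, who := Escalate(schedule, 5*time.Minute, 2*time.Minute, acks)
	for _, p := range pages {
		fmt.Printf("t+%-5v page %s (attempt %d)\n", p.At, p.Responder, p.Attempt)
	}
	fmt.Println("acknowledged by:", who)
}
```

With a five-minute window and a two-minute repeat, Alice is paged at 0, 2 and 4 minutes, the alert escalates to Bob at 5 minutes, and Bob is paged twice before his acknowledgement at 8 minutes stops the chain; Carol is never disturbed. Acknowledgements are matched only within a responder's own window, so a late acknowledgement from someone whose window has already expired does not silence an alert that has moved on.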

Messages on such a platform should be encrypted end to end, so that they are readable only by the sender and the intended recipient and not by the platform operator or anyone on the path between them. Encryption only in transit to the provider does not give that guarantee. With end-to-end encryption, the confidentiality of the message remains intact at all times.
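The following Go program is an added example of the end-to-end property just described; it is not code from the original article or from any commercial messaging product. Each responder's device holds an X25519 key pair, the sender derives a pairwise AES-256-GCM key from its private key and the recipient's public key, and the relay (standing in for the cloud service) only ever sees ciphertext. The identity names, the alert ID used as associated data and the message text are constructed sample data; SHA-256 over the shared secret is used as the key-derivation step to keep the example standard-library-only, where a production design would use HKDF and a ratchet for forward secrecy.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is a long-term X25519 key pair held on one responder's device.
// The private half never leaves the device; only the public half is published.
type Identity struct{ priv *ecdh.PrivateKey }

// NewIdentity generates a fresh device key pair.
func NewIdentity() (*Identity, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{priv: priv}, nil
}

// Public returns the 32-byte public key that goes into the user directory.
func (id *Identity) Public() []byte { return id.priv.PublicKey().Bytes() }

// aead derives the pairwise AES-256-GCM key from the X25519 shared secret.
// SHA-256 stands in for a proper KDF (HKDF) so the example stays stdlib-only.
func (id *Identity) aead(peerPub []byte) (cipher.AEAD, error) {
	peer, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := id.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body so that only the holder of recipientPub can read it. aad
// (for example the alert ID) is authenticated but sent in the clear, which lets
// the relay route the message without reading it. Output is nonce || ciphertext.
func (id *Identity) Seal(recipientPub, aad, body []byte) ([]byte, error) {
	gcm, err := id.aead(recipientPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, aad), nil
}

// Open decrypts a message from senderPub; it fails if the ciphertext, nonce or
// aad were altered, or if the opener is not the party the message was sealed for.
func (id *Identity) Open(senderPub, aad, sealed []byte) ([]byte, error) {
	gcm, err := id.aead(senderPub)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed message too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func main() {
	alice, _ := NewIdentity()
	bob, _ := NewIdentity()
	relay, _ := NewIdentity() // the cloud service that stores and forwards messages
	aad := []byte("alert-42") // constructed alert ID, visible to the relay for routing
	msg := []byte("SMB worm on the finance VLAN: pull the uplink, do not reboot.")

	sealed, _ := alice.Seal(bob.Public(), aad, msg)
	got, err := bob.Open(alice.Public(), aad, sealed)
	fmt.Println("recipient reads it:", err == nil && bytes.Equal(got, msg))

	_, err = relay.Open(alice.Public(), aad, sealed)
	fmt.Println("relay can read it:", err == nil)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 1
	_, err = bob.Open(alice.Public(), aad, tampered)
	fmt.Println("tampered copy accepted:", err == nil)
}
```

The relay holds its own key pair but not Bob's, so the shared secret it derives is different and GCM's authentication tag rejects the decryption; the same check rejects a single flipped ciphertext byte or a message replayed under a different alert ID. Two caveats a deployment has to address beyond this sketch: a static-static Diffie-Hellman key gives no forward secrecy if a device key is later stolen, and random 96-bit GCM nonces should be replaced by a counter or a rekeying scheme before the same pairwise key carries a very large number of messages.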

Post Attack Plan

To keep a cyberattack from recurring, you have to understand how it happened. The best way to do that is to run a post-mortem review [7].

A post-mortem analysis should be part of your incident response plan. Teams should schedule it as soon after the incident as possible, while memories of what happened and what actions were taken are still fresh.

A security incident can be a galvanizing event that provides the momentum to improve incident response plans, fix flaws in your processes, and harden your defenses against a community of cyber criminals who are constantly refining their skills and techniques. By having a post-mortem, businesses can translate that energy into a positive working plan to protect against future attacks.

After the attack, the team needs to make a concerted effort to establish what went right and what must change. Answering those questions improves the team's security and communication practices and increases its resilience. Another attack is always around the corner, but it does not have to overwhelm the business and shut it down.


Cybersecurity incidents are a persistent menace. Businesses need to consider incident response plans that address the possibility of degraded operation while also considering how to achieve an efficient restoration and recovery. Clearly, maintaining strong communications during the course of a cyberattack is an important part of returning to business as normal.  To achieve this goal, businesses are best served by employing encrypted cloud-based communications.


Opinions expressed by DZone contributors are their own.
