Ransomware and Cyber DEFCON: How to prevent cyber attacks and guarantee corporate operativity

The ransomware which paralyzed Italy’s Lazio region highlights once again the key nature of all Cybersecurity strategies: it is not a case of if, but when you will suffer a cyber-attack, whether you operate in the public or corporate sphere.

The immediate effect of this specific attack was to knock a series of essential services for residents offline, including the Covid-19 vaccination management service. But that was not all: by encrypting the data relating to vaccinations, the attack also compromised their integrity.

In this heated period of exhausting work, the institutions immediately set in motion numerous investigations to try to understand how this attack could have happened, in order to determine its causes, the perpetrators, anyone behind them, and the ultimate goals or reasons for it. But above all how to prevent episodes of this type and to determine the steps required to restart the compromised services in the shortest possible timeframe.

Preventive actions and a structured Cyber Event Recovery process in the event of an attack in order to guarantee high levels of Business Resiliency and restore institutions’ operations following a ransomware attack are now essential.

The questions asked by everyone today relate to Prevention, Disaster Recovery and Business Continuity:

• If it had happened to our company, would we have been able to prevent this attack?
• How would we have coped in managing this situation?
• Are there other elements from the investigations carried out by the Lazio region available to us to allow for preventive checks to be performed on our infrastructure?

Fully aware of the importance of preventive actions, Lutech has developed a model for dealing with hacker, ransomware and malware attacks.

“Cyber DEFCON” is the name of the process we have created in order to allow us to adopt and assume a defined level of defense preparedness at the time of such attacks, putting in place extraordinary protections and compensatory measures particularly suited to controlling and preventing a disastrous situation like the one described above.

How to structure a complete Cyber Resilience plan, incorporating prevention, protection, monitoring, and recovery processes?

Within the process, which is in any case tailored to the client, some of the possible measures we can implement depending on the Cyber DEFCON level are as follows:

• Analysis of the IT functional reporting and business processes
• Drafting of emergency intervention plans (incident/data breach management, Disaster Recovery)
• Creation of a multi-disciplinary crisis management team
• Reviewing of the incident and data breach management procedures with the team members so that personnel are ready to follow a defined process
• Implementing rapid intervention measures such as:
  • Forcing password changes for ADS with strategic roles even if this is before the expiry date mandated by policy (Firewall, AD, IDS/IPS, SIEM)
  • Adoption of more secure ADS passwords for specific systems
  • Impromptu backups of the most critical systems outside of schedules
  • Analysis of the results of the VAPT or vulnerability search scans to assess the critical patches which cannot be installed, what compensation measures exist and how a potential workaround can be implemented etc.
  • AV scans on critical servers
• Supporting the company with external communications
• Full support from a forensic and legal standpoint (for example as regards notifying the data protection authority etc.)

Lutech’s Advisory services provide consultancy and support to clients in all phases of the prevention and operations recovery management processes following crises and disasters caused by cyber attacks.