Learning from the Log4j threat to prepare for the next crisis?

How to be prepared for business vulnerabilities 

Now it's the Log4j vulnerability, next month it might be something completely different. Forewarned is forearmed. With the right information, your response to even the most drastic crisis such as a ransomware attack, can help you weather the storm, recover and emerge stronger.

Therefore, the question arises: what can you do to prepare? In this blog we provide you with an overview from a crisis organisation perspective:

1. Understand the business impact of a vulnerability

Often there is a disconnect between the business and IT of the organisation. In the situation of the Log4j vulnerability, IT should for instance worry about:

• Being aware of the infrastructure and potential attack surface
• Patching the affected software and appliances if possible.
• Limiting external access to appliances/servers where feasible. Moving these devices to a separate VLAN or other segregated network is a good start.
• Monitoring for malicious traffic or anomalous events across the impacted appliances/servers.
• Identifying threat actor post-exploitation behaviour.
• If the service is not mission critical consider shutting it down until the above recommendations can be put in place. 

As the Board however, you don't need to understand all the technical details of Log4j vulnerabilities and other vulnerabilities alike. What you do need is to understand the business impact that such a vulnerability can have, because it is not 'just an IT-party'. Herewith it is of utmost importance that you have highly skilled security professionals that you can trust during a cyber crisis and that are able to digest and communicate the threat.

2. Have a solid, but moreover resilient crisis management organisation, including:

• Clear roles and responsibilities
  Clear roles and responsibilities are crucial during a crisis. This means that a crisis team should be appointed, based on the right set of skills and capabilities. Not for every type of crisis an IT/security representative is needed, but be ready to have a seat at the table for this person in case the crisis is IT/security related.
  Also, be ready to have a 'devil's advocate' at the crisis response team table. This is someone who challenges the decisions that are being made, because a brain under stress might take shortcuts, focusing on the short term, resulting in bad decisions. Are you really going to pay for the ransom? 
• Back-up team
  From a technical point of view, it's important to have back-ups of your data and software. But this line is not about data, but about back-up crisis management team members. A crisis may take up several days to even weeks. No normal human being can make the right decisions after being on a stressful 12-hour shift. Therefore, make sure you have a back-up team in place that can take-over.
• Have your plans and procedures ready
  Although a crisis will always go beyond the expected, plans and procedures can serve as a solid baseline that guide you through the crisis. Have your working procedures ready, including a clear crisis definition as well as processes including aspects such as how to activate a crisis response team (in case email communication or other communication platforms are not available) and communication templates.
• Train your team & simulate
  It is crucial to have a well-trained team. With learning how to drive a car, you don't drive safely after just studying the theory book. The same applies to crisis management practices. Therefore it is important to periodically train the crisis management team, as well as simulating in order to rehearse quality-decision making in pressured situations as well as learning about team dynamics.

3. The golden hour - the moment when there is still room for maneuver

In case a ransomware crisis (or any other crisis) strikes, the golden hour is the time that organisations need to alert their key people and gather key facts about the crisis. It is crucial to take a moment to organise your crisis management team, before rushing into actions and making unfounded decisions. Yes, there is no time to lose in a situation such as a ransomware attack, but getting yourself organised serves as the fundament for further response procedures.

4. Act according to your organisation's values

When making decisions during a crisis, validate them according to your organisation's values. Is one of your organisation's values 'teamwork'? Consider if you have taken into consideration the critical, but worthy comment of your security engineer. When acting according to your values, you can always explain why you made certain decisions when challenged afterwards. 

5. Long term vision

Especially in a leadership position, keep in mind the long term vision of your organisation and how short term decisions can impact your long term position. Your team will better understand the why of your plan as integral to your organisational vision and purpose. 

In today's interconnected landscape threats such as the Log4j vulnerability will continue to  occur. Being prepared for the consequences and potential crisis such threats may cause, nevertheless makes you and your organisation resilient.