Norwegian Businesses Advised on Cyberattack Response

Norwegian businesses facing cyberattacks are urged to take immediate action to limit damage and prevent further disruptions. The provided advice, crafted by law enforcement officers experienced in cybercrime investigations and informed by the National Security Authority (NSM), aims to guide businesses in responding effectively. However, it’s emphasized that professional incident management firms should be consulted for comprehensive guidance.

Key Recommendations:

  1. Assessment: Gain a clear understanding of the situation by identifying affected computers/devices, systems, and user accounts. Review logs and user accounts to detect anomalies, especially from users with elevated operational privileges.
  2. Damage Control: Consider disconnecting or shutting down affected systems, isolating networks to contain malware spread, and preventing attackers from accessing other parts of the system. Enforce a mandatory password change for all user accounts. Limit the number of accounts authorized to execute software. Disable outdated login options. Evaluate insider threat possibilities. If feasible, restrict external access to company systems. If not, monitor all incoming external traffic and block traffic from non-essential countries. Monitoring outbound traffic can reveal data leaks.
  3. Notification: Inform all affected parties internally and externally. Disseminate accurate information swiftly to ensure everyone has the necessary details. Follow guidelines for notification from the “Emergency Poster for Digital Attacks,” available on the website of the Norwegian Council for Security in Business. Additional guidance for handling and recovery can also be found there.
  4. Backup: Safeguard an offline copy of existing backups, especially if stored in the cloud or accessible through compromised systems. Bear in mind that the latest backup might be compromised, so consider securing an older version. During recovery, utilize backups that are certain to be uncompromised. Employ an updated malware scanner that can detect the specific threat your business is facing.
  5. Secure Evidence: If possible, preserve all accessible information about the cyberattack, including logs and other data that sheds light on the incident. This data assists in implementing improvements and security measures afterward. Such information is vital if the business wishes for law enforcement to investigate the cyberattack.
  6. Mitigate Future Risk: Identify the attacker’s entry point and any system vulnerabilities to prevent future cyberattacks. Enhance security by implementing two-factor authentication and ensuring infrastructure and software are up to date.
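
One way to carry out step 5 (Secure Evidence), shown as an added example that is not part of the original advice: copy the logs into a fresh evidence directory and record a hash of each copy so later changes can be detected. The SHA-256 manifest, the `MANIFEST.json` file name and the function names are assumptions; the guidance itself does not prescribe a method.

```python
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash in chunks so large logs or disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(sources, evidence_dir, collector):
    """Copy each file into a new evidence directory and write a hash manifest."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=False)  # refuse to mix two collections
    files = []
    for index, src in enumerate(Path(s) for s in sources):
        dest = evidence_dir / f"{index:04d}_{src.name}"  # prefix avoids name clashes
        shutil.copy2(src, dest)  # copy2 keeps the original modification time
        dest.chmod(0o444)  # read-only guards against accidental edits
        files.append({
            "original_path": str(src.resolve()),
            "stored_as": dest.name,
            "size_bytes": dest.stat().st_size,
            # Hash the copy, not the source: a live log may keep growing.
            "sha256": sha256_file(dest),
        })
    manifest = evidence_dir / "MANIFEST.json"
    manifest.write_text(json.dumps({
        "collected_by": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }, indent=2))
    return manifest


def verify(manifest):
    """Return stored files that are missing or no longer match the manifest."""
    manifest = Path(manifest)
    recorded = json.loads(manifest.read_text())["files"]
    return [f["stored_as"] for f in recorded
            if not (manifest.parent / f["stored_as"]).is_file()
            or sha256_file(manifest.parent / f["stored_as"]) != f["sha256"]]
```

Write the evidence directory to media that the affected systems cannot reach, and keep a second copy of the manifest apart from the files it describes.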

Businesses are encouraged to treat cybersecurity as a top priority and seek expert help in responding to and recovering from cyberattacks to safeguard sensitive information and maintain operations.