Norway: Guidance for Businesses Facing Cyberattacks

In the event of a cyberattack, immediate actions must be taken to limit damage and prevent further operational disruptions.

The advice provided in the attached document has been crafted by law enforcement personnel from the Oslo Police District with experience in investigating cybercrime. It also draws on information from the National Security Authority (NSM). However, please note that this advice does not replace guidance from a professional incident management company specializing in cybersecurity.


Additionally, the Business Security Council has prepared an emergency poster for reference.

Remember, cybersecurity is a shared responsibility, and being prepared is the first line of defense.

In the face of a cyberattack, swift action is imperative to minimize damage and prevent further operational disruptions. The following guidance, formulated by law enforcement personnel with experience in cybercrime investigations and in consultation with the National Security Authority (NSM), aims to assist you. Please note that while these recommendations are valuable, they do not replace advice from professional incident management companies specializing in cybersecurity.

1. Assessment

Gain a comprehensive understanding of the situation. Identify affected computers/devices, systems, and user accounts. Review logs and user accounts for irregularities and changes made by the attacker, paying particular attention to accounts with elevated operational privileges.

2. Damage Mitigation

Consider disconnecting or shutting down affected systems and isolating networks to halt the spread of malware and prevent the attacker from gaining further access to other parts of the system. Implement mandatory password changes for all user accounts. Limit the number of user accounts with the ability to execute software. Disable outdated login methods. Assess the risk of insider threats. If feasible, restrict external access to your organization’s data systems. If that is not possible, monitor all incoming external traffic and block traffic from countries your organization has no need to communicate with. Monitoring outgoing traffic can also reveal potential data exfiltration.

3. Notification

Inform all relevant parties internally and externally. Ensuring that everyone affected receives accurate information promptly is crucial. Follow the notification guidelines outlined in the “Emergency Poster for Digital Attacks,” available on the Business Security Council’s website. The website also provides further advice on handling and recovery.

4. Data Backups

Secure an offline copy of existing backups if they are stored in the cloud or accessible through the compromised system. Note that the latest backup may be compromised, so consider securing an older one. During the restoration process, only use backups that are known to be uncompromised. Employ an updated malware scanner capable of detecting the specific malware affecting your organization.

5. Preserve Logs/Evidence

If possible, retain all available information related to the cyberattack, including logs and other data that can shed light on what transpired. This information is crucial if your organization wishes to involve the police in investigating the cyberattack.
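One way to retain logs so that later changes to them can be detected, shown as an added example that is not part of the original guidance: the script copies log files into an evidence folder and records a SHA-256 manifest for later verification. The function names, folder layout and manifest format are assumptions made for this illustration.

```python
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(source_dir: Path, evidence_dir: Path) -> Path:
    """Copy every file under source_dir and write manifest.json beside the copies."""
    files_dir = evidence_dir / "files"  # assumed layout: evidence_dir/files/<relative path>
    entries = []
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir)
        dst = files_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        entries.append({
            "path": rel.as_posix(),
            "size": dst.stat().st_size,
            "mtime_utc": datetime.fromtimestamp(src.stat().st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_file(dst),
        })
    manifest = evidence_dir / "manifest.json"
    manifest.write_text(json.dumps({
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "source": str(source_dir),
        "files": entries,
    }, indent=2))
    return manifest


def verify(evidence_dir: Path) -> list:
    """Return the relative paths that are missing or no longer match the manifest."""
    data = json.loads((evidence_dir / "manifest.json").read_text())
    bad = []
    for entry in data["files"]:
        copy = evidence_dir / "files" / entry["path"]
        if not copy.is_file() or sha256_file(copy) != entry["sha256"]:
            bad.append(entry["path"])
    return bad
```

Keep a copy of `manifest.json` on separate, write-protected media so that the manifest itself cannot be altered unnoticed, and write the evidence folder to storage that is not reachable from the compromised system.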

6. Reduce the Risk of Future Attacks

Identify the attacker’s entry points and any weaknesses/vulnerabilities in your organization’s data systems. Address these issues to prevent future cyberattacks. Implement two-factor authentication. Maintain up-to-date infrastructure and software.

Remember that cybersecurity is a shared responsibility, and being prepared is your primary line of defense against cyber threats.