What happens when a cyber crisis breaks out?

Article written by Amine Baba Aissa for Numerama.

What happens when a cyber crisis breaks out?

We had the opportunity to experience a major cyber crisis from the inside, at least in simulation, in conditions close to reality. A training method inspired by military strategies, increasingly adopted in the world of cybersecurity, all the way to the Ministry of the Armed Forces.

Esplanade de la Défense, Cyber Campus, 13th floor. Standing on the stage of the Skylounge, Stéphanie Ledoux, founder of Alcyconie, an agency specializing in crisis management, explains what awaits the participants in the next hour and a half.

In front of her, IT managers from large groups, SME managers and employees who have come to train in cyber crisis management. The panel, overwhelmingly male, is studious and attentive to this life-size scenario.

We must quickly ignore the beautiful July sun that floods the bay windows of the towers of La Défense: the fictitious electricity transmission company that employs them is at the heart of a major cyber crisis. Two critical software programs are no longer responding.

As in a game of Werewolf, the roles are assigned at random. ” I’m a little stressed, I’m not technical and I find myself CISO ,” confides a participant in the group that will make up the SME group.

Scattered in other corners of the room, two other groups of about ten people meet around round tables. They are made up of employees of large French groups, sometimes from very strategic sectors, such as transport. This time, it is information systems security managers (CISOs) who take on the role of communications director or HR director for a little less than two hours. The same scenario is distributed to the three teams. Silence quickly fell.

Entering the crisis, adopting the right reflexes

The first few minutes are those of the introductions. The majority of the participants do not know each other or know very little. One of the teams made up of large companies begins with a round table where each one announces the role they will have to play in the crisis. ” It may seem academic, but it’s very important at the beginning of a crisis, especially cyber, to remind everyone of their field of action. Even in companies where people know each other. It allows us to organize ourselves and it creates a tipping point: we are entering the crisis ,” says Stéphanie Ledoux, who has 10 years of experience in crisis management in critical sectors.

A few meters away, notifications are pouring in on the PIA platform, Alcyconie’s simulation tool that reproduces real-world communication tools. On the social networks “Y” and “Instgrum”, the hashtag #panne is gaining momentum. ” Someone else has a power cut in the area of Toulouse South?” asks @Kim_b365, already 19 retweets.

“Someone else has a power cut in the area of Toulouse South?”

All over France, fictitious users report power cuts in entire neighborhoods and the company’s account is mentioned publicly. The phones also start ringing. On the other end of the line? Alcyconie’s hosts who play in turn a journalist, a worried business partner or a computer scientist trying to solve the problem.
” The pollution of attention is multiplied in crisis. It’s important to train to have good reflexes. They are deliberately overwhelmed with notifications and calls. (…) One of the worst mistakes would be to put the phone on speaker,” explains Anaïs Fauré, team leader at Alcyconie. Knowing how to separate tasks, manage your scope of action and not disturb your partners around the table is essential. The exercise focuses on decision-making roles, each with different priorities.

A good student, the CISO of one of the groups leaves the room to take the call from his technical teams while the noise level starts to rise in the next room. The diagnosis was made: it was ransomware from the Medusa group. What to do and where to start? Relaunch operations? Check backups? Notify the CNIL? The ANSSI? Communicate?

Acting quickly, under the eye of the new European Directives

As in reality, each role tries to influence decisions according to its responsibilities. The operational side is pushing for a rapid restart of the software, while the legal department is worried about the consequences. What data was stolen? Why can’t I generate invoices? We even hear that consumers have been directly contacted by the hackers, who threaten to disclose their personal information if they refuse to send them the equivalent of 150 euros in bitcoins.

The aim of the exercise? To get out of this situation as best as possible, but also to train in the new European directives that will soon govern cyber crisis management.

The new NIS2 directive, which covers more than 18 sectors of activity (compared to 6 for NIS 1), is already in force in France, and the companies concerned have until the end of 2027 to comply. Among the new obligations: to notify the ANSSI within 24 hours of the discovery of the incident, or to quickly inform the people concerned about the nature of the incident, its potential consequences and the measures taken.

” We decided not to communicate at all ,” confided a participant who was not very NIS2-friendly. It’s not easy to find solutions in less than two hours. A real cyber crisis can last several months, and the format of the day is particular. ” Often, the workshops last at least 3-4 hours or even up to a whole week ,” says Stéphanie Ledoux.

No one has really reached the end of the incident, but it is already time for the three groups to take stock. Some are pleased to have identified the source of the leak, others to have kept the incident log, so valuable when it comes to presenting the management of the incident to the authorities or insurance companies.

Different strategies and methods have emerged, but all groups agree on one thing: not to pay the ransom. “ We didn’t even try to get in touch with the hackers. It would be a first step towards them that should not be taken ,” said one participant. The last feedback on the stage, an employee of a large CAC 40 group welcomes the initiative: ” It can’t be improvised, it’s training “. Anaïs Fauré takes the microphone to conclude: