Professional Documents
Culture Documents
24/2022
Traficom publications 24/2022
Contents
1 Introduction ....................................................................................................... 2
1.1 Purpose of the instructions .......................................................................... 2
1.2 What does a data breach mean? .................................................................. 2
2 Preparation......................................................................................................... 3
2.1 Administrative measures ............................................................................ 3
2.2 Technical measures .................................................................................... 4
3 Detecting an information security breach ........................................................... 5
4 Instructions ........................................................................................................ 6
4.1 Workflow of an information security breach investigation ................................ 6
4.2 Immediate measures ................................................................................. 8
4.3 Investigating an information security breach ................................................10
4.4 Recovery .................................................................................................12
5 Post-incident review of an information security breach .................................... 14
1
Traficom publications 24/2022
1 Introduction
1.1 Purpose of the instructions
The purpose of these instructions drawn up by the National Cyber Security Centre Finland of
the Finnish Transport and Communications Agency Traficom is to offer advice to organisations
in situations in which it is suspected that there has been a data breach. The instructions are
focused on how to deal with the special characteristics of this type of information security inci-
dent. In order to resolve the situation completely, the organisation should maintain the inci-
dent response plan it has drawn up in case of information security incidents and follow it.
These instructions offer guidance on a general level on how to act in case of an information se-
curity breach and recover from it. It is recommended that the organisation draw up a separate
guide for its own use that takes its technological and operational environment into account in
more detail. The project is funded by the National Emergency Supply Agency.
Data breaches cause a loss of reputation and financial losses to the targeted organisation. In
addition, the normal operation of the organisation may be interrupted for a long time due to
repairs or reinstalling the environment. Data breaches are also used for invoice fraud (business
email compromise), in which case the financial losses may be significant. Unlike in typical
cases of CEO fraud, if an organisation has become the victim of a data breach, a forged invoice
can be sent from within the organisation, which makes it more likely to be approved.
Sometimes a data breach may be exploited a long time after the intrusion occurred. In that
case, the organisation may no longer have log data from the time of the intrusion available,
which makes investigating the incident considerably more difficult.
2
Traficom publications 24/2022
2 Preparation
Preparing for security incidents is a key method of reducing their severity and making it possi-
ble to recover quickly and continue the business. Organisations can assess their own readiness
by using the Kybermittari (Cybermeter) cyber security evaluation tool of the National Cyber
Security Centre Finland, for instance. 1 An incident response plan that has been drawn up in ad-
vance is a good starting point for what to do in case of a security incident. The organisation
must also ensure that measures such as locking user IDs, isolating servers and terminal de-
vices from the network and restricting network traffic to harmful IP addresses or domain
names are technically possible and that the personnel have the expertise required to carry
them out.
Gathering, compiling and monitoring log data is important in order to detect incidents in time.
Log data also make it possible to investigate incidents thoroughly, which speeds up the clean-
ing and restoration of the environment, if necessary. The National Cyber Security Centre Fin-
land has drawn up a guide on how to collect and use log data. 2 Depending on the systems
used by the organisation, comprehensive monitoring typically also requires network- and sys-
tem-level solutions in addition to this.
• Train the personnel on how to act during information security breaches such as those de-
scribed in these instructions.
• Find out in advance how you can report an information security breach to the National Cyber
Security Centre Finland. 3 Start monitoring the news by the National Cyber Security Centre
Finland. 4
• Review attack scenarios together with the company’s management and agree on the practical
measures as well as management responsibilities and authority in case of an information
security breach.
• Develop 5 the incident response plan and practice it regularly with tabletop exercises, in which
responsible persons and interest groups practice the information security incident response
process in imaginary scenarios.
• Identify the components critical to the business and create and maintain lists of what needs
to be protected.
• Specify the necessary access rights carefully based on the needs of the users and the tech-
nical functionalities.
• Consider establishing a security operations centre or purchasing a similar service. The pur-
pose of the security operations centre is to monitor the network traffic of your company and
information security events in the systems.
1
https://www.kyberturvallisuuskeskus.fi/en/our-services/situation-awareness-and-network-management/kybermit-
tari-cybermeter
2
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news/instructions-and-guides/collecting-and-using-log-data
3
https://www.kyberturvallisuuskeskus.fi/en/report
4
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news
5
https://www.kyberturvallisuuskeskus.fi/en/our-services/exercises
3
Traficom publications 24/2022
• Test the functioning of the backups regularly and practice restoring the backups of at least
the critical systems.
• Take advantage of network segmentation, data encryption and access control to ensure that
the attack surface of your company and the amount of material exposed to an attack at the
same time are as small as possible.
• Aim to detect attacks as early as possible by using different kinds of centralised monitoring
solutions and make sure that their functionality is also tested regularly.
• Install anti-malware software (Endpoint Detection and Response, EDR) on terminal devices
that can be used to restrict the running of programs, investigate suspected information se-
curity breaches and isolate the computer from the network, if necessary.
• Implement mechanisms for filtering out emails that contain harmful content, spam and un-
wanted network traffic.
4
Traficom publications 24/2022
• Unexpected measures have been taken in the system, and none of the employees admit to
carrying them out.
• The organisation is notified about the attack by a party outside the organisation via social
media, customers, partners or the authorities, for example.
• A serious vulnerability is found in the system, and when it is corrected, it is discovered that
the vulnerability has already been exploited.
Report the information security breach to the National Cyber Security Centre Finland.6 We ad-
vise you confidentially and free of charge on how to limit the damage, analyse the incident and
take recovery measures. At the same time, you support the national information security situ-
ation awareness and make it possible to help and warn other potential victims.
See the guide on how to detect data breaches by the National Cyber Security Centre Finland
(in Finnish). 7
6
https://www.kyberturvallisuuskeskus.fi/en/report
7
https://www.kyberturvallisuuskeskus.fi/fi/julkaisut/opas-tietomurtojen-havaitsemiseen
5
Traficom publications 24/2022
4 Instructions
Use the attached checklist to find measures to help you if you suspect that you have become a
victim of a data breach. The checklist helps organisations to prioritise and use a phased ap-
proach when investigating information security incidents.
The gathering of potential evidence should also be documented carefully. You should record
who gathered the data, what it was, and when and how it was gathered. A carefully drawn up
event log makes the investigation as well as the cooperation with the police and information
security investigators significantly easier.
6
Traficom publications 24/2022
7
Traficom publications 24/2022
8
Traficom publications 24/2022
8
https://dfir.fi/
https://www.fisc.fi/fi/about-us
https://www.hansel.fi/yhteishankinnat/tiedonhallinnan-ja-digiturvallisuuden-asiantuntija/ (in Finnish)
9
https://poliisi.fi/en/report-a-crime
10
https://www.kyberturvallisuuskeskus.fi/en/report
11
https://www.kyberturvallisuuskeskus.fi/en/services/report-security-incident-nis-notification-obligation
9
Traficom publications 24/2022
Identify harmful activity and Identification information is collected to The identification information gath-
collect identification infor- make it possible to map how widely the ered includes, among other things,
mation infection has spread to devices and how the time when the incident occurred,
the stolen access rights have been when a login to the server occurred,
used. or when a certain command was run
on the server.
Once attackers have gained a foothold,
they may use different kinds of attack The malware often communicates
methods. In fact, identification infor- with the attacker’s command and
mation should be collected extensively control server. By studying the net-
and signs of their use should be studied work traffic of infected devices or
carefully to ensure that the cleaning of domain name resolution (DNS logs),
the environment can be done reliably. the source IP addresses or domain
names used by the attacker can be
Recovery can only start after the at- identified.
tacker has been removed from the en-
vironments. When harmful files are identified,
their hashes (MD5/SHA256) can be
extracted and used to identify harm-
ful files on other devices, too.
10
Traficom publications 24/2022
12
https://www.kyberturvallisuuskeskus.fi/en/news/transmitting-e-mail-and-sending-samples-national-cyber-security-
centre-finland
11
Traficom publications 24/2022
4.4 Recovery
Goals of Start the recovery from the systems that are the most critical to the business. The organisation
the phase should aim to restore the business back to normal as quickly as possible, but only after the recovery
can be carried out safely.
Phase Purpose Measures
Restore the infected systems The aim is to restore the systems Restore the systems from backups.
from backups and return them to normal opera- Also take account of the risk that
tion. Restoring the systems should previous daily (incremental) backups
be done as safely as possible to en- may already have been infected.
sure that the attacker cannot get When restoring old backups, keep in
back into the system. mind that the backup may include
the vulnerabilities that the attacker
used in the attack. You can try to
prevent the risk by restoring the
systems without a network connec-
tion and updating the operating sys-
tem and its applications before con-
necting to the network.
12
Traficom publications 24/2022
Restore the infected records If it is suspected that the attacker Take advantage of the database and
has edited the contents of the data- interface logs to determine if the at-
base, the database must be restored tacker has edited records. If the ac-
from a backup copy to invalidate the curacy of the logs is not sufficient
attacker’s changes, if cleaning the for cleaning up the changes, restore
data is not possible. the data in the database from the
latest safe backup.
13
Traficom publications 24/2022
During the post-incident review, the activities during the crisis are studied: what measures
were done well, what could have been done better, and how the plans and the security level
could be improved. A report should be drawn up on the post-incident review that examines at
least the following questions in addition to the course of the events:
What was the reaction to the alarms like? Was the information about alarms trans-
mitted to the right responsible persons?
Were the responsibilities of the crisis management team assigned to the right people?
How successful was limiting the scope of the attack and removing the attacker?
How successful were the communications of the crisis management team? How were
the interest groups taken into account?
Recovery:
Post-incident review:
Have the course of events and the investigation work been documented?
Was the technical investigation of the incident sufficient? Has it been possible to sub-
mit sufficient data on the attack for the use of the authorities, for example?
Evaluate the actions of the service providers. Were the response time and the services
that were agreed upon sufficient for the investigation of the incident?
The organisation should update its own incident response plan and more detailed playbooks
designed for combating different types of security incidents after the fact. Practicing different
scenarios at regular intervals is also recommended to ensure that you can benefit from them in
crisis situations.
The National Cyber Security Centre Finland hopes that the companies and organisations share
the most important lessons they have learned from the incident with the Centre, too. With inci-
dent reports, the National Cyber Security Centre Finland can help other organisations in Fin-
land as well as internationally to investigate similar cases. The lessons learned from recovery
help with developing the preparedness of all organisations.
14
Finnish Transport and Communications Agency
Traficom
National Cyber Security Centre Finland
PO Box 320, FI-00059 TRAFICOM
tel. +358 29 534 5000
kyberturvallisuuskeskus.fi
ISBN 978-952-311-816-4
Instructions –
Denial-of-service attack
25/2022
Traficom publications 25/2022
Contents
1 Introduction ....................................................................................................... 2
1.1 Purpose of the instructions .......................................................................... 2
1.2 What does a denial-of-service attack mean? ................................................. 2
2 Preparation......................................................................................................... 3
2.1 Administrative measures ............................................................................ 3
2.2 Technical measures .................................................................................... 4
2.3 Preparation and training in practice .............................................................. 4
3 Detecting an information security breach ........................................................... 5
4 Instructions ........................................................................................................ 6
4.1 Workflow of an information security breach investigation ................................ 6
4.2 Immediate measures ................................................................................. 8
4.3 Investigating an information security breach ................................................10
4.4 Recovery .................................................................................................11
5 Post-incident review of an information security breach .................................... 12
1
Traficom publications 25/2022
1 Introduction
1.1 Purpose of the instructions
The purpose of these instructions drawn up by the National Cyber Security Centre Finland of
the Finnish Transport and Communications Agency Traficom is to offer advice to organisations
in situations in which it is suspected that a denial-of-service attack has occurred or a denial-of-
service attack prevents normal operations. The instructions are focused on how to deal with
the special characteristics of this type of information security incident. In order to resolve the
situation completely, the organisation should maintain the incident response plan it has drawn
up in case of information security incidents and follow it.
These instructions offer guidance on a general level on how to act in case of an information se-
curity breach and recover from it. It is recommended that the organisation should draw up a
separate guide for its own use that takes its technological and operational environment into
account in more detail. The project is funded by the National Emergency Supply Agency.
Denial-of-service attacks are usually carried out by overloading the target purely due to a large
traffic volume, or alternatively by sending the kind of traffic that makes the target device use
more memory or computing resources to handle the traffic than normal, in which case the vol-
ume of traffic does not need to be especially high. Attacks of this type may not cause abnor-
mal growth in the amount of traffic.
In application layer denial-of-service attacks, the target may be, for instance, a database run-
ning behind the application that is overloaded by sending large amounts of queries via the ap-
plication itself.
Today, a denial-of-service attack does not require any great technical expertise, because such
an attack can be purchased affordably as a service over the darknet, for example. Attacks are
often used for blackmail, bullying or political harassment (so-called hacktivism), in which case
the attack is usually ordered and carried out by different parties.
There are many different ways to execute the attack, but all of them have the same end re-
sult. One classic method involves the use of distributed TCP SYN flood attacks, in which a bot-
net sends large numbers of TCP SYN packages to the target while failing to send ACK pack-
ages. This leads to a situation in which the target’s TCP stack fills up with incomplete TCP
handshakes, and neither the server nor the device can accept any more new handshake re-
quests. In preparing for an attack, you should focus on combating the most common attack
methods.
2
Traficom publications 25/2022
2 Preparation
Typically, the IT service provider is responsible for correcting any disruptions in telecommuni-
cations, which means that quick recovery from a disruption requires a service level agreement
(SLA) that obliges the service provider to restore the service level quickly.
In case of a denial-of-service attack, a separate agreement for mitigating the effects in case of
an attack may be necessary. The software of the network devices and servers should also be
kept up to date, because some denial-of-service attacks exploit the vulnerabilities of software.
Organisations can assess their own readiness by using the Kybermittari (Cybermeter) cyber
security evaluation tool of the National Cyber Security Centre Finland, for instance. 1 The Na-
tional Cyber Security Centre Finland has also published separate instructions for preventing
and combating denial-of-service attacks in particular (in Finnish). 2
• Train the personnel on how to act during security incidents such as the ones described in the
playbook.
- Also offer basic training for regular employees, advising them on how to act if a denial-
of-service attack cripples the services of the company.
• Find out in advance how you can report an information security breach to the National Cyber
Security Centre Finland. 3 Start monitoring the news by the National Cyber Security Centre
Finland. 4
• Review attack scenarios together with the company’s management and agree on the practical
measures as well as management responsibilities and authority in case of an information
security breach.
• Develop 5 an incident response plan and practice it regularly with tabletop exercises, in which
responsible persons and interest groups practice the information security incident response
process in imaginary scenarios.
• Identify the components critical to the business and create and maintain lists of what needs
to be protected.
• Specify the necessary access rights carefully based on the needs of the users and the tech-
nical functionalities.
1
https://www.kyberturvallisuuskeskus.fi/en/our-services/situation-awareness-and-network-management/kybermit-
tari-cybermeter
2
https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/file/Ohje_3_2016_Palvelunestohyokkaysten_eh-
kaisy_ja_torjunta_0.pdf
3
https://www.kyberturvallisuuskeskus.fi/en/report
4
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news
5
https://www.kyberturvallisuuskeskus.fi/en/our-services/exercises
3
Traficom publications 25/2022
• Consider establishing a security operations centre (SOC) or purchasing a similar service. The
purpose of the security operations centre is to monitor the network traffic of your company
and information security events in the systems.
• Make sure that the agreements with the service providers cover the prevention of denial-of-
service attacks.
• Keep the server software up to date and check that the configurations are in accordance with
the recommendations. The right configurations can mitigate the impact of denial-of-service
attacks.
• Configurations that mitigate the impact of denial-of-service attacks may include features
such as limiting the speed of individual connections (rate limiting), extending the TCP con-
nection processing queue (backlog queue), recycling incomplete TCP connections (half-open
connection recycling) or implementing SYN cookies. Find out which of these methods are the
best suited to your server environment and implement them as needed.
• The National Cyber Security Centre Finland has published a technical guide on how to defend
yourself against denial-of-service attacks (in Finnish). 6
For instance, the scenario in this case could be a situation in which a denial-of-service attack
has crippled a critically important information system, preventing the use and operation of the
system completely.
What would your organisation do in case of an information security breach like the one de-
scribed? Practice at least the following steps of this playbook:
• Reporting the security breach and escalating the situation
• Notifying the essential service providers and other interest groups of the situation
In connection with all of the steps being practiced, you should think about how the organisa-
tion leads the information security breach management, how the internal communications
work and who is the person responsible or their deputy at which stage. It is also recommended
that you study the materials of the National Cyber Security Centre Finland related to exer-
cises. 7
6
https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/file/Ohje_3_2016_liite_1_Palvelunestohyok-
kaysten_tekniikkaa_puolustajille_0.pdf
7
https://www.kyberturvallisuuskeskus.fi/en/our-services/exercises
4
Traficom publications 25/2022
Report the information security breach to the National Cyber Security Centre Finland. 8 We ad-
vise you confidentially and free of charge on how to limit the damage, analyse the incident and
take recovery measures. At the same time, you support the national information security situ-
ation awareness and make it possible to help and warn other potential victims.
8
https://www.kyberturvallisuuskeskus.fi/en/report
5
Traficom publications 25/2022
4 Instructions
Use the attached checklist to find measures to help you if you suspect that you have become
the target of a denial-of-service attack. The checklist helps your organisation to prioritise and
use a phased approach when investigating information security incidents.
The gathering of potential evidence should also be documented carefully. You should record
who gathered the data, what it was, and when and how it was gathered. A carefully drawn up
event log makes the investigation as well as the cooperation with the police and information
security investigators significantly easier.
6
Traficom publications 25/2022
7
Traficom publications 25/2022
8
Traficom publications 25/2022
Contact your IT/ICT service Often a part of the organisation’s IT infra- Report the incident to your IT or
provider structure has been outsourced to a service ICT service provider, depending
provider. The harmful traffic almost always on which service is the target of
passes through the service provider’s net- the attack. If the attack is volu-
work, in which case the service provider is metric, meaning that it is based
able to filter traffic if agreements on the is- on a large traffic volume, the
sue have been drawn up in advance. service provider can help with
stopping the attack by restrict-
ing the traffic to and from the
service with a packet washer.
Notify the partners in cooper- The security breach may cause the part- Notify the contact persons in
ation and interest groups that ners, customers and service providers risks case of crisis situations of differ-
may be affected by the inci- or problems with the availability of services. ent interest groups about the in-
dent about the information cident if you believe that it may
security breach affect the availability of their
services.
9
https://dfir.fi/
https://www.fisc.fi/fi/about-us
https://www.hansel.fi/yhteishankinnat/tiedonhallinnan-ja-digiturvallisuuden-asiantuntija/ (in Finnish)
10
https://poliisi.fi/en/report-a-crime
11
https://www.kyberturvallisuuskeskus.fi/en/report
12
https://www.kyberturvallisuuskeskus.fi/en/services/report-security-incident-nis-notification-obligation
9
Traficom publications 25/2022
Identify the targets of the attack It is important to identify which part Check the log data of the server that
of the infrastructure was targeted by was targeted in the attack. If it is a
the denial-of-service attack. For ex- website server, the attack may be
ample, in case of a network service, visible as an increased number of
it is essential to find out if the attack handshakes in the log.
focused directly on a website server
or the network devices connected to If there has been a TCP SYN flood
it, for instance. attack or another lower level proto-
col attack, the investigation may be
difficult without the help of the IT
service provider.
Determine the type of attack It is important to determine the type If the attack was carried out by ex-
of attack so that the service can be ploiting a vulnerability in the target,
protected better in the future. It the target system must be updated
may involve an application layer at- to remove the vulnerability. If an
tack, such as HTTP, or a network application that the organisation has
layer protocol attack, such as TCP, ordered from a third party is in-
or the attacker may have exploited a volved, the party that provided the
software vulnerability in the target. application should be contacted to
correct the vulnerability.
10
Traficom publications 25/2022
4.4 Recovery
Goals of Denial-of-service attacks last for less than 15 minutes on average, but sometimes they may drag on
the phase for several hours. The operation of the services is usually restored automatically after the attack.
Phase Purpose Measures
Check the different parts of the The denial-of-service attack may Check the status of the targeted
targeted service in case of a have caused a malfunction in the servers and network devices. Also
malfunction targeted server or network device, check that the applications function
which means that it is good to check normally.
that the servers and the applications
that run on them operate normally.
Check that the software and con- The denial-of-service attack may Review the application versions of
figuration of servers are up to have exploited a vulnerability in an the server targeted in the attack and
date application or a server, which is why update them to a newer version, if
it is good to check that the server’s necessary.
updates are up to date.
Based on the application’s logs, find
out what kind of calls the application
has received to determine which
calls may have been used as a part
of the attack.
11
Traficom publications 25/2022
During the post-incident review, the activities during the crisis are studied: what measures
were done well, what could have been done better, and how the plans and the security level
could be improved. A report should be drawn up on the post-incident review that examines at
least the following questions in addition to the course of the events:
• Root causes of the incident:
• What was the reaction to the alarms like? Was the information about alarms trans-
mitted to the right responsible persons?
• Were the responsibilities of the crisis management team assigned to the right people?
• How successful was limiting the scope of the attack and removing the attacker?
• How successful were the communications of the crisis management team? How were
the interest groups taken into account?
• Recovery:
• Post-incident review:
• Have the course of events and the investigation work been documented?
• Was the technical investigation of the incident sufficient? Has it been possible to sub-
mit sufficient data on the attack for the use of the authorities, for example?
• Evaluate the actions of the service providers. Were the response time and the services
that were agreed upon sufficient for the investigation of the incident?
The organisation should update its own incident response plan and more detailed playbooks
designed for combating different types of security incidents after the fact. Practicing different
scenarios at regular intervals is also recommended to ensure that you can benefit from them in
crisis situations.
The National Cyber Security Centre Finland hopes that the companies and organisations share
the most important lessons they have learned from the incident with the Centre, too. With inci-
dent reports, the National Cyber Security Centre Finland can help other organisations in Fin-
land as well as internationally to investigate similar cases. The lessons learned from recovery
help with developing the preparedness of all organisations.
12
Traficom publications 25/2022
13
Finnish Transport and Communications Agency
Traficom
National Cyber Security Centre Finland
PO Box 320, FI-00059 TRAFICOM
tel. +358 29 534 5000
kyberturvallisuuskeskus.fi
ISBN 978-952-311-817-1
Instructions –
Leaked IDs
Traficom Publications
22/2022
Traficom publications 22/2022
Contents
1 Introduction ....................................................................................................... 2
1.1 Purpose of the instructions .......................................................................... 2
1.2 What do leaked IDs mean? ......................................................................... 2
2 Preparation......................................................................................................... 3
2.1 Administrative measures ............................................................................ 3
2.2 Technical measures .................................................................................... 4
2.3 Preparation and training in practice .............................................................. 4
3 Detecting an information security breach ........................................................... 5
4 Instructions ........................................................................................................ 6
4.1 Workflow of an information security breach investigation ................................ 6
4.2 Immediate measures ................................................................................. 8
4.3 Investigating an information security breach ................................................10
4.4 Recovery .................................................................................................12
5 Post-incident review of an information security breach .................................... 13
1
Traficom publications 22/2022
1 Introduction
1.1 Purpose of the instructions
The purpose of these instructions drawn up by the National Cyber Security Centre Finland of
the Finnish Transport and Communications Agency Traficom is to offer advice to organisations
in situations in which it is suspected that IDs have leaked to unauthorised persons or parties
and that they have been exploited in a cyber attack. The instructions are focused on how to
deal with the special characteristics of this type of information security incident. In order to re-
solve the situation completely, the organisation should maintain the incident response plan it
has drawn up in case of information security incidents and follow it.
These instructions offer guidance on a general level on how to act in case of an information se-
curity breach and recover from it. It is recommended that the organisation should draw up a
separate guide for its own use that takes its technological and operational environment into
account in more detail. The project is funded by the National Emergency Supply Agency.
Leaked IDs are one of the most common ways attackers can use to penetrate the information
systems of your organisation. Leaked IDs are often used to gain the first foothold in attacks.
User IDs are traded on marketplaces used by criminals, and they are shared publicly as large
databases.
IDs most commonly fall into the wrong hands due to a third-party data leak, reuse of pass-
words or phishing messages. It is extremely important that the password practices of your or-
ganisation are up to date and that the personnel are trained to minimise the risks.
In CEO fraud (business email compromise), an employee in charge of the financial transactions
of the company is deceived into paying an invoice or making another kind of bank transfer
from the company’s fund to the account of the criminals. Cyber criminals buy user IDs from
darknet markets and exploit them to log in to an employee’s email and monitor the email traf-
fic, looking for opportunities to do things like change the content of existing email threads,
such as account numbers. They can also create completely new invoices and direct the pay-
ments to their own accounts.
2
Traficom publications 22/2022
2 Preparation
Preparing for security incidents is a good way to reduce their severity and make it possible to
recover quickly and continue the business. Organisations can assess their own readiness by
using the Kybermittari (Cybermeter) cyber security evaluation tool of the National Cyber Secu-
rity Centre Finland, for instance 1. An incident response plan that has been drawn up in ad-
vance is a good starting point for what to do in case of a security incident. The organisation
must also ensure that measures such as locking user IDs, isolating servers and terminal de-
vices from the network and restricting network traffic to harmful IP addresses or domain
names are technically possible and that the personnel have the expertise required to carry
them out.
Gathering, compiling and monitoring log data is important in order to detect incidents in time.
Log data also make it possible to investigate incidents thoroughly, which speeds up the clean-
ing and restoration of the environment, if necessary. The National Cyber Security Centre Fin-
land has drawn up a guide on how to collect and use log data. 2 Depending on the systems
used by the organisation, comprehensive monitoring typically also requires network- and sys-
tem-level solutions in addition to this.
A common password policy of the company, imposing restrictions on login sources and multi-
factor authentication are excellent ways of preventing the exploitation of leaked IDs.
• Design a password policy for your organisation that defines the minimum requirements for a
password.
• Find out in advance how you can report an information security breach to the National Cyber
Security Centre Finland 3. Start monitoring the news by the National Cyber Security Centre
Finland. 4
• Review attack scenarios together with the company’s management and agree on the practical
measures as well as management responsibilities and authority in case of an information
security breach.
• Develop 5 the incident response plan and practice it regularly with tabletop exercises, in which
responsible persons and interest groups practice the information security incident response
process in imaginary scenarios.
• Specify the necessary access rights carefully based on the needs of the users and the tech-
nical functionalities.
• Consider establishing a security operations centre or purchasing a similar service. The pur-
pose of the security operations centre is to monitor the network traffic of your company and
information security events in the systems.
1
https://www.kyberturvallisuuskeskus.fi/en/our-services/situation-awareness-and-network-management/kybermit-
tari-cybermeter
2
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news/instructions-and-guides/collecting-and-using-log-data
3
https://www.kyberturvallisuuskeskus.fi/en/report
4
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news
5
https://www.kyberturvallisuuskeskus.fi/en/our-services/exercises
3
Traficom publications 22/2022
• Restrict login sources from countries in which your organisation does not do business.
• By using a virtual private network (VPN), you can prevent login attempts from outside the
network to the most critical systems.
• Aim to detect attacks as early as possible with different kinds of centralised monitoring so-
lutions and test their functionality regularly.
One important part of preparation is practicing threat scenarios. By practicing scenarios such
as the one found in these instructions in advance, your organisation can make sure that it is
ready to meet situations like the one described. Training ensures, among other things, that the
personnel of your organisation understand what the different parts of the workflow and check-
list in the instructions mean and they have the capability to act according to the instructions.
It is also recommended that you study the materials of the National Cyber Security Centre Fin-
land related to exercises. 6
One example scenario is a situation in which the IDs of one of the company’s employees have
ended up in the hands of cyber criminals. The IDs have been used to log in to email, which has
then been used to send forged invoices. The information security breach is revealed when a
partner notices that the invoices they have received contain suspicious details.
How would your organisation act in a situation like the one described? Practice at least the fol-
lowing steps of these instructions:
• Using the identification information gathered to check other user IDs in case of infection.
In connection with all of the steps being practiced, you should think about how the organisa-
tion leads the information security breach management, how the internal communications
work and who the person responsible or their deputy are at which stage.
6
https://www.kyberturvallisuuskeskus.fi/en/our-services/exercises
4
Traficom publications 22/2022
• The organisation is notified about a suspicious activity or email via social media, customers,
partners or the authorities, for example.
Report the information security breach to the National Cyber Security Centre Finland. 7 We ad-
vise you confidentially and free of charge on how to limit the damage, analyse the incident and
take recovery measures. At the same time, you support the national information security situ-
ation awareness and make it possible to help and warn other potential victims.
See the guide on how to detect data breaches by the National Cyber Security Centre Finland
(in Finnish). 8
7
https://www.kyberturvallisuuskeskus.fi/en/report
8
https://www.kyberturvallisuuskeskus.fi/fi/julkaisut/opas-tietomurtojen-havaitsemiseen
5
Traficom publications 22/2022
4 Instructions
Use the attached checklist to find measures to help you when you detect an information secu-
rity breach related to user IDs. The checklist helps organisations to prioritise and use a phased
approach when investigating the security breach.
The gathering of potential evidence should also be documented carefully. You should record
who gathered the data, what it was, and when and how it was gathered. A carefully drawn up
event log makes the investigation as well as the cooperation with the police and information
security investigators significantly easier.
6
Traficom publications 22/2022
7
Traficom publications 22/2022
Find out what rights the user User IDs can be exploited in different ways Find out what rights the user
IDs have depending on what rights they have. IDs have.
Evaluate whether you need The organisation may need help with organ- Technical measures to handle
external help to handle the in- ising measures, managing the security the incident may require exter-
formation security breach or breach and technical measures. If your nal expertise. Such measures
not own organisation or IT service providers do may include collecting identifica-
not have the necessary expertise, you tion information and investigat-
should consider getting external help. ing the threat based on it.
9
https://dfir.fi/
https://www.fisc.fi/fi/about-us
https://www.hansel.fi/yhteishankinnat/tiedonhallinnan-ja-digiturvallisuuden-asiantuntija/ (in Finnish)
10
https://poliisi.fi/en/report-a-crime
11
https://www.kyberturvallisuuskeskus.fi/en/report
12
https://tietosuoja.fi/en/data-breach-notification
8
Traficom publications 22/2022
13
https://www.kyberturvallisuuskeskus.fi/en/services/report-security-incident-nis-notification-obligation
9
Traficom publications 22/2022
10
Traficom publications 22/2022
quire more detailed information on the se- hashes from them to ensure
curity incident as well as evidence for the this.
investigation.
Try to take samples of the mal-
ware detected and store them.
They should be handled with ex-
treme care. Professional exper-
tise is often required to store
them safely. Send the samples
to the National Cyber Security
Centre Finland. 14
Interview the user Confirm the observations by interviewing Interview the user whose user
the user that owns the leaked IDs. IDs were found to be linked to
unusual activity and try to find
The user may be able to provide infor- out why the IDs leaked.
mation on how the IDs leaked. For exam-
ple, the user may have downloaded files on
their computer, clicked a link in an email
message or opened a remote connection to
an attacker impersonating an IT support
person.
14
https://www.kyberturvallisuuskeskus.fi/en/news/transmitting-e-mail-and-sending-samples-national-cyber-security-
centre-finland
11
Traficom publications 22/2022
4.4 Recovery
Goals of the The aim is to regain control of all of the leaked IDs and ensure that the IDs are safe again. Operat-
phase ing models are improved so that such an incident could be avoided in the future.
Phase Purpose Measures
Change the password of the Ensure that the login information of all of Change the password and ask
user ID the infected IDs is changed so that the at- the user to change the password
tacker can no longer use the IDs to access again themselves when they log
the organisation’s systems. in for the first time.
Impose stricter login require- The exploitation of leaked user IDs can be Set the login requirements to a
ments on users restricted by imposing stricter login require- suitable level by implementing
ments. the following:
• Multi-factor authentication
• Certificate-based login
• Domain-linked terminal de-
vice or one that is otherwise
controlled by the company
• Restrictions based on the
source IP address
Evaluate the current pass- By maintaining password practices, you can Evaluate and update the in-
word practices set minimum requirements on the complex- structions related to password
ity of the password. practices.
12
Traficom publications 22/2022
During the post-incident review, the activities during the crisis are studied: what measures
were done well, what could have been done better, and how the plans and the security level
could be improved. A report should be drawn up on the post-incident review that examines at
least the following questions in addition to the course of the events:
• What was the reaction to the alarms like? Was the information about alarms trans-
mitted to the right responsible persons?
• Were the responsibilities of the crisis management team assigned to the right people?
• How successful was limiting the scope of the attack and removing the attacker?
• How successful were the communications of the crisis management team? How were
the interest groups taken into account?
• Recovery
• Post-incident review
• Have the course of events and the investigation work been documented?
• Was the technical investigation of the incident sufficient? Has it been possible to sub-
mit sufficient data on the attack for the use of the authorities, for example?
• Evaluate the actions of the service providers. Were the response time and the services
that were agreed upon sufficient for the investigation of the incident?
The organisation should update its own incident response plan and more detailed playbooks
designed for combating different types of security incidents after the fact. Practicing different
scenarios at regular intervals is also recommended to ensure that you can benefit from them in
crisis situations.
The National Cyber Security Centre Finland hopes that the companies and organisations share
the most important lessons they have learned from the incident with the Centre, too. With inci-
dent reports, the National Cyber Security Centre Finland can help other organisations in Fin-
land as well as internationally to investigate similar cases. The lessons learned from recovery
help with developing the preparedness of all organisations.
13
Finnish Transport and Communications Agency
Traficom
National Cyber Security Centre Finland
PO Box 320, FI-00059 TRAFICOM
tel. +358 29 534 5000
kyberturvallisuuskeskus.fi
ISBN 978-952-311-814-0
Instructions –
Ransomware
23/2022
Traficom publications 23/2022
Contents
1 Introduction ....................................................................................................... 2
1.1 Purpose of the instructions .......................................................................... 2
1.2 What does ransomware mean? .................................................................... 2
2 Preparation......................................................................................................... 3
2.1 Administrative measures ............................................................................ 3
2.2 Technical measures .................................................................................... 4
2.3 Preparation and training in practice .............................................................. 4
3 Detecting an information security breach ........................................................... 6
4 Instructions ........................................................................................................ 7
4.1 Workflow of an information security breach investigation ................................ 7
4.2 Immediate measures ................................................................................. 9
4.3 Investigating an information security breach ................................................12
4.4 Recovery .................................................................................................14
5 Post-incident review of an information security breach .................................... 16
1
Traficom publications 23/2022
1 Introduction
1.1 Purpose of the instructions
The purpose of these instructions drawn up by the National Cyber Security Centre Finland of
the Finnish Transport and Communications Agency Traficom is to offer advice to organisations
in situations in which it is suspected that ransomware has caused an attack or prevents normal
operations. The instructions are focused on how to deal with the special characteristics of this
type of information security incident. In order to resolve the situation completely, the organi-
sation should maintain the incident response plan it has drawn up in case of information secu-
rity incidents and follow it.
These instructions offer guidance on a general level on how to act in case of an information se-
curity breach and recover from it. It is recommended that the organisation should draw up a
separate guide for its own use that takes its technological and operational environment into
account in more detail. The project is funded by the National Emergency Supply Agency.
Criminals have found ransomware an effective way to benefit financially, because organisa-
tions unprepared for the threat are easy targets. Paying the ransom to resolve the situation is
not the right solution, however. Payment does not necessarily guarantee that the data will be
restored or even prevent the blackmail or other attacks from continuing. The attacker’s objec-
tive may also be simply to destroy the data, which means that the blackmail is just a
smokescreen. In that case, the data cannot be restored even by paying the ransom.
The right kind of preparation for ransomware attacks clearly improves the level of information
security of organisations and their resilience against ransomware as well as other potential at-
tacks. In addition to these instructions, the National Cyber Security Centre Finland has also
published instructions for the management on what to do in case of a ransomware incident. 1
1
https://www.kyberturvallisuuskeskus.fi/en/publications/what-do-case-ransomware-incident-instructions-manage-
ment
2
Traficom publications 23/2022
2 Preparation
Preparing for security incidents is a good way to reduce their severity and make it possible to
recover quickly and continue the business. Organisations can assess their own readiness by
using the Kybermittari (Cybermeter) cyber security evaluation tool of the National Cyber Secu-
rity Centre Finland, for instance. 2 An incident response plan that has been drawn up in ad-
vance is a good starting point for what to do in case of a security incident. The organisation
must also ensure that measures such as locking user IDs, isolating servers and terminal de-
vices from the network and restricting network traffic to harmful IP addresses or domain
names are technically possible and that the personnel have the expertise required to carry
them out.
Gathering, compiling and monitoring log data is important in order to detect incidents in time.
Log data also make it possible to investigate incidents thoroughly, which speeds up the clean-
ing and restoration of the environment. The National Cyber Security Centre Finland has drawn
up a guide on how to collect and use log data. 3 Depending on the systems used by the organi-
sation, comprehensive monitoring typically also requires network- and system-level solutions
in addition to this.
Immediate actions
• Draw up an incident response plan for your organisation in case of a ransomware attack.
• Train the personnel on how to act during incidents like those described in these instructions.
- Also offer basic training for regular employees advising them on how to act if a ran-
somware attacks the employee’s own terminal device.
• Find out in advance how you can report an information security breach to the National Cyber
Security Centre Finland. 4 Start monitoring the news by the National Cyber Security Centre
Finland. 5
• Review attack scenarios together with the company’s management and agree on the practical
measures as well as management responsibilities and authority in case of an information
security breach.
• Develop 6 the incident response plan and practice it regularly with tabletop exercises, in which
responsible persons and interest groups practice the information security incident response
process in imaginary scenarios.
• Consider whether your organisation should have a cyber insurance policy that may cover the
damage caused by a ransomware attack. Contact insurance companies for further infor-
mation. However, do not under any circumstances state publicly that your organisation has
a cyber insurance policy, because cyber criminals may choose such organisations as targets
of their attacks, hoping that they are more likely to pay the ransom.
2
https://www.kyberturvallisuuskeskus.fi/en/our-services/situation-awareness-and-network-management/kybermit-
tari-cybermeter
3
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news/instructions-and-guides/collecting-and-using-log-data
4
https://www.kyberturvallisuuskeskus.fi/en/report
5
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news
6
https://www.kyberturvallisuuskeskus.fi/en/our-services/exercises
3
Traficom publications 23/2022
• Make sure that your organisation and subcontractors have implemented continuous vulner-
ability and update management.
• Specify the necessary access rights carefully based on the needs of the users and the tech-
nical functionalities.
• Consider establishing a security operations centre or purchasing a similar service. The pur-
pose of the security operations centre is to monitor the network traffic of your company and
information security events in the systems.
• Test the functioning of the backups regularly and practice restoring the backups of at least
the critical systems.
• Take advantage of network segmentation, data encryption and access control to ensure that
the attack surface of your company and the amount of material exposed to an attack at the
same time are as small as possible.
• Aim to detect attacks as early as possible by using different kinds of centralised monitoring
solutions and make sure that their functionality is also tested regularly.
• Install anti-malware software on terminal devices that can be used to restrict the running of
programs, investigate suspected information security breaches and isolate the computer
from the network, if necessary.
• Implement mechanisms for filtering out emails that contain harmful content, spam and un-
wanted network traffic.
One important part of preparation is practicing threat scenarios. By practicing the scenario be-
low in advance, you can make sure that your organisation is ready to meet situations like the
one described. Training ensures, among other things, that the personnel of the organisation
understand what the different parts of the workflow and checklist in the instructions mean and
they have the capability to act according to the instructions.
For instance, the scenario in this case could be a situation in which ransomware has locked the
files of a system critical to operations while preventing the use and operation of the system.
This becomes apparent to the organisation when the system stops working. The attackers have
breached the organisation through a phishing message and managed to navigate to a critical
system via an infected workstation by taking advantage of a vulnerability in the server. The
personnel and customers overload the IT and customer support, and the pressure to restore
operations or find alternative ways to operate increases.
What would your organisation do in a situation like the one described? With the help of prac-
tice, try to assign responsibilities and allocate sufficient resources to the four parallel lines of
activities that are key to a fast recovery:
2. Finding the root cause and preventing further damage (investigation and corrective
measures).
4
Traficom publications 23/2022
4. Communication between the team reacting to the incident as well as the rest of the per-
sonnel, interest groups, management and the public, providing information and coordi-
nation (coordination).
- Is it possible to find out how and where the malware came from?
• Using the identification information gathered to check other servers and terminal devices in
case of infection.
In connection with all of the tasks being practiced, you should think about how the organisa-
tion leads the incident management, how the internal communications work and who is the
person responsible or their deputy at which stage. It is also recommended that you study the
materials of the National Cyber Security Centre Finland related to exercises. 7
7
https://www.kyberturvallisuuskeskus.fi/en/our-services/exercises
5
Traficom publications 23/2022
• The organisation is notified about the attack by a party outside the organisation via social
media, customers, partners or the authorities, for example.
• The organisation’s files cannot be opened from a network drive, for instance, or they are
otherwise corrupted.
Report the information security breach to the National Cyber Security Centre Finland.8 We ad-
vise you confidentially and free of charge on how to limit the damage, analyse the incident and
take recovery measures. At the same time, you support the national information security situ-
ation awareness and make it possible to warn other potential victims.
See the guide on how to detect data breaches by the National Cyber Security Centre Finland
(in Finnish). 9
8
https://www.kyberturvallisuuskeskus.fi/en/report
9
https://www.kyberturvallisuuskeskus.fi/fi/julkaisut/opas-tietomurtojen-havaitsemiseen
6
Traficom publications 23/2022
4 Instructions
Use the attached checklist to find measures to help you, if you suspect that you have become
a victim of ransomware. The checklist helps organisations to prioritise and use a phased ap-
proach when investigating information security incidents.
The gathering of potential evidence should also be documented carefully. You should record
who gathered the data, what it was, and when and how it was gathered. A carefully drawn up
event log makes the investigation as well as the cooperation with the police and information
security investigators significantly easier.
7
Traficom publications 23/2022
8
Traficom publications 23/2022
9
Traficom publications 23/2022
Notify the partners in cooper- The security breach may cause the part- Notify the contact persons in
ation and interest groups that ners, customers and service providers risks case of crisis situations of differ-
may be affected by the inci- or problems with the availability of services. ent interest groups about the in-
dent about the information An attack against the delivery chain may cident if you believe that it may
security breach also endanger the safety of all partners. affect their data or the availabil-
ity of the services, or if there is
a chance that the malware may
spread between organisations.
10
https://dfir.fi/
https://www.fisc.fi/fi/about-us
https://www.hansel.fi/yhteishankinnat/tiedonhallinnan-ja-digiturvallisuuden-asiantuntija/ (in Finnish)
11
https://poliisi.fi/en/report-a-crime
12
https://www.kyberturvallisuuskeskus.fi/en/report
13
https://tietosuoja.fi/en/data-breach-notification
10
Traficom publications 23/2022
14
https://www.kyberturvallisuuskeskus.fi/en/services/report-security-incident-nis-notification-obligation
11
Traficom publications 23/2022
Identify harmful activity and col- Identification information is collected The identification information gath-
lect identification information to make it possible to map how ered includes, among other things,
widely the infection has spread to the time when the incidents oc-
devices and how the stolen access curred, such as when a login to the
rights have been used. server occurred, or when a certain
command was run on the server.
Once attackers have gained a foot-
hold, they may use different kinds of The malware often communicates
attack methods. In fact, identifica- with the attacker’s command and
tion information should be collected control server. By studying the net-
extensively and signs of their use work traffic of infected devices or
should be studied carefully to ensure domain name resolution (DNS logs),
that the cleaning of the environment the source IP addresses or domain
can be done reliably. names used by the attacker can be
identified.
Recovery can only start after the at-
tacker has been removed from the When harmful files are identified,
environments. their hashes (MD5/SHA256) can be
extracted and used to identify harm-
ful files on other devices, too.
12
Traficom publications 23/2022
15
https://www.kyberturvallisuuskeskus.fi/en/news/transmitting-e-mail-and-sending-samples-national-cyber-security-
centre-finland
13
Traficom publications 23/2022
4.4 Recovery
Goals of Start the recovery from the systems that are the most critical to the business. The organisation
the phase should aim to restore the business back to normal as quickly as possible, but only after the recovery
can be carried out safely.
Phase Purpose Measures
Restore the infected systems The aim is to restore the systems Restore the systems from backups.
from backups and return to normal operation. Re- Also take account of the risk that
storing the systems is done as safely previous daily (incremental) backups
as possible to ensure that the at- may already have been infected.
tacker cannot get back into the sys- When restoring old backups, keep in
tem. mind that the backup may include
the vulnerabilities that the attacker
used in the attack. You can try to
prevent the risk by restoring the
systems without a network connec-
tion and updating the operating sys-
tem and its applications before con-
necting to the network.
14
Traficom publications 23/2022
15
Traficom publications 23/2022
During the post-incident review, the activities during the crisis are studied: what measures
were done well, what could have been done better, and how the plans and the security level
could be improved. A report should be drawn up on the post-incident review that examines at
least the following questions in addition to the course of the events:
• Root causes of the incident:
• What was the reaction to the alarms like? Was the information about alarms trans-
mitted to the right responsible persons?
• Were the responsibilities of the crisis management team assigned to the right people?
• How successful was limiting the scope of the attack and removing the attacker?
• How successful were the communications of the crisis management team? How were
the interest groups taken into account?
• Recovery:
• Post-incident review:
• Have the course of events and the investigation work been documented?
• Was the technical investigation of the incident sufficient? Has it been possible to sub-
mit sufficient data on the attack for the use of the authorities, for example?
• Evaluate the actions of the service providers. Were the response time and the services
that were agreed upon sufficient for the investigation of the incident?
The organisation should update its own incident response plan and more detailed playbooks
designed for combating different types of security incidents after the fact. Practicing different
scenarios at regular intervals is also recommended to ensure that you can benefit from them in
crisis situations.
The National Cyber Security Centre Finland hopes that the companies and organisations share
the most important lessons they have learned from the incident with the Centre, too. With inci-
dent reports, the National Cyber Security Centre Finland can help other organisations in Fin-
land as well as internationally to investigate similar cases. The lessons learned from recovery
help with developing the preparedness of all organisations.
16
Traficom publications 23/2022
17
Finnish Transport and Communications Agency
Traficom
National Cyber Security Centre Finland
PO Box 320, FI-00059 TRAFICOM
tel. +358 29 534 5000
kyberturvallisuuskeskus.fi
ISBN 978-952-311-815-7
Instructions –
Supply chain attack
21/2022
Traficom publications 21/2022
Contents
1 Introduction ....................................................................................................... 2
1.1 Purpose of the instructions .......................................................................... 2
1.2 What does a supply chain attack mean? ....................................................... 2
2 Preparation......................................................................................................... 3
2.1 Administrative measures ............................................................................ 3
2.2 Technical measures .................................................................................... 4
3 Detecting an information security breach ........................................................... 5
4 Instructions ........................................................................................................ 6
4.1 Workflow of an information security breach investigation ................................ 6
4.2 Immediate measures ................................................................................. 8
4.3 Investigating an information security breach ................................................11
4.4 Recovery .................................................................................................14
5 Post-incident review of an information security breach .................................... 16
1
Traficom publications 21/2022
1 Introduction
1.1 Purpose of the instructions
The purpose of these instructions drawn up by the National Cyber Security Centre Finland of
the Finnish Transport and Communications Agency Traficom is to offer advice to organisations
in situations in which a supply chain attack is suspected. The instructions are focused on how
to deal with the special characteristics of this type of information security incident. In order to
resolve the situation completely, the organisation should maintain the incident response plan it
has drawn up in case of information security incidents and follow it.
These instructions offer guidance on a general level on how to act in case of an information se-
curity breach and recover from it. It is recommended that the organisation draw up a separate
guide for its own use that takes its technological and operational environment into account in
more detail. The project is funded by the National Emergency Supply Agency.
The aim of a supply chain attack is to gain a foothold in different organisations along the sup-
ply chain. Once a foothold has been secured, it can be used in different kinds of further at-
tacks, such as data breaches and ransomware attacks.
Detection and management of supply chain attacks is important, because they have a major
impact on the reputation and trust of the organisation in the network. The victims of a supply
chain attack include both the supplier and the customer. Managing the situation often requires
transparency and cooperation from the parties.
2
Traficom publications 21/2022
2 Preparation
Preparing for security incidents is a good way to reduce their severity and make it possible to
recover quickly and continue the business. Organisations can assess their own readiness by
using the Kybermittari (Cybermeter) cyber security evaluation tool of the National Cyber Secu-
rity Centre Finland, for instance 1. An incident response plan that has been drawn up in ad-
vance is a good starting point for what to do in case of a security incident. The organisation
must also ensure that measures such as locking user IDs, isolating servers and terminal de-
vices from the network and restricting network traffic to harmful IP addresses or domain
names are technically possible and that the personnel have the expertise required to carry
them out.
Gathering, compiling and monitoring log data is important in order to detect incidents in time.
Log data also make it possible to investigate incidents thoroughly, which speeds up the clean-
ing and restoration of the environment. The National Cyber Security Centre Finland has drawn
up a guide on how to collect and use log data. 2 Depending on the systems used by the organi-
sation, comprehensive monitoring typically also requires network- and system-level solutions
in addition to this.
• Train the personnel on how to act during security incidents such as the ones described in
these instructions.
• Find out in advance how you can report an information security breach to the National Cyber
Security Centre Finland. 3 Start monitoring the news by the National Cyber Security Centre
Finland. 4
• Review attack scenarios together with the company’s management and agree on the practical
measures as well as management responsibilities and authority in case of an information
security breach.
• Develop 5 the incident response plan and practice it regularly with tabletop exercises, in which
responsible persons and interest groups practice the information security incident response
process in imaginary scenarios.
• Identify the components critical to the business and create and maintain lists of what needs
to be protected.
• Maintain a list of the licences and software used by the organisation and their versions.
• Specify the necessary access rights carefully based on the needs of the users and the tech-
nical functionalities.
• Evaluate the status of the cyber security of suppliers. By ensuring that all suppliers provide
a full description of their security measures, you can establish an idea of the safety of their
1
https://www.kyberturvallisuuskeskus.fi/en/our-services/situation-awareness-and-network-management/kybermit-
tari-cybermeter
2
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news/instructions-and-guides/collecting-and-using-log-data
3
https://www.kyberturvallisuuskeskus.fi/en/report
4
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news
5
https://www.kyberturvallisuuskeskus.fi/en/our-services/exercises
3
Traficom publications 21/2022
products. You can also ask a cyber security professional to review the information provided
by suppliers to find out whether the security solutions are sufficient and appropriate.
• Consider establishing a security operations centre or purchasing a similar service. The pur-
pose of the security operations centre is to monitor the network traffic of your company and
information security events in the systems.
• Test the functioning of the backups regularly and practice restoring the backups of at least
the critical systems.
• Take advantage of network segmentation, data encryption and access control to ensure that
the attack surface of your company is as small as possible.
• Protect the connections of your partners with strong encryption settings and implement
multi-factor authentication.
• Aim to detect attacks as early as possible by using different kinds of centralised monitoring
solutions and make sure that their functionality is also tested regularly.
• Install anti-malware software on terminal devices that can be used to restrict the running of
programs, investigate suspected information security breaches and isolate the computer
from the network, if necessary.
• Implement mechanisms for filtering out emails that contain harmful content, spam and un-
wanted network traffic.
• Centralised log management should be deployed to enable efficient detection and investiga-
tion of cyber threats.
4
Traficom publications 21/2022
• An attempt is made to use the IDs of partners to log in to services they would not normally
log in to.
• An information security product or service provider sends an alarm, which is usually caused
by a trusted application.
• The organisation is notified about the attack by a party outside the organisation, such as
social media, customers, partners or the authorities, for example.
Report the information security breach to the National Cyber Security Centre Finland.6 We ad-
vise you confidentially and free of charge on how to limit the damage, analyse the incident and
take recovery measures. At the same time, you support the national information security situ-
ation awareness and make it possible to help and warn other potential victims.
See the guide on how to detect data breaches by the National Cyber Security Centre Finland
(in Finnish). 7
6
https://www.kyberturvallisuuskeskus.fi/en/report
7
https://www.kyberturvallisuuskeskus.fi/fi/julkaisut/opas-tietomurtojen-havaitsemiseen
5
Traficom publications 21/2022
4 Instructions
Use the attached checklist to find measures to help you if you suspect that you have become a
victim of supply chain attack. The checklist helps organisations to prioritise and use a phased
approach when investigating information security incidents.
The gathering of potential evidence should also be documented carefully. You should record
who gathered the data, what it was, and when and how it was gathered. A carefully drawn up
event log makes the investigation as well as the cooperation with the police and information
security investigators significantly easier.
6
Traficom publications 21/2022
7
Traficom publications 21/2022
8
Traficom publications 21/2022
8
https://dfir.fi/
https://www.fisc.fi/fi/about-us
9
Traficom publications 21/2022
9
https://poliisi.fi/en/report-a-crime
10
https://www.kyberturvallisuuskeskus.fi/en/report
11
https://www.kyberturvallisuuskeskus.fi/en/services/report-security-incident-nis-notification-obligation
10
Traficom publications 21/2022
Identify signs of harmful activi- Identification information is collected Collect the following identification in-
ties and collect identification in- to make it possible to map how formation:
formation widely the infection has spread to
devices and how the stolen access • When the login to the server oc-
rights have been used. curred
• From which IP address the login
Once attackers have gained a foot- was carried out
hold, they may use different kinds of • At what time was a specific
attack methods. In fact, identifica- command run on the server
tion information should be collected • What the command in question
extensively and signs of their use caused on the server
should be studied carefully to ensure
that the cleaning of the environment The malware often communicates
can be done reliably. with the attacker’s command and
control server. By studying the net-
Recovery can only start after the at- work traffic of infected devices or
tacker has been removed from all of domain name resolution (DNS logs),
the environments. you can identify the source IP ad-
dress or domain name used by the
attacker.
11
Traficom publications 21/2022
12
Traficom publications 21/2022
12
https://www.kyberturvallisuuskeskus.fi/en/news/transmitting-e-mail-and-sending-samples-national-cyber-security-
centre-finland
13
Traficom publications 21/2022
4.4 Recovery
Goals of The recovery starts from the systems that are the most critical to the business. The organisation
the phase should aim to restore the business back to normal as quickly as possible, but only after the recovery
can be carried out safely.
Phase Purpose Measures
Reactivate the connections and The aim is to return the partners’ re- Before activating the connections,
start the applications mote connections or software make sure that they are safe and
needed for business back to opera- that the partners have also been
tion. able to clean their own systems and
IDs.
14
Traficom publications 21/2022
15
Traficom publications 21/2022
During the post-incident review, the activities during the crisis are studied: what measures
were done well, what could have been done better, and how the plans and the security level
could be improved. A report should be drawn up on the post-incident review that examines at
least the following questions in addition to the course of the events:
• What was the reaction to the alarms like? Was the information about alarms trans-
mitted to the right responsible persons?
• Were the responsibilities of the crisis management team assigned to the right people?
• How successful was limiting the scope of the attack and removing the attacker?
• How successful were the communications of the crisis management team? How were
the interest groups taken into account?
• Recovery
• Post-incident review
• Have the course of events and the investigation work been documented?
• Was the technical investigation of the incident sufficient? Has it been possible to sub-
mit sufficient data on the attack for the use of the authorities, for example?
• Evaluate the actions of the service providers. Were the response time and the services
that were agreed upon sufficient for the investigation of the incident?
The organisation should update its own incident response plan and more detailed instructions
designed for combating different types of security incidents after the fact. Practicing different
scenarios at regular intervals is also recommended to ensure that you can benefit from them in
crisis situations.
The National Cyber Security Centre Finland hopes that the companies and organisations share
the most important lessons they have learned from the incident with the Centre, too. With inci-
dent reports, the National Cyber Security Centre Finland can help other organisations in Fin-
land as well as internationally to investigate similar cases. The lessons learned from recovery
help with developing the preparedness of all organisations.
16
Finnish Transport and Communications Agency
Traficom
National Cyber Security Centre Finland
PO Box 320, FI-00059 TRAFICOM
tel. +358 29 534 5000
kyberturvallisuuskeskus.fi
ISBN 978-952-311-813-3