Instructions For Recovering From Cyberattacks

Instructions – Data breach
Traficom Research Reports
24/2022
Traficom publications 24/2022
Contents
1 Introduction ....................................................................................................... 2
1.1 Purpose of the instructions .......................................................................... 2
1.2 What does a data breach mean? .................................................................. 2
2 Preparation......................................................................................................... 3
2.1 Administrative measures ............................................................................ 3
2.2 Technical measures .................................................................................... 4
3 Detecting an information security breach ........................................................... 5
4 Instructions ........................................................................................................ 6
4.1 Workflow of an information security breach investigation ................................ 6
4.2 Immediate measures ................................................................................. 8
4.3 Investigating an information security breach ................................................10
4.4 Recovery .................................................................................................12
5 Post-incident review of an information security breach .................................... 14
1
1 Introduction
1.1 Purpose of the instructions
The purpose of these instructions drawn up by the National Cyber Security Centre Finland of
the Finnish Transport and Communications Agency Traficom is to offer advice to organisations
in situations in which it is suspected that there has been a data breach. The instructions are
focused on how to deal with the special characteristics of this type of information security inci-
dent. In order to resolve the situation completely, the organisation should maintain the inci-
dent response plan it has drawn up in case of information security incidents and follow it.
These instructions offer guidance on a general level on how to act in case of an information se-
curity breach and recover from it. It is recommended that the organisation draw up a separate
guide for its own use that takes its technological and operational environment into account in
more detail. The project is funded by the National Emergency Supply Agency.
1.2 What does a data breach mean?

A data breach refers to unauthorised access to an information system, service or device or un-
authorised use of an application by means of acquired access codes. Often the aim of a data
breach is also to gain financial benefit, such as by stealing information that can be sold further.
Sometimes the attackers do not steal anything themselves, but instead they sell access to the
server to another criminal. An environment that has been hacked can also be used to distrib-
ute harmful material, or the operation of the hacked environment can be paralysed with ran-
somware. Attackers can use the environment they have hacked as a part of other attacks,
such as a denial-of-service attack.
Data breaches cause a loss of reputation and financial losses to the targeted organisation. In
addition, the normal operation of the organisation may be interrupted for a long time due to
repairs or reinstalling the environment. Data breaches are also used for invoice fraud (business
email compromise), in which case the financial losses may be significant. Unlike in typical
cases of CEO fraud, if an organisation has become the victim of a data breach, a forged invoice
can be sent from within the organisation, which makes it more likely to be approved.
Sometimes a data breach may be exploited a long time after the intrusion occurred. In that
case, the organisation may no longer have log data from the time of the intrusion available,
which makes investigating the incident considerably more difficult.
2
2 Preparation
Preparing for security incidents is a key method of reducing their severity and making it possi-
ble to recover quickly and continue the business. Organisations can assess their own readiness
by using the Kybermittari (Cybermeter) cyber security evaluation tool of the National Cyber
Security Centre Finland, for instance. 1 An incident response plan that has been drawn up in ad-
vance is a good starting point for what to do in case of a security incident. The organisation
must also ensure that measures such as locking user IDs, isolating servers and terminal de-
vices from the network and restricting network traffic to harmful IP addresses or domain
names are technically possible and that the personnel have the expertise required to carry
them out.
Gathering, compiling and monitoring log data is important in order to detect incidents in time.
Log data also make it possible to investigate incidents thoroughly, which speeds up the clean-
ing and restoration of the environment, if necessary. The National Cyber Security Centre Fin-
land has drawn up a guide on how to collect and use log data. 2 Depending on the systems
used by the organisation, comprehensive monitoring typically also requires network- and sys-
tem-level solutions in addition to this.
2.1 Administrative measures

• Draw up an incident response plan for your organisation in case of a data breach.
• Train the personnel on how to act during information security breaches such as those de-
scribed in these instructions.
• Find out in advance how you can report an information security breach to the National Cyber
Security Centre Finland. 3 Start monitoring the news by the National Cyber Security Centre
Finland. 4
• Review attack scenarios together with the company’s management and agree on the practical
measures as well as management responsibilities and authority in case of an information
security breach.
• Develop 5 the incident response plan and practice it regularly with tabletop exercises, in which
responsible persons and interest groups practice the information security incident response
process in imaginary scenarios.
• Implement continuous vulnerability and update management.
• Identify the components critical to the business and create and maintain lists of what needs
to be protected.
• Specify the necessary access rights carefully based on the needs of the users and the tech-
nical functionalities.
• Consider establishing a security operations centre or purchasing a similar service. The pur-
pose of the security operations centre is to monitor the network traffic of your company and
information security events in the systems.
1
https://www.kyberturvallisuuskeskus.fi/en/our-services/situation-awareness-and-network-management/kybermit-
tari-cybermeter
2
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news/instructions-and-guides/collecting-and-using-log-data
3
https://www.kyberturvallisuuskeskus.fi/en/report
4
https://www.kyberturvallisuuskeskus.fi/en/ncsc-news
5
https://www.kyberturvallisuuskeskus.fi/en/our-services/exercises
3
2.2 Technical measures

• Back up your critical systems regularly and automatically by following the 3-2-1 rule. That
is, have at least three copies in two different formats and keep one of these copies completely
outside the network.
• Test the functioning of the backups regularly and practice restoring the backups of at least
the critical systems.
• Take advantage of network segmentation, data encryption and access control to ensure that
the attack surface of your company and the amount of material exposed to an attack at the
same time are as small as possible.
• Aim to detect attacks as early as possible by using different kinds of centralised monitoring
solutions and make sure that their functionality is also tested regularly.
• Install anti-malware software (Endpoint Detection and Response, EDR) on terminal devices
that can be used to restrict the running of programs, investigate suspected information se-
curity breaches and isolate the computer from the network, if necessary.
• Implement mechanisms for filtering out emails that contain harmful content, spam and un-
wanted network traffic.
• Implement centralised log management to make effective detection and investigation of

cyber threats possible.
4
3 Detecting an information security breach

The possibilities of detecting an attack depend largely on the method the attackers used to
penetrate the system. The intrusion may have been carried out by exploiting a vulnerability in
the server, a configuration error or a vulnerability in an application, or the attacker may have
acquired credentials suitable for the server through phishing, for example.
An attack can be detected in the following ways, for instance:
• The system stops working or is not available.
• Unexpected measures have been taken in the system, and none of the employees admit to
carrying them out.
• An information security product or service provider sends an alarm.
• The organisation is notified about the attack by a party outside the organisation via social
media, customers, partners or the authorities, for example.
• A serious vulnerability is found in the system, and when it is corrected, it is discovered that
the vulnerability has already been exploited.
• The attacker tries to blackmail the organisation with stolen information.
Report the information security breach to the National Cyber Security Centre Finland.6 We ad-
vise you confidentially and free of charge on how to limit the damage, analyse the incident and
take recovery measures. At the same time, you support the national information security situ-
ation awareness and make it possible to help and warn other potential victims.
See the guide on how to detect data breaches by the National Cyber Security Centre Finland
(in Finnish). 7
6
7
https://www.kyberturvallisuuskeskus.fi/fi/julkaisut/opas-tietomurtojen-havaitsemiseen
5
4 Instructions
Use the attached checklist to find measures to help you if you suspect that you have become a
victim of a data breach. The checklist helps organisations to prioritise and use a phased ap-
proach when investigating information security incidents.
4.1 Workflow of an information security breach investigation

The flow chart below describes the right order of measures when investigating the security
breach. The flow chart supports the use of the checklist. During the investigation, it is also cru-
cially important to keep an accurate event log of the measures taken. The log should show the
measure taken, the timestamp and the party that implemented the measure.
The gathering of potential evidence should also be documented carefully. You should record
who gathered the data, what it was, and when and how it was gathered. A carefully drawn up
event log makes the investigation as well as the cooperation with the police and information
security investigators significantly easier.
6
7
4.2 Immediate measures

Goals of the The accuracy and speed of the measures are both important. The goal of the immediate measures
phase is to protect the critical data in the environment, stop the malware from spreading, prevent the at-
tackers from gaining a foothold in the network and prepare for the start of the recovery process.
Phase Purpose Measures
Isolate the infected device The aim of isolating the infected device Isolate the device by using the
from other data networks is to stop the at- endpoint detection and response
tack from progressing and protect the data features. If necessary, discon-
in the system. nect the network cables of the
device.
The isolation must also ensure

that the device cannot access
the internet to prevent the at-
tacker from stealing data from
the server.
Contact your IT service pro- Often a part of the organisation’s IT infra- Contact the service provider’s
vider structure has been outsourced to a service contact person in case of crisis
provider. The assistance of service provid- situations. Among other things,
ers may be needed for some of the you may have to ask your ser-
measures related to limiting the scope of vice provider to disconnect your
the incident. servers from networks, restore
them, or send their logs.
IT service providers often also

have experienced personnel who
can help with resolving the situ-
ation.
Find out what connections Servers often have active connections to If the server has active connec-
were active on the server other systems. Such connections may in- tions to other systems, ensure
clude a database connection or different the integrity of the data by re-
kinds of API calls and keys. The integrity of viewing the logs of the con-
the connected systems must be verified as nected systems.
soon as possible to determine how serious
the situation is. Issues to check may include, for
instance, the size of database
searches carried out or a large
number of interface calls while
the attacker was on the server.
Change the IDs of the con-
nected services, such as the da-
tabase ID used by the infected
server as well as the interface
keys and certificates used for
the connections.
Notify those partners in coop- The security breach may cause the part- Notify the contact persons in
eration and interest groups ners, customers and service providers risks case of crisis situations of differ-
that may be affected by the or problems with the availability of services. ent interest groups about the in-
incident about the information cident if you believe that it may
security breach affect the availability of their
services.
If the server has also had con-

nections to other organisations,
notify them about the issue,
too. This will allow them to in-
validate the IDs, keys or certifi-
cates used on the infected
server. It is also important that
they verify the integrity of their
own data.
Evaluate whether you need The organisation may need help with tech- Technical measures to handle
external help to handle the in- nical measures, managing the security inci- the security breach may require
formation security breach or dent and organising measures. If the nec- external expertise. External ex-
not essary expertise is not available within the pertise may be required e.g. for
organisation itself or directly from the IT collecting identification infor-
service providers, you should consider get- mation and investigating the
ting external help. threat based on it. External as-
sistance may also be useful with
checking whether the attacker
8
was able to obtain data im-

portant to the business, and if
so, what kind of data.
The National Cyber Security

Centre Finland can help organi-
sations especially during the
first response to the incident as
well as by offering additional in-
formation on similar cases in
Finland and abroad.
You can find Finnish service pro-

viders in the resources listed in
the footnote. 8
Report the information secu- If there is a risk that personal data may Submit a preliminary notification
rity breach to the Office of the have ended up in the hands of the attacker about a personal data breach
Data Protection Ombudsman as a part of the data breach, the incident immediately, because you can
must be reported to the Office of the Data supplement the notification
Protection Ombudsman without undue de- later.
lay and, if possible, within 72 hours of when
the organisation found out about the infor- The controller must assess the
mation security breach. level of risk caused by the infor-
mation security breach to the
persons targeted by it. The level
of risk determines the measures
that the controller must take
later.
Document all personal data

breaches as well as their impact
and the corrective measures im-
plemented. The log data from
the time of the incident affecting
the information system also fall
within the scope of the docu-
mentation obligation. The Data
Protection Ombudsman may ask
for the log data for processing
the notification of the infor-
mation security breach.
Also report the incident to the Report the incident to the authorities. The File a report of an offence about
other authorities organisation may have an obligation to re- the incident with the police. 9
port the incident based on regulations or Also notify the National Cyber
the terms of the cyber insurance. Security Centre Finland of the
incident 10 to maintain situation
awareness and get help.
The infrastructure operators and

service providers critical to the
security of supply that are sub-
ject to the NIS directive of the
EU on the security of network
and information systems must
notify the authorities about in-
formation security incidents in
network and information sys-
tems. 11
8
https://dfir.fi/
https://www.fisc.fi/fi/about-us
https://www.hansel.fi/yhteishankinnat/tiedonhallinnan-ja-digiturvallisuuden-asiantuntija/ (in Finnish)
9
https://poliisi.fi/en/report-a-crime
10
11
https://www.kyberturvallisuuskeskus.fi/en/services/report-security-incident-nis-notification-obligation
9
4.3 Investigating an information security breach

Goals of the The goal of investigating the security breach is to determine the extent of the attack and its im-
phase pact on the organisation. A thorough investigation ensures that malware and potential backdoors
have been removed from the environment.
Identify harmful activity and Identification information is collected to The identification information gath-
collect identification infor- make it possible to map how widely the ered includes, among other things,
mation infection has spread to devices and how the time when the incident occurred,
the stolen access rights have been when a login to the server occurred,
used. or when a certain command was run
on the server.
Once attackers have gained a foothold,
they may use different kinds of attack The malware often communicates
methods. In fact, identification infor- with the attacker’s command and
mation should be collected extensively control server. By studying the net-
and signs of their use should be studied work traffic of infected devices or
carefully to ensure that the cleaning of domain name resolution (DNS logs),
the environment can be done reliably. the source IP addresses or domain
names used by the attacker can be
Recovery can only start after the at- identified.
tacker has been removed from the en-
vironments. When harmful files are identified,
their hashes (MD5/SHA256) can be
extracted and used to identify harm-
ful files on other devices, too.
Authentication events related to in-

fected devices and measures taken
by the user accounts linked to them
can be used to determine the IDs
used to spread the malware.
Endpoint detection and response of-

ten has features for collecting and
using the identification information
mentioned above. Otherwise, the
measures should be taken manually
by using a centralised log server. If
no such server is available, either,
the logs of individual servers and
terminal devices should be exam-
ined.
Use the identification infor- The identification information can be Identification information can be
mation to help with identify- used to find out how far into the organ- used to find infected devices, such
ing all infected systems isation the attacker was able to pene- as by using the endpoint detection
trate. By collecting identification infor- and response features that often of-
mation and searching for it in the tar- fer the option of searching for
get systems, it is possible to ensure events on devices based on different
that all infected devices and identifiers identifiers.
are found and cleaned.
If the organisation has also imple-
mented centralised log manage-
ment, it can be used to search for
events efficiently based on identifi-
ers from several different devices at
the same time.
If neither of the solutions mentioned

above is available, identifiers should
be searched separately from each
device. Different kinds of remote
control solutions can be used for the
purpose, however; they often enable
running PowerShell commands sim-
ultaneously on several servers, for
instance.
There is a risk that the attackers
have attempted to cover their tracks
10
by disabling logging after gaining ac-

cess to a device. In that case, it may
not be possible to find all of the col-
lected identification information in
the device logs. For this reason, it is
important to aim to use a wide vari-
ety of identification information and
event sources.
Find out if critical data have As a part of the investigation, it should Find out if the IDs, certificates or
become endangered be determined whether the attackers keys used for the connections have
were able to access important data of been used to log in from a place
the organisation or potentially the per- other than the server on which they
sonal data of customers or employees. should be used.
Find out if the attacker was able to

access the data and steal them by
reviewing the database or interface
logs. Based on the overload or the
searches made, you can determine if
the attacker intended to retrieve in-
formation.
Review the network device logs to

find out if there are any abnormali-
ties in the traffic of the infected
server. Unusually high traffic may
indicate e.g. that the attacker has
been able to steal information.
Note that even if attackers have not

destroyed or stolen the data, they
may have edited them. The attacker
may also have stolen data with a
small size but great importance,
such as IDs.
Save all available log files and The aim of collecting and storing evi- Save log files that contain infor-
other evidence on a hard drive dence is to guarantee a high-quality in- mation relevant to the investigation
isolated from the network for vestigation after the incident so that of the incident on a hard drive iso-
later investigation the root causes of the incident can be lated from the network. Also collect
determined. harmful email and other messages,
if any.
Evidence may be needed for filing a re-
port of an offence and the court pro- Aim to keep the evidence, such as
ceedings. complete disk images and memory
samples, as intact as possible. Ex-
If the organisation has a cyber insur- tract integrity hashes from them to
ance policy, the insurance company ensure this.
may also require more detailed infor-
mation on the security incident as well Aim to save samples of the malware
as evidence for the investigation. detected. They should be handled
with extreme care. Professional ex-
pertise is often required to carry it
out safely. Send the samples to the
National Cyber Security Centre Fin-
land. 12
12
https://www.kyberturvallisuuskeskus.fi/en/news/transmitting-e-mail-and-sending-samples-national-cyber-security-
centre-finland
11
4.4 Recovery
Goals of Start the recovery from the systems that are the most critical to the business. The organisation
the phase should aim to restore the business back to normal as quickly as possible, but only after the recovery
can be carried out safely.
Restore the infected systems The aim is to restore the systems Restore the systems from backups.
from backups and return them to normal opera- Also take account of the risk that
tion. Restoring the systems should previous daily (incremental) backups
be done as safely as possible to en- may already have been infected.
sure that the attacker cannot get When restoring old backups, keep in
back into the system. mind that the backup may include
the vulnerabilities that the attacker
used in the attack. You can try to
prevent the risk by restoring the
systems without a network connec-
tion and updating the operating sys-
tem and its applications before con-
necting to the network.
If there is no suitable backup availa-

ble, do a clean install of the operat-
ing system and its applications,
starting from scratch. Also take the
risk factors mentioned in the previ-
ous section into account.
Do not try to clean an infected sys-

tem by using anti-malware or auto-
mated tools, because there is no
guarantee that they will be able to
clean the system completely.
Check the systems with anti-mal-

ware software before connecting
them back to the network again.
Restore the infected IDs and en- Ensure that the login information of Change the passwords of infected
sure that the system administra- all of the potentially infected IDs is IDs and start using the IDs again.
tor IDs are safe. changed so that the attacker can no
longer use the IDs to access the or- To make sure, change the password
ganisation’s systems. of administrator accounts and ser-
vice accounts in case some of them
Make the user login requirements have fallen into the hands of the at-
stricter, if possible. tackers.
Deliver the new passwords to users

either verbally in person, in a text
message or by telephone. Do not
use the organisation’s email or in-
stant messenger, because the at-
tacker may still have access to
them.
Consider adding two-factor authenti-

cation to administrator accounts as
well as the IDs that were exploited
during the attack. In addition, moni-
tor the IDs used in the attack more
carefully after the attack in case the
attacker gains control of them again.
If it is still unclear to the organisa-

tion how the attacker was able to
gain control of certain IDs, consider
creating completely new IDs. In this
way, you can ensure that the at-
tacker cannot gain control of the IDs
again by using the method that
could not be identified.
12
Restore the infected records If it is suspected that the attacker Take advantage of the database and
has edited the contents of the data- interface logs to determine if the at-
base, the database must be restored tacker has edited records. If the ac-
from a backup copy to invalidate the curacy of the logs is not sufficient
attacker’s changes, if cleaning the for cleaning up the changes, restore
data is not possible. the data in the database from the
latest safe backup.
If the attacker has stolen data, all of

the passwords contained by the sto-
len data must be changed. This
should also be done even if pass-
words were only stored in the form
of hashes.
Notify the people whose data have

been compromised in connection
with the breach, so that they can
prepare in case of the potential mis-
use of their data. Also notify them
that it has been necessary to restore
data to an older version starting
from a specific date so that the in-
terested parties can update their
data.
13
5 Post-incident review of an information security breach

When the crisis is over and business operations have returned to normal, it is important to
start the post-incident review of the attack and learn as much as possible about what hap-
pened for the future. At the same time, crisis management systems should be updated based
on the observations made. The organisation may become a victim of a similar attack again, if
the root causes of the incident cannot be determined and no lessons are learned from it.
During the post-incident review, the activities during the crisis are studied: what measures
were done well, what could have been done better, and how the plans and the security level
could be improved. A report should be drawn up on the post-incident review that examines at
least the following questions in addition to the course of the events:
Root causes of the incident:
What technical or functional weaknesses led to the situation?
Effectiveness of the organisation’s own protection:
Were the controls used to detect attacks sufficient?
Did the attacker’s actions raise any alarms?
What was the reaction to the alarms like? Was the information about alarms trans-
mitted to the right responsible persons?
Actions during the crisis:
Was the crisis plan followed? How usable was it?
Were the responsibilities of the crisis management team assigned to the right people?
How successful was limiting the scope of the attack and removing the attacker?
How successful were the communications of the crisis management team? How were
the interest groups taken into account?
Recovery:
How did the recovery of critical information and services go?
Post-incident review:
Have the course of events and the investigation work been documented?
Was the technical investigation of the incident sufficient? Has it been possible to sub-
mit sufficient data on the attack for the use of the authorities, for example?
Evaluate the actions of the service providers. Were the response time and the services
that were agreed upon sufficient for the investigation of the incident?
The organisation should update its own incident response plan and more detailed playbooks
designed for combating different types of security incidents after the fact. Practicing different
scenarios at regular intervals is also recommended to ensure that you can benefit from them in
crisis situations.
The National Cyber Security Centre Finland hopes that the companies and organisations share
the most important lessons they have learned from the incident with the Centre, too. With inci-
dent reports, the National Cyber Security Centre Finland can help other organisations in Fin-
land as well as internationally to investigate similar cases. The lessons learned from recovery
help with developing the preparedness of all organisations.
14
Finnish Transport and Communications Agency
Traficom
National Cyber Security Centre Finland
PO Box 320, FI-00059 TRAFICOM
tel. +358 29 534 5000
kyberturvallisuuskeskus.fi
ISBN 978-952-311-816-4
Instructions –
Denial-of-service attack
25/2022
Contents
1 Introduction ....................................................................................................... 2
1.2 What does a denial-of-service attack mean? ................................................. 2
2 Preparation......................................................................................................... 3
2.3 Preparation and training in practice .............................................................. 4
4 Instructions ........................................................................................................ 6
4.4 Recovery .................................................................................................11
1
1 Introduction
in situations in which it is suspected that a denial-of-service attack has occurred or a denial-of-
service attack prevents normal operations. The instructions are focused on how to deal with
the special characteristics of this type of information security incident. In order to resolve the
situation completely, the organisation should maintain the incident response plan it has drawn
up in case of information security incidents and follow it.
curity breach and recover from it. It is recommended that the organisation should draw up a
separate guide for its own use that takes its technological and operational environment into
account in more detail. The project is funded by the National Emergency Supply Agency.
1.2 What does a denial-of-service attack mean?

A denial-of-service attack is an attack in which a malicious actor tries to prevent the use of a
network resource or service by disrupting its operation. The attack can be implemented by
overloading the targeted service or network traffic with extra traffic or using a vulnerability in
the service or network device. Currently most of the denial-of-service attacks are distributed,
meaning that the traffic is sent to the target simultaneously from several sources. There is of-
ten a botnet controlled by the attacker behind distributed attacks; it consists of several devices
connected to the internet that have been hijacked to be used in the attack without the
knowledge of the owners of the devices.
Denial-of-service attacks are usually carried out by overloading the target purely due to a large
traffic volume, or alternatively by sending the kind of traffic that makes the target device use
more memory or computing resources to handle the traffic than normal, in which case the vol-
ume of traffic does not need to be especially high. Attacks of this type may not cause abnor-
mal growth in the amount of traffic.
In application layer denial-of-service attacks, the target may be, for instance, a database run-
ning behind the application that is overloaded by sending large amounts of queries via the ap-
plication itself.
Today, a denial-of-service attack does not require any great technical expertise, because such
an attack can be purchased affordably as a service over the darknet, for example. Attacks are
often used for blackmail, bullying or political harassment (so-called hacktivism), in which case
the attack is usually ordered and carried out by different parties.
There are many different ways to execute the attack, but all of them have the same end re-
sult. One classic method involves the use of distributed TCP SYN flood attacks, in which a bot-
net sends large numbers of TCP SYN packages to the target while failing to send ACK pack-
ages. This leads to a situation in which the target’s TCP stack fills up with incomplete TCP
handshakes, and neither the server nor the device can accept any more new handshake re-
quests. In preparing for an attack, you should focus on combating the most common attack
methods.
2
2 Preparation
Typically, the IT service provider is responsible for correcting any disruptions in telecommuni-
cations, which means that quick recovery from a disruption requires a service level agreement
(SLA) that obliges the service provider to restore the service level quickly.
In case of a denial-of-service attack, a separate agreement for mitigating the effects in case of
an attack may be necessary. The software of the network devices and servers should also be
kept up to date, because some denial-of-service attacks exploit the vulnerabilities of software.
In addition to the agreements, duplicating the telecommunications connections as well as po-

tential backup systems must be implemented, depending on how critical the system in ques-
tion is. In case of a disruption, you should have an operating model ready that guarantees a
smooth flow of communication between the company and the service providers as well as a
definition of situation management and documentation of the situation. The people involved in
correcting the disruption must have clear roles, and the lines of investigation must be clear
and appropriate.
Organisations can assess their own readiness by using the Kybermittari (Cybermeter) cyber
security evaluation tool of the National Cyber Security Centre Finland, for instance. 1 The Na-
tional Cyber Security Centre Finland has also published separate instructions for preventing
and combating denial-of-service attacks in particular (in Finnish). 2

• Draw up an incident response plan for your organisation in case of a denial-of-service attack.
• Train the personnel on how to act during security incidents such as the ones described in the
playbook.
- Also offer basic training for regular employees, advising them on how to act if a denial-
of-service attack cripples the services of the company.
Finland. 4
security breach.
• Develop 5 an incident response plan and practice it regularly with tabletop exercises, in which
to be protected.
1
tari-cybermeter
2
https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/file/Ohje_3_2016_Palvelunestohyokkaysten_eh-
kaisy_ja_torjunta_0.pdf
3
4
5
3
• Consider establishing a security operations centre (SOC) or purchasing a similar service. The
purpose of the security operations centre is to monitor the network traffic of your company
and information security events in the systems.
• Make sure that the agreements with the service providers cover the prevention of denial-of-
service attacks.

solutions and make sure that their functionality is also tested regularly. For example, IDS
solutions (Intrusion Detection System) detect attacks and often attempt to prevent them
automatically.
• Keep the server software up to date and check that the configurations are in accordance with
the recommendations. The right configurations can mitigate the impact of denial-of-service
attacks.
• Configurations that mitigate the impact of denial-of-service attacks may include features
such as limiting the speed of individual connections (rate limiting), extending the TCP con-
nection processing queue (backlog queue), recycling incomplete TCP connections (half-open
connection recycling) or implementing SYN cookies. Find out which of these methods are the
best suited to your server environment and implement them as needed.
• The National Cyber Security Centre Finland has published a technical guide on how to defend
yourself against denial-of-service attacks (in Finnish). 6
2.3 Preparation and training in practice

One important part of preparation is practicing threat scenarios. By practicing the scenario
found in these instructions in advance, an organisation can make sure that it is ready to meet
situations like the one described. Training ensures, among other things, that the personnel of
the organisation understand what the different parts of the workflow and checklist in the in-
structions mean and they have the capability to act according to the instructions.
For instance, the scenario in this case could be a situation in which a denial-of-service attack
has crippled a critically important information system, preventing the use and operation of the
system completely.
What would your organisation do in case of an information security breach like the one de-
scribed? Practice at least the following steps of this playbook:
• Reporting the security breach and escalating the situation
• Notifying the essential service providers and other interest groups of the situation
• Deploying a backup system
• Final investigation process of the security incident
In connection with all of the steps being practiced, you should think about how the organisa-
tion leads the information security breach management, how the internal communications
work and who is the person responsible or their deputy at which stage. It is also recommended
that you study the materials of the National Cyber Security Centre Finland related to exer-
cises. 7
6
https://www.kyberturvallisuuskeskus.fi/sites/default/files/media/file/Ohje_3_2016_liite_1_Palvelunestohyok-
kaysten_tekniikkaa_puolustajille_0.pdf
7
4

A denial-of-service attack is usually detected because services stop working. Comprehensive
monitoring may also detect an attack before it affects the availability of services, due to factors
such as the rapid increase of network traffic or the consumption of resources on a server.
Some denial-of-service attacks may try to cause a malfunction in individual network devices, in
which case there may not be major changes visible in the traffic volumes. For this reason, it is
important that the operation of individual network devices is within the scope of monitoring.
Report the information security breach to the National Cyber Security Centre Finland. 8 We ad-
8
5
4 Instructions
Use the attached checklist to find measures to help you if you suspect that you have become
the target of a denial-of-service attack. The checklist helps your organisation to prioritise and
use a phased approach when investigating information security incidents.

6
7

phase is to determine the cause of the telecommunications disruption and start the mitigating or correc-
tive measures as quickly as possible.
Check the status of the serv- The aim is to determine the cause of the Ask the application server ad-
ers in the service targeted by disruption as accurately as possible. For in- ministrator to check the status
the disruption stance, if there is a problem on a website, it of the application, the logs and
may have been caused by a malfunction of the use of the server’s re-
one of the site’s background servers. A de- sources. If there are any back-
nial-of-service attack may also cause one of ground services such as data-
the background applications to crash. bases linked to the application,
they should also be inspected
separately.
Check the traffic of the ser- In many cases, a denial-of-service attack Check if the application logs
vice involved in the disruption manifests in a clear growth of traffic vol- have more received queries
in case of incidents and iden- ume. For this reason, the growth of traffic than normal, and where the
tify the type of attack volume combined with the service not queries have come from. A sud-
working may be a sign of a denial-of-ser- den increase in queries from
vice attack. It is also important to identify foreign IP addresses, for in-
the type of denial-of-service attack to make stance, may be a sign of a de-
combating it easier. nial-of-service attack.
Today, most of the denial-of-

service attacks are carried out
by using the TCP SYN flood at-
tack method. These attacks are
more difficult to detect, because
they are not visible in the net-
work server logs. They can be
detected in real time in the TCP
connection list of the servers,
however, based on the number
of ‘SYN RECV’ rows being larger
than normal.
An application layer attack usu-

ally manifests as unusual HTTP
queries in the web server log, or
alternatively as an exceptionally
large number of normal queries.
This attack is the easiest to
carry out technologically, but it
also causes the least damage to
the target.
An amplified DNS attack is also

visible as an increased number
of HTTP queries in the log, but it
causes much more damage
compared to a normal applica-
tion layer HTTP attack. The at-
tacker implements it by sending
several name servers DNS que-
ries, in which the sender’s ad-
dress has been spoofed so that
it appears to come from the or-
ganisation targeted in the at-
tack. In that case, the servers
return the response to the tar-
get of the attack, overloading it.
You can identify the attack in
logs based on HTTP responses
that do not have a correspond-
ing query.
8
Contact your IT/ICT service Often a part of the organisation’s IT infra- Report the incident to your IT or
provider structure has been outsourced to a service ICT service provider, depending
provider. The harmful traffic almost always on which service is the target of
passes through the service provider’s net- the attack. If the attack is volu-
work, in which case the service provider is metric, meaning that it is based
able to filter traffic if agreements on the is- on a large traffic volume, the
sue have been drawn up in advance. service provider can help with
stopping the attack by restrict-
ing the traffic to and from the
service with a packet washer.
Notify the partners in cooper- The security breach may cause the part- Notify the contact persons in
ation and interest groups that ners, customers and service providers risks case of crisis situations of differ-
may be affected by the inci- or problems with the availability of services. ent interest groups about the in-
dent about the information cident if you believe that it may
security breach affect the availability of their
services.
Also communicate about the in-

cident internally, especially if
the attack limits the availability
of internal services, too.
Evaluate whether you need The organisation may need help with tech- Technical measures to handle
external help to handle the nical measures, managing the security the security breach may require
security breach or not breach and organising measures. If the external expertise. Such
necessary expertise is not available within measures may include collecting
the organisation itself or from the IT service identification information and in-
providers used, you should consider getting vestigating the threat based on
external help. it.

Finland and abroad.

the footnote. 9
Report the information secu- Report the security breach to the authori- File a report of an offence about
rity breach to the authorities ties. The organisation may have an obliga- the incident with the police. 10
tion to report the security breach based on Also notify the National Cyber
regulations or the cyber insurance. Security Centre Finland 11 of the
incident to maintain situation

security of supply must notify
the authorities of any infor-
mation security incidents in
their networks and information
systems. 12
9
https://dfir.fi/
10
11
12
9

Goals of the The goal of investigating the security breach is to find out how the attack caused the disruption
phase in the service and determine in this way how to protect the organisation from similar attacks in
the future.
Identify the targets of the attack It is important to identify which part Check the log data of the server that
of the infrastructure was targeted by was targeted in the attack. If it is a
the denial-of-service attack. For ex- website server, the attack may be
ample, in case of a network service, visible as an increased number of
it is essential to find out if the attack handshakes in the log.
focused directly on a website server
or the network devices connected to If there has been a TCP SYN flood
it, for instance. attack or another lower level proto-
col attack, the investigation may be
difficult without the help of the IT
service provider.
Determine the type of attack It is important to determine the type If the attack was carried out by ex-
of attack so that the service can be ploiting a vulnerability in the target,
protected better in the future. It the target system must be updated
may involve an application layer at- to remove the vulnerability. If an
tack, such as HTTP, or a network application that the organisation has
layer protocol attack, such as TCP, ordered from a third party is in-
or the attacker may have exploited a volved, the party that provided the
software vulnerability in the target. application should be contacted to
correct the vulnerability.
In volumetric attacks, the most ef-

fective defence is traffic filtering by
the IT or ICT service provider, which
requires a separate agreement with
the service provider.
You can try to combat application

layer protocol attacks independently,
such as by restricting handshakes
based on the IP address, domain
name, the browser’s user agent or
the geolocation of the IP.
Save all logs related to the inci- The aim of collecting and storing ev- Save all log files with information
dent for later investigation idence is to guarantee a high-quality relevant to the investigation of the
investigation after the incident so security breach on a hard drive iso-
that the root causes of the incident lated from the network.
can be determined.
Evidence may be needed in connec-

tion with filing a report of an offence
and for legal proceedings.
10
4.4 Recovery
Goals of Denial-of-service attacks last for less than 15 minutes on average, but sometimes they may drag on
the phase for several hours. The operation of the services is usually restored automatically after the attack.
Check the different parts of the The denial-of-service attack may Check the status of the targeted
targeted service in case of a have caused a malfunction in the servers and network devices. Also
malfunction targeted server or network device, check that the applications function
which means that it is good to check normally.
that the servers and the applications
that run on them operate normally.
Check that the software and con- The denial-of-service attack may Review the application versions of
figuration of servers are up to have exploited a vulnerability in an the server targeted in the attack and
date application or a server, which is why update them to a newer version, if
it is good to check that the server’s necessary.
updates are up to date.
Based on the application’s logs, find
out what kind of calls the application
has received to determine which
calls may have been used as a part
of the attack.
11

• Root causes of the incident:
• What technical or functional weaknesses led to the situation?
• Effectiveness of the organisation’s own protection:
• Were the controls used to detect attacks sufficient?
• Did the attacker’s actions raise any alarms?
• What was the reaction to the alarms like? Was the information about alarms trans-
• Actions during the crisis:
• Was the crisis plan followed? How usable was it?
• Were the responsibilities of the crisis management team assigned to the right people?
• How successful was limiting the scope of the attack and removing the attacker?
• How successful were the communications of the crisis management team? How were
• Recovery:
• How did the recovery of critical information and services go?
• Post-incident review:
• Have the course of events and the investigation work been documented?
• Was the technical investigation of the incident sufficient? Has it been possible to sub-
• Evaluate the actions of the service providers. Were the response time and the services
crisis situations.
12
13
Traficom
tel. +358 29 534 5000
ISBN 978-952-311-817-1
Instructions –
Leaked IDs
Traficom Publications
22/2022
Contents
1 Introduction ....................................................................................................... 2
1.2 What do leaked IDs mean? ......................................................................... 2
2 Preparation......................................................................................................... 3
4 Instructions ........................................................................................................ 6
4.4 Recovery .................................................................................................12
1
1 Introduction
in situations in which it is suspected that IDs have leaked to unauthorised persons or parties
and that they have been exploited in a cyber attack. The instructions are focused on how to
deal with the special characteristics of this type of information security incident. In order to re-
solve the situation completely, the organisation should maintain the incident response plan it
has drawn up in case of information security incidents and follow it.
1.2 What do leaked IDs mean?
Leaked IDs are one of the most common ways attackers can use to penetrate the information
systems of your organisation. Leaked IDs are often used to gain the first foothold in attacks.
User IDs are traded on marketplaces used by criminals, and they are shared publicly as large
databases.
IDs most commonly fall into the wrong hands due to a third-party data leak, reuse of pass-
words or phishing messages. It is extremely important that the password practices of your or-
ganisation are up to date and that the personnel are trained to minimise the risks.
1.2.1 CEO fraud
In CEO fraud (business email compromise), an employee in charge of the financial transactions
of the company is deceived into paying an invoice or making another kind of bank transfer
from the company’s fund to the account of the criminals. Cyber criminals buy user IDs from
darknet markets and exploit them to log in to an employee’s email and monitor the email traf-
fic, looking for opportunities to do things like change the content of existing email threads,
such as account numbers. They can also create completely new invoices and direct the pay-
ments to their own accounts.
2
2 Preparation
Preparing for security incidents is a good way to reduce their severity and make it possible to
recover quickly and continue the business. Organisations can assess their own readiness by
using the Kybermittari (Cybermeter) cyber security evaluation tool of the National Cyber Secu-
rity Centre Finland, for instance 1. An incident response plan that has been drawn up in ad-
them out.
ing and restoration of the environment, if necessary. The National Cyber Security Centre Fin-
land has drawn up a guide on how to collect and use log data. 2 Depending on the systems
used by the organisation, comprehensive monitoring typically also requires network- and sys-
tem-level solutions in addition to this.
A common password policy of the company, imposing restrictions on login sources and multi-
factor authentication are excellent ways of preventing the exploitation of leaked IDs.

• In case of security incidents related to a data leak containing user IDs, implement an incident
response plan that has clear instructions for the personnel on what to do.
• Design a password policy for your organisation that defines the minimum requirements for a
password.
• Train the personnel to identify phishing messages.
Security Centre Finland 3. Start monitoring the news by the National Cyber Security Centre
Finland. 4
security breach.
1
tari-cybermeter
2
3
4
5
3

• Enable multi-factor authentication.
• Restrict login sources from countries in which your organisation does not do business.
• Implement identity and access management (IAM) controls.
• By using a virtual private network (VPN), you can prevent login attempts from outside the
network to the most critical systems.
• Aim to detect attacks as early as possible with different kinds of centralised monitoring so-
lutions and test their functionality regularly.
• Implement features of existing systems or purchase an information security product capable

of filtering emails with harmful content, spam and unwanted network traffic.
One important part of preparation is practicing threat scenarios. By practicing scenarios such
as the one found in these instructions in advance, your organisation can make sure that it is
ready to meet situations like the one described. Training ensures, among other things, that the
personnel of your organisation understand what the different parts of the workflow and check-
list in the instructions mean and they have the capability to act according to the instructions.
It is also recommended that you study the materials of the National Cyber Security Centre Fin-
land related to exercises. 6
One example scenario is a situation in which the IDs of one of the company’s employees have
ended up in the hands of cyber criminals. The IDs have been used to log in to email, which has
then been used to send forged invoices. The information security breach is revealed when a
partner notices that the invoices they have received contain suspicious details.
How would your organisation act in a situation like the one described? Practice at least the fol-
lowing steps of these instructions:
• Reporting the security breach and escalating the situation.
• Locking down the infected IDs and disconnecting active sessions.
• Gathering identification information of login events and log analysis.
- Is it possible to find out how the user IDs leaked?
- Which user IDs have been compromised?
• Using the identification information gathered to check other user IDs in case of infection.
• Finding out the recipients of the phishing message.
• The post-incident review process.
In connection with all of the steps being practiced, you should think about how the organisa-
tion leads the information security breach management, how the internal communications
work and who the person responsible or their deputy are at which stage.
6
4

An information security breach caused by leaked IDs can be detected in the following ways, for
instance:
• The organisation is notified about a suspicious activity or email via social media, customers,
partners or the authorities, for example.
• An alarm is sent by an information security product or a service provider.
• A threat information service issues a notification of the leaked IDs.
Report the information security breach to the National Cyber Security Centre Finland. 7 We ad-
(in Finnish). 8
7
8
5
4 Instructions
Use the attached checklist to find measures to help you when you detect an information secu-
rity breach related to user IDs. The checklist helps organisations to prioritise and use a phased
approach when investigating the security breach.

6
7

phase is to stop the malware from spreading, prevent the attackers from gaining a foothold in the network
and prepare for the start the recovery process.
Lock the user ID By locking the user ID and disconnecting Lock the user ID so that it can-
active sessions you can prevent the user not be used. Disconnect all ac-
IDs from being exploited. tive sessions.
Find out what rights the user User IDs can be exploited in different ways Find out what rights the user
IDs have depending on what rights they have. IDs have.
Find out the answers to the questions:
• Which systems can you log in to with

the IDs?
• Do the IDs have administrator rights to
systems or other user IDs?
Evaluate whether you need The organisation may need help with organ- Technical measures to handle
external help to handle the in- ising measures, managing the security the incident may require exter-
formation security breach or breach and technical measures. If your nal expertise. Such measures
not own organisation or IT service providers do may include collecting identifica-
not have the necessary expertise, you tion information and investigat-
should consider getting external help. ing the threat based on it.

Finland and abroad.

the footnote. 9
Report the information secu- Report the incident to the authorities. The File a report of an offence about
rity breach to the authorities organisation may have an obligation to re- the incident with the police. 10
port the information security breach based Also notify the National Cyber
on regulations or the terms of the cyber in- Security Centre Finland of the
surance. incident 11 to maintain situation
If personal data or other infor-

mation subject to data protec-
tion legislation (GDPR) may
have ended up in the hands of
the attacker, report the incident
to the Office of the Data Protec-
tion Ombudsman 12.

9
https://dfir.fi/
10
11
12
https://tietosuoja.fi/en/data-breach-notification
8

notify the supervisory authori-
ties about information security
breaches in network and infor-
mation systems 13.
13
9

Goals of the The goal of investigating the security breach is to determine the extent of the attack and its impact
phase on the organisation. A careful investigation ensures that the attacker no longer has access to the
system and that all compromised IDs have been brought under control again.
Identify harmful activity and Identification information is used to find in- Look for abnormalities in the
collect identification infor- fected devices and IDs. Collecting identifi- available log data to determine
mation cation information carefully and using it to if the leaked IDs have been ex-
investigate the incident is vitally important ploited.
for cleaning the environment to a sufficient
level so that the recovery can start safely. Such abnormalities may include:
• Time of the login

• Source IP address
• Version of the operating
system or browser
Verify the observations by inter-

viewing the owner of the IDs to
ensure that they did not carry
out the measures.
Save the identification infor-

mation discovered in the abnor-
malities so that you can use
them to look for other user IDs
whose information may have
leaked.
Use identification information The identification information can be used You can use centralised moni-
to find all leaked IDs to find out how far into the organisation the toring software to look for
attacker was able to penetrate. By collect- leaked IDs. The software often
ing identification information and searching offers the option of searching
for it in the target systems, it is possible to for events on terminal devices
ensure that all infected devices and identifi- by using the desired identifiers.
ers are found and cleaned.
If the organisation has also im-
plemented centralised log man-
agement, it can be used to
search for events efficiently
from several different sources at
the same time.
If neither of the solutions men-

tioned above is available, identi-
fiers should be searched manu-
ally from all terminal devices
and servers.

have attempted to cover their
tracks by disabling logging after
gaining access to a device, in
which case their activities have
left no trace. For this reason, it
is important to review identifica-
tion information collected from
all of the different sources and
use it to try and establish an
overview of the attackers’ activi-
ties.
Save all available log files and The aim of collecting and storing evidence Save log files that contain infor-
other evidence on a hard drive is to guarantee a high-quality investigation mation relevant to the investi-
isolated from the network for after the incident so that the root causes of gation of the incident on a hard
later investigation the incident can be determined. drive isolated from the network.
Also collect harmful email and
Evidence may be needed for filing a report other messages, if any.
of an offence and the court proceedings.
Aim to keep the evidence, such
If the organisation has a cyber insurance as complete disk images and
policy, the insurance company may also re- memory samples, as intact as
possible. Extract integrity
10
quire more detailed information on the se- hashes from them to ensure
curity incident as well as evidence for the this.
investigation.
Try to take samples of the mal-
ware detected and store them.
They should be handled with ex-
treme care. Professional exper-
tise is often required to store
them safely. Send the samples
to the National Cyber Security
Centre Finland. 14
Interview the user Confirm the observations by interviewing Interview the user whose user
the user that owns the leaked IDs. IDs were found to be linked to
unusual activity and try to find
The user may be able to provide infor- out why the IDs leaked.
mation on how the IDs leaked. For exam-
ple, the user may have downloaded files on
their computer, clicked a link in an email
message or opened a remote connection to
an attacker impersonating an IT support
person.
When interviewing the user, they should

not be made to feel guilty about what hap-
pened, because their actions may not have
played any part in the data leak, and the
user may not necessarily have noticed any-
thing unusual.
14
centre-finland
11
4.4 Recovery
Goals of the The aim is to regain control of all of the leaked IDs and ensure that the IDs are safe again. Operat-
phase ing models are improved so that such an incident could be avoided in the future.
Change the password of the Ensure that the login information of all of Change the password and ask
user ID the infected IDs is changed so that the at- the user to change the password
tacker can no longer use the IDs to access again themselves when they log
the organisation’s systems. in for the first time.
Deliver the new passwords to

users either verbally in person,
in a text message or by tele-
phone, but do not use email or
the instant messengers used in
the organisation, because the
attacker may still have access to
them.
Consider adding two-factor au-

thentication to administrator ac-
counts as well as the IDs that
were exploited in the attack. In
addition, monitor the IDs used
in the attack more carefully af-
ter they have been restored in
case the attacker gains control
of them again.
If it is still unclear how the at-

tacker was able to gain control
of certain IDs, consider destroy-
ing them and creating com-
pletely new IDs. In this way,
you can ensure that the attacker
cannot use this unidentified
method to gain control of the
IDs again.
Also consider issuing a new

workstation to the owners of the
leaked IDs.
Check the redirect rules of CEO fraud often involves setting redirect Check the redirect rules of email
email accounts rules for email accounts that the criminals accounts related to the leaked
can use to monitor the email traffic of the IDs and remove any harmful
organisation. rules you find.
Impose stricter login require- The exploitation of leaked user IDs can be Set the login requirements to a
ments on users restricted by imposing stricter login require- suitable level by implementing
ments. the following:
• Multi-factor authentication
• Certificate-based login
• Domain-linked terminal de-
vice or one that is otherwise
controlled by the company
• Restrictions based on the
source IP address
Evaluate the current pass- By maintaining password practices, you can Evaluate and update the in-
word practices set minimum requirements on the complex- structions related to password
ity of the password. practices.
12

• Root causes of the incident
• Effectiveness of the organisation’s own protection
• Actions during the crisis
• Recovery
• Post-incident review
crisis situations.
13
Traficom
tel. +358 29 534 5000
ISBN 978-952-311-814-0
Instructions –
Ransomware
23/2022
Contents
1 Introduction ....................................................................................................... 2
1.2 What does ransomware mean? .................................................................... 2
2 Preparation......................................................................................................... 3
4 Instructions ........................................................................................................ 7
4.4 Recovery .................................................................................................14
1
1 Introduction
in situations in which it is suspected that ransomware has caused an attack or prevents normal
operations. The instructions are focused on how to deal with the special characteristics of this
type of information security incident. In order to resolve the situation completely, the organi-
sation should maintain the incident response plan it has drawn up in case of information secu-
rity incidents and follow it.
1.2 What does ransomware mean?

Ransomware is used in cyber attacks, in which cyber criminals aim to encrypt the organisa-
tion’s data with an encryption algorithm and demand a ransom to restore the data. Criminals
often also steal confidential information and may blackmail the organisation by threatening it
with data leaks.
Criminals have found ransomware an effective way to benefit financially, because organisa-
tions unprepared for the threat are easy targets. Paying the ransom to resolve the situation is
not the right solution, however. Payment does not necessarily guarantee that the data will be
restored or even prevent the blackmail or other attacks from continuing. The attacker’s objec-
tive may also be simply to destroy the data, which means that the blackmail is just a
smokescreen. In that case, the data cannot be restored even by paying the ransom.
The right kind of preparation for ransomware attacks clearly improves the level of information
security of organisations and their resilience against ransomware as well as other potential at-
tacks. In addition to these instructions, the National Cyber Security Centre Finland has also
published instructions for the management on what to do in case of a ransomware incident. 1
1
https://www.kyberturvallisuuskeskus.fi/en/publications/what-do-case-ransomware-incident-instructions-manage-
ment
2
2 Preparation
rity Centre Finland, for instance. 2 An incident response plan that has been drawn up in ad-
them out.
ing and restoration of the environment. The National Cyber Security Centre Finland has drawn
up a guide on how to collect and use log data. 3 Depending on the systems used by the organi-
sation, comprehensive monitoring typically also requires network- and system-level solutions
in addition to this.
Immediate actions
• Draw up an incident response plan for your organisation in case of a ransomware attack.
• Train the personnel on how to act during incidents like those described in these instructions.
- Also offer basic training for regular employees advising them on how to act if a ran-
somware attacks the employee’s own terminal device.
Finland. 5
security breach.
• Consider whether your organisation should have a cyber insurance policy that may cover the
damage caused by a ransomware attack. Contact insurance companies for further infor-
mation. However, do not under any circumstances state publicly that your organisation has
a cyber insurance policy, because cyber criminals may choose such organisations as targets
of their attacks, hoping that they are more likely to pay the ransom.
Measures that support cyber security more extensively

to be protected.
2
tari-cybermeter
3
4
5
6
3
• Make sure that your organisation and subcontractors have implemented continuous vulner-
ability and update management.

the attack surface of your company and the amount of material exposed to an attack at the
same time are as small as possible.
• Install anti-malware software on terminal devices that can be used to restrict the running of
programs, investigate suspected information security breaches and isolate the computer
from the network, if necessary.
One important part of preparation is practicing threat scenarios. By practicing the scenario be-
low in advance, you can make sure that your organisation is ready to meet situations like the
one described. Training ensures, among other things, that the personnel of the organisation
understand what the different parts of the workflow and checklist in the instructions mean and
they have the capability to act according to the instructions.
For instance, the scenario in this case could be a situation in which ransomware has locked the
files of a system critical to operations while preventing the use and operation of the system.
This becomes apparent to the organisation when the system stops working. The attackers have
breached the organisation through a phishing message and managed to navigate to a critical
system via an infected workstation by taking advantage of a vulnerability in the server. The
personnel and customers overload the IT and customer support, and the pressure to restore
operations or find alternative ways to operate increases.
What would your organisation do in a situation like the one described? With the help of prac-
tice, try to assign responsibilities and allocate sufficient resources to the four parallel lines of
activities that are key to a fast recovery:
1. Returning back to the normal status (recovery).
2. Finding the root cause and preventing further damage (investigation and corrective
measures).
4
3. Workarounds/stopgap measures used during recovery and dismantling them in a con-

trolled manner after recovery.
4. Communication between the team reacting to the incident as well as the rest of the per-
sonnel, interest groups, management and the public, providing information and coordi-
nation (coordination).
Practice at least the following steps of these instructions:
• Reporting the incident and escalating the situation.
• Isolating the devices identified from the network immediately.
• Locking down the infected IDs and disconnecting active sessions.
• Ensuring the continuity of operations during the information security breach.
• Gathering identification information of the malware and log analysis.
- Is it possible to find out how and where the malware came from?
- Which user IDs have been compromised?
• Using the identification information gathered to check other servers and terminal devices in
case of infection.
• Finding out the recipients of the phishing message.
- Who have opened a harmful attachment?
• Restoring the infected systems.
- Servers and terminal devices. Use of backups.
• Final investigation process of the security incident.
In connection with all of the tasks being practiced, you should think about how the organisa-
tion leads the incident management, how the internal communications work and who is the
person responsible or their deputy at which stage. It is also recommended that you study the
materials of the National Cyber Security Centre Finland related to exercises. 7
7
5

There are two types of attacks: a ransomware attack and a wiperware attack. The effect of
both types is the same: you cannot access files or systems important for the operations of
your organisation. An attack can be detected in the following ways, for instance:
• The attacker sends a blackmail message to the target organisation, or such a message ap-
pears on the display of a workstation.
• The organisation is notified about the attack by a party outside the organisation via social
media, customers, partners or the authorities, for example.
• The organisation’s files cannot be opened from a network drive, for instance, or they are
otherwise corrupted.
• The equipment in a factory or production environment stops working without a visible or

identifiable cause.
• An information security product or service provider sends an alarm.
ation awareness and make it possible to warn other potential victims.
(in Finnish). 9
8
9
6
4 Instructions
Use the attached checklist to find measures to help you, if you suspect that you have become
a victim of ransomware. The checklist helps organisations to prioritise and use a phased ap-
proach when investigating information security incidents.

The flow chart below describes the right order of measures when investigating the incident.
The flow chart supports the use of the checklist. During the investigation, it is also crucially im-
portant to keep an accurate event log of the measures taken. The log should show the meas-
ure taken, the timestamp and the party that implemented the measure.
7
8

phase is to stop the malware from spreading, prevent the attackers from gaining a foothold in the network
and prepare for the start of the recovery process. Do not go along with the attackers’ blackmail.
Paying the ransom does not guarantee that the situation would end or that data could be restored.
Identify the infected systems The aim is to identify all of the servers and In order to identify the infected
and user IDs terminal devices to which the ransomware devices and IDs, check the in-
has managed to spread. In addition, the fected computers with your
aim is also to identify the user IDs that may monitoring products.
have ended up in the hands of the attacker.
Check the users that have
logged in to the infected de-
vices, and find out where else
they have logged in. Among
other ways, you can do this
based on Active Directory logs,
by using an endpoint detection
and response product, or based
on identity management logs.
Isolate the devices identified By isolating devices that have been identi- Isolate the devices by using the
as infected fied as infected from all data networks, it features of endpoint detection
may be possible to stop the attack from and response. If necessary, dis-
spreading. connect the network cables of
the devices.
Keep the devices on after they

have been isolated. This will
make it possible to restore
them, if the encryption keys
used by the ransomware can
still be found in their memory.
Memory-based investigation is
also an effective way to investi-
gate information security
breaches.
Identify the IDs used in the Malware is often disseminated by using IDs Investigate how the malware
attack that have extensive access rights (such as ended up in the infected devices
administrator accounts) based on endpoint detection and
response or the logs of infected
devices. All IDs that are logged
in to the infected servers and
terminal devices must be
treated as lost.
Take also account of the local

IDs and service accounts of
servers and terminal devices
that may have ended up in the
hands of the attacker.
Attackers often use tools (e.g.

Mimikatz) to steal the IDs in the
memory of a device. This means
that such IDs should be locked,
too.
Contact your IT service pro- Often a part of the organisation’s IT infra- In this phase at the latest, find
vider structure has been outsourced to a service out what parts of the IT infra-
provider. In that case, the assistance of structure of your organisation
service providers may be needed for some have been outsourced to service
of the measures related to limiting the providers.
scope of the incident.
Contact the service provider’s
contact person in case of crisis
situations. Among other things,
you may have to ask your ser-
vice provider to disconnect your
servers from networks, restore
9

can help with resolving the se-
curity incident.
dent about the information An attack against the delivery chain may cident if you believe that it may
security breach also endanger the safety of all partners. affect their data or the availabil-
ity of the services, or if there is
a chance that the malware may
spread between organisations.
You should also communicate

actively about the incident inter-
nally. If the malware has al-
ready spread widely, it may be
a good idea to instruct the em-
ployees not to turn on their
computers if possible in order to
prevent further damage.
external help to handle the in- ising measures, managing the security the incident may require exter-
formation security breach or breach and technical measures. If your own nal expertise. Such measures
not organisation or IT service providers do not may include collecting identifica-
have the necessary expertise, you should tion information, investigating
consider getting external help. the threat based on it, identify-
ing the type of ransomware, and
carrying out memory analysis of
the infected devices.

Finland and abroad.

the footnote. 10
Report the information secu- Report the security breach to the authori- File a report of an offence about
rity breach to the authorities ties. The organisation may have an obliga- the incident with the police. 11
tion to report the security breach based on Also notify the National Cyber
regulations or the cyber insurance. Security Centre Finland 12 of the
incident to maintain situation
awareness and get help. If there
is a risk that personal data or
other information subject to
data protection legislation
(GDPR) have ended up in the
hands of the attacker, report
the incident to the Office of the
Data Protection Ombudsman. 13

10
https://dfir.fi/
11
12
13
https://tietosuoja.fi/en/data-breach-notification
10

notify the supervisory authori-
ties about information security
incidents in network and infor-
mation systems. 14
14
11

phase pact on the organisation. A careful investigation ensures that malware, access rights that have
fallen into the wrong hands and potential backdoors have been removed from the environment.
Identify harmful activity and col- Identification information is collected The identification information gath-
lect identification information to make it possible to map how ered includes, among other things,
widely the infection has spread to the time when the incidents oc-
devices and how the stolen access curred, such as when a login to the
rights have been used. server occurred, or when a certain
command was run on the server.
Once attackers have gained a foot-
hold, they may use different kinds of The malware often communicates
attack methods. In fact, identifica- with the attacker’s command and
tion information should be collected control server. By studying the net-
extensively and signs of their use work traffic of infected devices or
should be studied carefully to ensure domain name resolution (DNS logs),
that the cleaning of the environment the source IP addresses or domain
can be done reliably. names used by the attacker can be
identified.
Recovery can only start after the at-
tacker has been removed from the When harmful files are identified,
environments. their hashes (MD5/SHA256) can be
extracted and used to identify harm-
ful files on other devices, too.


ten has features for collecting and
using the identification information
mentioned above. Otherwise, the
measures should be taken manually
by using a centralised log server. If
no such server is available, either,
the logs of individual servers and
terminal devices should be exam-
ined.
If the malware was originally deliv-

ered into the organisation via email
or other means of communication,
the identification information of
messages should be collected. Im-
portant information includes the
timestamps, subjects, attachments,
senders and recipients of the mes-
sages as well as their content. This
information can be used to find all of
the parties that may have received a
harmful message and whose device
has become infected by malware in
that way.
Use the identification infor- The identification information can be Identification information can be
mation to help with identifying used to find out how far into the or- used to find infected devices, such
all infected systems ganisation the attacker was able to as by using the endpoint detection
penetrate. By collecting identifica- and response features that often di-
tion information and searching for it rectly offer the option of searching
in the target systems, it is possible for events on devices based on dif-
to ensure that all infected devices ferent identifiers.
and identifiers are found and
cleaned. If the organisation also has a cen-
tralised log server, it can be used to
search for events efficiently based
12
on identifiers from several different

devices at the same time.

above is available, identifiers should
be searched separately from each
device. Different kinds of remote
control solutions can be used for the
purpose, however; they often enable
instance.

cess to a device. In that case, it may
not be possible to find all of the col-
lected identification information in
the device logs. For this reason, it is
important to aim to use a wide vari-
ety of identification information and
event sources.
Save all available log files and The aim of collecting and storing ev- Save log files that contain infor-
other evidence on a hard drive idence is to guarantee a high-quality mation relevant to the investigation
isolated from the network for investigation after the incident so of the incident on a hard drive iso-
later investigation that the root causes of the incident lated from the network. Also collect
can be determined. harmful email and other messages,
if any.
Evidence may be needed during the
criminal investigation and for the Aim to keep the evidence, such as
court proceedings. complete disk images and memory
If the organisation has a cyber in- tract integrity hashes from them to
surance policy, the insurance com- ensure this.
pany may also require more detailed
information on the security incident Aim to save samples of the malware
as well as evidence for the investi- detected. They should be handled
gation. with extreme care. Professional ex-
pertise is often required to carry it
out safely. Send the samples to the
National Cyber Security Centre Fin-
land. 15
15
centre-finland
13
4.4 Recovery
Goals of Start the recovery from the systems that are the most critical to the business. The organisation
from backups and return to normal operation. Re- Also take account of the risk that
storing the systems is done as safely previous daily (incremental) backups
as possible to ensure that the at- may already have been infected.
tacker cannot get back into the sys- When restoring old backups, keep in
tem. mind that the backup may include
the vulnerabilities that the attacker
used in the attack. You can try to
prevent the risk by restoring the
systems without a network connec-
tion and updating the operating sys-
tem and its applications before con-
necting to the network.


mated tools, because there is no
guarantee that they will be able to
clean the system completely.
Save the encrypted files or hard

drives, in case a way to decrypt
them is found later.

ware tools before connecting them
back to the network again.
sure that the system administra- all of the infected IDs is changed so IDs and start using the IDs again.
tor IDs are safe. that the attacker can no longer use
the IDs to access the organisation’s To make sure, change the password
systems. of administrator accounts and ser-
Strengthen the user login require- have fallen into the hands of the at-
ments, if possible. tackers.

message or by telephone. Do not
use the organisation’s email or in-
stant messenger, because the at-
tacker may still have access to
them.

during the attack. In addition, moni-
tor the IDs used in the attack more
carefully after the attack in case the
attacker gains control of them again.
If it is still unclear to the organisa-

tion how the attacker was able to
gain control of certain IDs, consider
tacker cannot gain control of the IDs
14
again by using the method that

could not be identified.
If the organisation uses Active Di-

rectory and it is suspected that the
attacker has gained control of the
whole domain at some point, you
also need to change the password of
your KRBTGT account twice in order
to make the golden ticket expire.
Also re-provision the certificate ser-
vices of the Active Directory in case
the attacker obtained certificates
from the certificate service that can
be used for identification.
15

• Root causes of the incident:
• Effectiveness of the organisation’s own protection:
• Actions during the crisis:
• Recovery:
• Post-incident review:
crisis situations.
16
17
Traficom
tel. +358 29 534 5000
ISBN 978-952-311-815-7
Instructions –
Supply chain attack
21/2022
Contents
1 Introduction ....................................................................................................... 2
1.2 What does a supply chain attack mean? ....................................................... 2
2 Preparation......................................................................................................... 3
4 Instructions ........................................................................................................ 6
4.4 Recovery .................................................................................................14
1
1 Introduction
in situations in which a supply chain attack is suspected. The instructions are focused on how
to deal with the special characteristics of this type of information security incident. In order to
resolve the situation completely, the organisation should maintain the incident response plan it
has drawn up in case of information security incidents and follow it.
curity breach and recover from it. It is recommended that the organisation draw up a separate
guide for its own use that takes its technological and operational environment into account in
more detail. The project is funded by the National Emergency Supply Agency.
1.2 What does a supply chain attack mean?

In a supply chain attack, the information systems of the organisation are breached via the net-
works, services, products or open source projects it uses. The attack exploits the trust of or-
ganisations in their suppliers. The attack route may involve partners, service providers, soft-
ware or devices. Attackers penetrate the supplier’s systems and infect the part used in the
supply chain with their own malicious code, after which it spreads via the normal product dis-
tribution channel to the partner and customer organisations.
The aim of a supply chain attack is to gain a foothold in different organisations along the sup-
ply chain. Once a foothold has been secured, it can be used in different kinds of further at-
tacks, such as data breaches and ransomware attacks.
Detection and management of supply chain attacks is important, because they have a major
impact on the reputation and trust of the organisation in the network. The victims of a supply
chain attack include both the supplier and the customer. Managing the situation often requires
transparency and cooperation from the parties.
2
2 Preparation
rity Centre Finland, for instance 1. An incident response plan that has been drawn up in ad-
them out.
ing and restoration of the environment. The National Cyber Security Centre Finland has drawn
up a guide on how to collect and use log data. 2 Depending on the systems used by the organi-
sation, comprehensive monitoring typically also requires network- and system-level solutions
in addition to this.

• Draw up an incident response plan for your organisation in case of a supply chain attack.
• Train the personnel on how to act during security incidents such as the ones described in
these instructions.
Finland. 4
security breach.
to be protected.
- Maintain a list of the components of the most critical systems.
• Maintain a list of the licences and software used by the organisation and their versions.
- Follow their update schedules and vulnerabilities.
• Evaluate the status of the cyber security of suppliers. By ensuring that all suppliers provide
a full description of their security measures, you can establish an idea of the safety of their
1
tari-cybermeter
2
3
4
5
3
products. You can also ask a cyber security professional to review the information provided
by suppliers to find out whether the security solutions are sufficient and appropriate.

the attack surface of your company is as small as possible.
• Protect the connections of your partners with strong encryption settings and implement
multi-factor authentication.
• Install anti-malware software on terminal devices that can be used to restrict the running of
programs, investigate suspected information security breaches and isolate the computer
from the network, if necessary.
• Centralised log management should be deployed to enable efficient detection and investiga-
tion of cyber threats.
4

Detecting an information security breach that has occurred via the supply chain may be chal-
lenging, because the attacker exploits the organisation’s trust in its partners. The intrusion is
often carried out by using the partners’ connections or infecting an application provided by
them. In that case, the attacker does not yet do anything that could be interpreted as suspi-
cious or harmful at the intrusion stage.
An attack can be detected in the following ways, for instance:
• A partner reports that they have become a victim of a cyber attack.
• An attempt is made to use the IDs of partners to log in to services they would not normally
log in to.
• An information security product or service provider sends an alarm, which is usually caused
by a trusted application.
• The organisation is notified about the attack by a party outside the organisation, such as
social media, customers, partners or the authorities, for example.
(in Finnish). 7
6
7
5
4 Instructions
Use the attached checklist to find measures to help you if you suspect that you have become a
victim of supply chain attack. The checklist helps organisations to prioritise and use a phased
approach when investigating information security incidents.

6
7

phase is to protect the critical data in the environment, stop the malware from spreading, prevent the at-
tackers from gaining a foothold in the network and prepare for the start of the recovery process.
Isolate the infected device The aim of isolating the infected device Isolate the devices by using the
from other data networks is to stop the at- features of endpoint detection
tack from progressing and protect the data and response. If necessary, dis-
in the system. connect the network cables of
the devices.
The isolation must also ensure

that the device cannot access
the internet to prevent the at-
tacker from stealing data from
the server.
Find out what connections or Many different kinds of connections can be Find out if the attack was car-
components were used in the used in a supply chain attack, such as data ried out
attack transfer, software update, system or
maintenance connections. • by using a remote connec-
tion or leaked IDs of a part-
Attacks can also be implemented by ex- ner, or
ploiting software or their components. • through a backdoor installed
in an application used by
your organisation.
Find out if the software and sys-

tems on the infected device are
up to date. Also follow the bulle-
tins of the National Cyber Secu-
rity Centre Finland, because the
attack may have exploited a
new zero-day vulnerability.
Find out which servers and You must be able to identify rapidly all Take advantage of the list of
workstations may have be- servers and terminal devices that are using your IT assets and installed
come infected in the attack the connection or component exploited in software quickly to determine
the attack, so that all devices that may where the infected application
have been infected can be isolated. or component is used.
If a remote control connection

or other integration is involved,
check the documentation to find
out where they are used and
how they can be accessed.
If, for example, the infected

component is a library that is
used by several different sys-
tems, check the applications
that are being used by going
through the list of installed soft-
ware and find out if they use the
component in question. This
may require the organisation to
contact the application supplier
directly for confirmation.
If one of the measures is not

possible without the help of the
IT service provider, go to the
next section in the instructions.
Contact your IT service pro- Often a part of the organisation’s IT infra- In this phase at the latest, find
vider structure has been outsourced to a service out what parts of the IT infra-
provider. The assistance of service provid- structure of your organisation
ers may be needed for some of the have been outsourced to service
measures related to limiting the scope of providers.
the incident. Contact the service provider’s
contact person in case of crisis
situations. Among other things,
8
you may have to ask your ser-

vice provider to disconnect your
servers from networks, restore

can give further assistance with
resolving the security incident.
dent about the information The cyber security of the partners may also cident if you believe that it may
security breach be endangered due to a supply chain at- affect the availability of their
tack. services.
If the server has had active con-

nections to other organisations,
notify them, too, so that they
can invalidate the IDs, keys or
certificates that were used on
the infected server. It is also
important that they check the
integrity of their own data.
If necessary, also notify the

other organisations in the sup-
ply chain, such as the supplier.
external help to handle the in- ising measures, managing the incident or the incident may require exter-
formation security breach or technical measures. If the necessary exper- nal expertise. Such measures
not tise is not available within the organisation include collecting identification
itself or directly from the IT service provid- information and investigating
ers, you should consider getting external the threat based on it. External
help. assistance may also be useful
with checking whether the at-
tacker was able to obtain data
important to the business, and if
so, what kind of data.

Finland and abroad.

viders via the links in the list of
references. 8
Report the information secu- If personal data may have ended up in the Submit a preliminary notification
rity breach to the Office of the hands of the attacker as a part of the data about an information security
Data Protection Ombudsman breach, the incident must be reported to breach immediately, because
the Office of the Data Protection Ombuds- you can supplement the notifi-
man without undue delay and, if possible, cation later.
within 72 hours of when the organisation
found out about the information security The controller must assess the
breach. level of risk caused by the infor-
mation security breach to the
persons targeted by it. The level
of risk determines the measures
that the controller must take
later.
Document all personal data

breaches as well as their impact
8
https://dfir.fi/
9
and the corrective measures im-

plemented. The log data from
the time of the incident affecting
the information system also fall
within the scope of the docu-
mentation obligation. The Data
Protection Ombudsman may ask
for the log data for processing
the notification of the infor-
mation security breach.
Also report the information Report the incident to the authorities. The File a report of an offence about
security breach to other au- organisation may have an obligation to re- the incident with the police. 9
thorities port the incident based on regulations or Also notify the National Cyber
the terms of the cyber insurance. Security Centre Finland of the
incident 10 to maintain situation

notify the authorities about in-
formation security breaches in
network and information sys-
tems 11.
9
10
11
10

phase pact on the organisation. A thorough investigation ensures that malware and potential backdoors
have been removed from the environment.
Identify signs of harmful activi- Identification information is collected Collect the following identification in-
ties and collect identification in- to make it possible to map how formation:
formation widely the infection has spread to
devices and how the stolen access • When the login to the server oc-
rights have been used. curred
• From which IP address the login
Once attackers have gained a foot- was carried out
hold, they may use different kinds of • At what time was a specific
attack methods. In fact, identifica- command run on the server
tion information should be collected • What the command in question
extensively and signs of their use caused on the server
should be studied carefully to ensure
that the cleaning of the environment The malware often communicates
can be done reliably. with the attacker’s command and
control server. By studying the net-
Recovery can only start after the at- work traffic of infected devices or
tacker has been removed from all of domain name resolution (DNS logs),
the environments. you can identify the source IP ad-
dress or domain name used by the
attacker.
You can extract the hashes

(MD5/SHA256) of harmful files and
use them to identify the files on
other devices, too.


ten has a functionality for collecting
and using the identification infor-
mation mentioned above. Otherwise,
the measures should be taken man-
ually by using a centralised log
server. If no such server is available,
either, you can examine the logs of
individual servers and terminal de-
vices.
Use the identification infor- The identification information can be You can use identification infor-
mation to help with identifying used to find out how far into the or- mation to find infected devices, such
all infected systems ganisation the attacker was able to as by using the endpoint detection
penetrate. By collecting identifica- and response features that often di-
tion information and searching for it rectly offer the option of searching
in the target systems, it is possible for events on devices based on dif-
to ensure that all infected devices ferent identifiers.
and identifiers are found and
cleaned. If the organisation also uses central-
ised log management, you can use it
to search for events based on identi-
fiers from several different devices
at the same time.

above is available, search for the
identifiers separately from each de-
vice. You can use different kinds of
remote control solutions for the pur-
pose, however; they often enable
instance.
11

cess to a device, in which case their
activities have left no trace. For this
reason, you should review identifica-
tion information collected from all of
the different sources and use it to
try and establish an overview of the
attackers’ activities.
Find out what connections were Servers often have active connec- If the server has active connections
active on the server tions to other systems. Such con- to other systems, find out if the con-
nections may include a database nected systems have also been
connection or different kinds of API hacked by reviewing their logs.
calls and keys. In order to determine
how serious the situation is, you Issues to check may include the size
should check as soon as possible if of database searches carried out or
these systems have also been a large number of interface calls
hacked. while the attacker was on the
server.
Find out as quickly as possible if the
connected systems have also been Change the IDs of the connected
hacked by reviewing their logs. This services, such as the database ID
will give you an overview of the used by the infected server as well
scope of the incident. as the interface keys and certificates
used for the connections.
Find out if critical data have be- As a part of the investigation, it Find out if the IDs, certificates or
come endangered should be determined whether the keys used for the connections have
attackers were able to access im- been used to log in from a place
portant data of the organisation or other than the server on which they
potentially the personal data of cus- should be used.
tomers or employees.
Find out if the attackers were able to
access and steal data. By reviewing
the database or interface logs, you
can determine if the attacker in-
tended to download information
based on the searches or the level of
overload.
Review the network device logs to

find out if there are any abnormali-
ties in the traffic of the infected
server. Unusually heavy traffic may
indicate, for instance, that the at-
tackers have stolen information.
Note that the attackers may have

edited the data in addition to de-
stroying or stealing them. The at-
tackers may also have stolen very
small amounts of data, such as IDs.
Save all available log files and The aim of collecting and storing ev- Save log files that contain infor-
other evidence on a hard drive idence is to guarantee a high-quality mation relevant to the investigation
isolated from the network for investigation after the incident so of the incident on a hard drive iso-
later investigation that the root causes of the incident lated from the network. Also collect
can be determined. harmful email and other messages,
if any.
Evidence may be needed during the
criminal investigation and for the Aim to keep the evidence, such as
court proceedings. complete disk images and memory
If the organisation has a cyber in- tract integrity hashes from them to
surance policy, the insurance com- ensure this.
pany may also require more detailed
information on the security incident Try to take samples of the malware
as well as evidence for the investi- detected and save them. They
gation. should be handled with extreme
care. Professional expertise is often
required to store them safely. Send
12
the samples to the National Cyber

Security Centre Finland. 12
12
centre-finland
13
4.4 Recovery
Goals of The recovery starts from the systems that are the most critical to the business. The organisation
Reactivate the connections and The aim is to return the partners’ re- Before activating the connections,
start the applications mote connections or software make sure that they are safe and
needed for business back to opera- that the partners have also been
tion. able to clean their own systems and
IDs.
Before activating the software, make

sure that the necessary updates to
correct the issue have been in-
stalled. If there is no update availa-
ble to correct the issue, do not de-
ploy the software and consider re-
moving it completely.
from backups and return to normal operation. Re- Take into account that the previous
storing the systems is done as safely daily (incremental) backups may al-
as possible to ensure that the at- ready have been infected. When re-
tacker cannot get back into the sys- storing old backups, keep in mind
tem. that the backup may contain the
vulnerabilities that the attacker used
during the incident. Try to restore
the systems without a network con-
nection, and update the operating
system and its applications before
connecting to the network to avoid
these risks.


mated tools, because automatic
scanners may not necessarily be
able to clean the systems com-
pletely.

ware tools before connecting them
back to the network again.
sure that the system administra- all of the infected IDs is changed so IDs and start using the IDs again.
tor IDs are safe that the attacker can no longer use
the IDs to access the organisation’s To make sure, change the password
systems. of administrator accounts and ser-
Strengthen the user login require- have fallen into the hands of the at-
ments, if possible. tackers.
message or by telephone, but do not
use email or the instant messengers
used in the organisation, because
the attacker may still have access to
them.

in the attack. In addition, monitor
the IDs used in the attack more
14
carefully after they have been re-

stored in case the attacker gains
control of them again.
If it is still unclear how the attacker

was able to gain control of certain
IDs, consider destroying them and
tacker cannot use this unidentified
method to gain control of the IDs
again.
15

start the post-incident review of the security breach and learn as much as possible about what
happened for the future. At the same time, crisis management systems should be updated
based on the observations made. The organisation may become a victim of a similar breach
again, if the root causes of the security breach cannot be determined and no lessons are
learned from it.
• Root causes of the incident
• Effectiveness of the organisation’s own protection
• Actions during the crisis
• Recovery
• Post-incident review
The organisation should update its own incident response plan and more detailed instructions
crisis situations.
16
Traficom
tel. +358 29 534 5000
ISBN 978-952-311-813-3

Instructions For Recovering From Cyberattacks

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Instructions For Recovering From Cyberattacks

Uploaded by

Copyright:

Available Formats

Instructions – Data breach

Traficom Research Reports

1.2 What does a data breach mean?

2.1 Administrative measures

• Implement continuous vulnerability and update management.

2.2 Technical measures

• Implement centralised log management to make effective detection and investigation of

3 Detecting an information security breach

An attack can be detected in the following ways, for instance:

• The system stops working or is not available.

• An information security product or service provider sends an alarm.

• The attacker tries to blackmail the organisation with stolen information.

4.1 Workflow of an information security breach investigation

4.2 Immediate measures

The isolation must also ensure

IT service providers often also

If the server has also had con-

was able to obtain data im-

The National Cyber Security

You can find Finnish service pro-

Document all personal data

The infrastructure operators and

4.3 Investigating an information security breach

Phase Purpose Measures

Authentication events related to in-

Endpoint detection and response of-

If neither of the solutions mentioned

by disabling logging after gaining ac-

Find out if the attacker was able to

Review the network device logs to

Note that even if attackers have not

If there is no suitable backup availa-

Do not try to clean an infected sys-

Check the systems with anti-mal-

Deliver the new passwords to users

Consider adding two-factor authenti-

If it is still unclear to the organisa-

If the attacker has stolen data, all of

Notify the people whose data have

5 Post-incident review of an information security breach

Root causes of the incident:

What technical or functional weaknesses led to the situation?

Effectiveness of the organisation’s own protection:

Were the controls used to detect attacks sufficient?

Did the attacker’s actions raise any alarms?

Actions during the crisis:

Was the crisis plan followed? How usable was it?

How did the recovery of critical information and services go?

Traficom Research Reports

1.2 What does a denial-of-service attack mean?

In addition to the agreements, duplicating the telecommunications connections as well as po-

2.1 Administrative measures

• Implement continuous vulnerability and update management.

2.2 Technical measures

2.3 Preparation and training in practice

• Deploying a backup system

• Final investigation process of the security incident

3 Detecting an information security breach

4.1 Workflow of an information security breach investigation

4.2 Immediate measures

Today, most of the denial-of-

An application layer attack usu-

An amplified DNS attack is also