Cyber attack response planning: Train until your plan becomes a reflex. Takeaways from the Beltug N-sight of 10 Dec 2020


At the moment of a cyber threat, it is too late to think about what to do: you need to know what to do. Cyber attacks are not only increasing but becoming more innovative, and that spells danger. It isn't enough to have a plan in your security strategy; you need to be ready to roll when the moment hits.


In our N-sight, we heard from Orange Cyberdefense about the cyber attack lifecycle and how to prepare for it. Then Telenet Business explained cyber resilience. Both speakers agreed that the question isn't 'if' you will get attacked, it is 'when' – so while prevention is important, defending and recovering are paramount! Finally, we heard about Coordinated Vulnerability Disclosure Policies and 'bug bounties' from the Centre for Cybersecurity Belgium, which has prepared guidelines on best practices and legal aspects.


Presentations from the speakers and a recording of the event are available to our members (after log-in).



Cyber attacks: prepare or defend (or both)?


Belgium is a small country, so we tend to think incidents won't happen to us. Steve Bielen, Cyber Security Advisor at Orange Cyberdefense, confirmed that the contrary is true, and that the impact of a cyber attack can be enormous. It will certainly have financial consequences, but in other cases, such as when a hospital is attacked, it can cost lives. And Covid-19 isn't helping: with everyone working from home, internet traffic is often unrestricted and unmonitored.


Since you know that your company will be subject to cyber attacks, keep in mind: you won't be judged for being breached, but you will certainly be judged for not being prepared (slide 7).


Today's reality is one of lengthy response times to incidents and 'reactive hunting': we only start reacting once an anomaly is spotted. Steve pleads for budgets to be allocated to a proactive approach as well (slide 12).


To do this, you need to know what you're up against. Steve took us through the cyber attack lifecycle (slides 24-29).

  • 'Recon' phase: who are the targets within the company? How easy are these people to reach and attack? What public data is available for the cyber criminal to use?
  • 'Weaponise' phase: what is the path of least resistance within your organisation, and what content do your clients expect to see from you?
  • 'Delivery' phase: e-mail certainly remains the most effective delivery method for malware, but other channels include social media or physical drops.
  • 'Exploit' phase: how can the cyber criminal run their malicious code, and how can they avoid detection? Importantly, this is the phase where you have the most ability to defend yourself: with e-mail security, firewalls, proactive log management, etc.


With this attack lifecycle in mind, we are ready to build our cyber attack response plan. The goals:

  • Optimise company response to incidents
  • Minimise downtime and impact
  • Find root cause
  • Improve defences


Building the plan starts with your capabilities (slides 33-44).



What is a cyber attack response plan, and why do you need one?


Willem Janssens, Cybersecurity Expert at Telenet Business, started by stating that your cyber attack response plan isn't only about cyber security. It's about being cyber resilient: being ready for when something happens, so that your business can continue even under a constant flood of cyber attacks.


'Everybody has a plan, until they get punched in the mouth': this quote from Mike Tyson applies as much to cyber security as it does to boxing. You think you have a plan, until you get a cyber punch in the mouth. And the analogy goes further: train until your plan becomes a reflex, so you don't need to think about what to do, because you already know.


A solid plan, Willem emphasises, is based on 4 key principles (slide 5):

  • logging
  • plan b(ackup)
  • involvement
  • uniqueness


When looking at the build-up of such a plan, there are several crucial elements:

  • preparation
  • identification
  • containment
  • eradication
  • recovery
  • lessons learned


The most important of these elements is preparation. Map exactly what it is you are protecting: your activities, your IT systems, etc. Know how everything works, from the network and devices to the service links and the accounts. 'Who does what?' is also vital to your preparation, covering all the various roles and responsibilities in case of an incident. Finally, define how you will communicate with the different stakeholders. Keep in mind that this will depend on the type of incident.


Don't forget your legal requirements, towards official entities and towards your insurance company. And last but not least: investigate the visibility you have on people, processes and technology.


For the other elements (slides 8-13), Willem explained that containment is about both stopping the attack and understanding it. When it is time for eradication, you are cleaning up the mess – and fixing the flaws in your system. The recovery phase is often a balance between time, effort and budget. Make a list of lessons learned, starting from these questions:

  • How did we perform as a team?
  • Did we have all tools in place?
  • Were we prepared for this?
  • Could we have prevented this?
  • Can we detect this faster?
  • And keep in mind similar incidents will happen! So use the available information to accelerate future response.


Willem wrapped up with these 3 points about cyber resilience:

  • It’s a team effort
  • Be prepared for 'the punch in the mouth'
  • Learn to improve


Promoting the adoption of a CVDP or bug bounty


Valéry Vander Geeten, Legal Officer and DPO at the Centre for Cybersecurity Belgium (CCB), finished off the event with a brief introduction to the guide the CCB has recently published on Coordinated Vulnerability Disclosure policies and bug bounty policies. A CVDP or bug bounty programme can have many benefits (slide 5). The CCB recommendations were developed in collaboration with ethical hackers and with the federal prosecutor's cyber crime unit. The first part of the guide covers good practices; the second part covers the legal aspects. The CCB's team can act as the coordinator to help with your bug bounty programme. Beltug's Debate Room on 21 January will elaborate further on the CVDP programme.


