Cybersecurity Crisis Response Plan (2/2)

In the previous blog post we defined what a crisis actually is and listed the main activities to carry out during one. However, we did not go into the rationale behind those activities or the conditions under which each of them should be taken.

Cybersecurity Crisis Response Plan (1/2)

As a reminder, here is the table of activities from the previous blog post:

| Action | Objective(s) | Operational crisis team | Priority | Deadline |
|---|---|---|---|---|
| Open an incident log book | Record actions, decisions, and events | Cyber | Critical | At t=0 |
| Contact the cybersecurity crisis management team | Set up the crisis unit | Cyber | Critical | At t=0 |
| Notify the cyber insurance provider | Financial and resource support, contain the attack | Cyber & Legal | Critical | Usually within 48h |
| Notify ENISA and CERT-FR (Cyber Resilience Act) | Legal framework | Legal | Critical (optional) | Within 24h |
| Activate network isolation | Contain the attack | Cyber | Critical | |
| Activate the crisis communication tool | Set up the crisis unit, contain the attack | Cyber | Critical | |
| Inform clients that a cyberattack is in progress | Reputation impact, safety impact | Communication | Critical | |
| Inform employees that a cyberattack is in progress | Reputation impact, contain the attack | Communication & HR | Critical | |
| Provide dedicated workstations to crisis team members | Contain the attack | IT | Critical | |
| Prevent any fund exfiltration from company bank accounts | Financial impact | Sales | High | |
| Inform shareholders that a cyberattack is in progress | Reputation impact, financial support | Communication | High | |
| Restore payroll and dependent HR systems | HR impact | HR | High | |
| Define an HR policy to support 24/7 crisis response activities | HR impact | HR | Moderate | |
| Inform third-party partners that a cyberattack is in progress | Reputation and legal impact | Communication | Moderate | |
| Notify the Data Protection Authority (CNIL) of potential data breach | Legal framework | Legal | Moderate | Within 72h |
| Alert authorities (ANSSI in France, Police, etc.) | Legal framework, limit company liability | Legal | Moderate | Within 72h |
| Secure and isolate regular backups | Contain the attack, support recovery | OT & IT teams | Not a priority | |
| Preserve traces | Support investigation, evidence collection | OT & IT teams | Not a priority | |

These initial actions form part of an overall crisis management strategy that must be adapted to each specific cybersecurity crisis. The priority ratings need to be revisited for each crisis depending on the incident. The following sections describe the rationale behind each activity to support proper prioritization.

[Figure: an image to please C-level executives]

Open an incident logbook

Ideally, the incident logbook should be opened as soon as the incident is recorded. From the very beginning, it should record all related actions, decisions, and events occurring on the information system, in chronological order.

This document will be useful for:

  • Creating a history of the incident handling process and sharing knowledge
  • Coordinating actions and tracking their progress
  • Assessing the effectiveness of actions and identifying any unintended impacts
  • Passing knowledge to the rotating teams if a 24/7 schedule is in place

This incident logbook should be editable by and accessible to all members of the crisis unit. It should not be stored on the compromised information system, where the attacker could read it. It may instead be kept on an online file-sharing platform (cloud), in the organization's incident management software or SIEM if available, or even maintained by hand on paper.

Contact the cybersecurity crisis management team

All crisis unit members involved in crisis management must be informed as soon as a crisis is declared.

The crisis management process (which differs from the crisis response process) defines the governance and the stakeholders to be contacted in the event of a cybersecurity crisis. The simplest approach is to use the usual professional communication channels (Teams, email, phone, etc.).

However, it may be wise to activate the dedicated crisis communication tool (see the relevant section below).

Notify the cyber insurance provider

The cybersecurity insurance provider can supply human resources to help resolve the crisis. Cyber crisis management experts may be mobilized as part of this support. Additionally, the organization may be eligible for financial compensation.

The cybersecurity insurance provider should ideally be contacted within 48 hours; otherwise, the insurance policy may be rendered void (depending on the specific terms of each contract).

Notify ENISA and CERT-FR (Cyber Resilience Act) - French and EU authorities

ENISA is the European Union Agency for Cybersecurity, the EU's specialized cybersecurity agency. The Cyber Resilience Act (CRA) is an EU regulation adopted in October 2024 to strengthen the cybersecurity of products with digital elements. Most of its obligations apply from December 11, 2027; the reporting obligations of Article 14 apply earlier, from September 11, 2026 (Article 71).

Under Article 14 of the Cyber Resilience Act, a manufacturer must notify any actively exploited vulnerability in a product with digital elements, as well as any severe incident having an impact on the security of the product. The notification is sent simultaneously to the CSIRT/CERT designated as coordinator in the Member State and to ENISA. For an actively exploited vulnerability the timeline is:

  • Within 24 hours of becoming aware of the vulnerability, an early warning must be issued.
  • Within 72 hours, a notification with an initial assessment and the mitigation measures taken must be provided.
  • Within 14 days after a corrective or mitigating measure is available, a detailed final report must be submitted.

Severe incidents follow the same 24-hour and 72-hour steps, with the final report due within one month of the incident notification.

Activate network isolation

One of the priorities during a crisis is to prevent the attack from spreading. To stop healthy areas from being infected by the malware causing the crisis, it may be advisable to isolate a network segment from the rest of the information system.

Isolating a network segment could prevent the attack from propagating but may have immediate consequences on the systems within the isolated perimeter (loss of services or functionality). Therefore, such a decision must be weighed against the potential business impact of shutting down a service.

The decision to isolate an IT site must be validated by the strategic crisis unit. It is also essential to have a method to reverse the network isolation to avoid creating long-term operational impacts.

The conditions for triggering network isolation are as follows:

  1. The zones to be isolated are still presumed healthy. A threat has been detected within a network perimeter, and there is a strong likelihood that it has not yet spread across the entire corporate network.
  2. A crisis management process has been initiated.
  3. The business impacts of network isolation have been presented to the decision-making crisis unit (EXCO). These impacts can be financial, operational, or reputational.
  4. The probability of containing the threat has been assessed and presented to the decision-making crisis unit (EXCO).
  5. The formal decision to activate network isolation has been made by the decision-making crisis unit (EXCO).

The network isolation process should be tested beforehand, and so should its reverse: if a network red button exists, a network green button must exist too.
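The red button / green button idea above, as an added example that is not code from the original post. It assumes the perimeter to isolate is a set of EC2 instances and that a pre-created quarantine security group (assumed id "sg-quarantine") only permits traffic from the crisis team's bastion; the instance data is a constructed sample in the shape of a `describe_instances` response. The point is the shape of the procedure: snapshot the current state first, persist that snapshot off the compromised system, apply the isolation, verify it, and rehearse the reversal before the crisis.

```python
"""Reversible network isolation (red button / green button) for an EC2 perimeter.

Added example, not from the original post. Assumes a quarantine security group
"sg-quarantine" exists and only allows the crisis team's bastion.
"""
import json
from typing import Callable, Dict, Iterable, List

GroupMap = Dict[str, List[str]]             # instance id -> security group ids
ApplyFn = Callable[[str, List[str]], None]  # side-effecting "set groups on instance"

# Constructed sample, shaped like ec2.describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0a1", "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh"}]},
        {"InstanceId": "i-0b2", "SecurityGroups": [{"GroupId": "sg-db"}]},
    ]}
]


def snapshot_groups(reservations: Iterable[dict]) -> GroupMap:
    """Record every instance's current groups BEFORE touching anything.
    This record is the green button: without it there is no clean way back."""
    rollback: GroupMap = {}
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            rollback[inst["InstanceId"]] = [g["GroupId"] for g in inst.get("SecurityGroups", [])]
    return rollback


def save_rollback(rollback: GroupMap, path: str) -> None:
    """Persist the record outside the compromised IS (e.g. a crisis team clean workstation)."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(rollback, fh, indent=2, sort_keys=True)


def load_rollback(path: str) -> GroupMap:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def isolate(rollback: GroupMap, quarantine_sg: str, apply: ApplyFn) -> GroupMap:
    """Red button: every instance keeps only the quarantine group."""
    for instance_id in rollback:
        apply(instance_id, [quarantine_sg])
    return {instance_id: [quarantine_sg] for instance_id in rollback}


def revert(rollback: GroupMap, apply: ApplyFn) -> GroupMap:
    """Green button: put the recorded groups back."""
    for instance_id, groups in rollback.items():
        apply(instance_id, groups)
    return {k: list(v) for k, v in rollback.items()}


def not_isolated(state: GroupMap, quarantine_sg: str) -> List[str]:
    """Verification: instances whose groups are anything other than [quarantine]."""
    return sorted(i for i, groups in state.items() if groups != [quarantine_sg])


def boto3_apply(region: str) -> ApplyFn:
    """The real side effect (boto3 imported lazily so the module loads without it).
    modify_instance_attribute with Groups= replaces the whole group list."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return lambda instance_id, groups: ec2.modify_instance_attribute(
        InstanceId=instance_id, Groups=groups)


def rehearsal(reservations: Iterable[dict], quarantine_sg: str = "sg-quarantine") -> dict:
    """Dry run against an in-memory fake: isolate, check, revert, check the original
    state is back. This is the test to run before a crisis, not during one."""
    live: GroupMap = {}

    def fake_apply(instance_id: str, groups: List[str]) -> None:
        live[instance_id] = list(groups)

    original = snapshot_groups(reservations)
    live.update({k: list(v) for k, v in original.items()})
    isolate(original, quarantine_sg, fake_apply)
    leaks = not_isolated(live, quarantine_sg)
    revert(original, fake_apply)
    return {"original": original, "leaks_after_red": leaks, "restored": live == original}


if __name__ == "__main__":
    print(json.dumps(rehearsal(SAMPLE_RESERVATIONS), indent=2))
```

In a real run, `snapshot_groups` is fed the live `describe_instances` output, `save_rollback` writes the record somewhere the attacker cannot reach, and `isolate`/`revert` are called with `boto3_apply(region)` instead of the fake. The same split (snapshot, apply, verify, revert) applies to on-premises firewalls or switch ACLs; only the `apply` function changes.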

Activate the crisis communication tool

As soon as a cybersecurity crisis is declared and there is suspicion that the attacker has compromised communication systems or workstations, the use of a secure, isolated crisis communication tool should be considered.

A dedicated communication tool for cyber crisis situations is highly valuable when an attacker has escalated privileges far enough to compromise the usual channels such as Teams or Outlook. In that situation the attacker could read the crisis unit members' messages, staying one step ahead and adapting the attack in response to defensive actions, or render these tools unavailable and disrupt the organization's ability to respond effectively and in a coordinated manner.

This implies that the directory of crisis unit members' contact details held in the dedicated tool must be kept up to date.

Inform clients that a cyberattack is in progress

The primary objective is to protect clients by providing them with the information necessary to take appropriate actions in response to the risks. By acting with transparency, the organization reinforces client trust and demonstrates its commitment to security.

The goal is also to minimize legal and reputational impacts related to the incident. It involves informing clients about the security of the product following the cyberattack, particularly when the organization has a service quality obligation (SLA) toward its clients.

It is important to inform clients as soon as possible about the unavailability of the services they subscribe to or, where the product itself is affected (vehicles, in the automotive case), about its safety following the cyberattack.

All communications must be validated by the cybersecurity team for the technical content and by the commercial/sales teams for client relationship considerations.

A directory containing client contact information should be resilient enough to be available during a cyberattack.

Inform employees that a cyberattack is in progress

The primary objective is to inform employees about the situation to prevent any further spread of the threat. It is also important to reassure employees regarding the HR implications of such an attack.

Employees should be informed as soon as possible about the potential propagation of the threat. They play a crucial role in preventing the threat from spreading across workstations and different environments (DEV, PROD, etc.) and business units.

It is also important to remind employees that support services will not operate at their usual speed. Additional communications should be planned to keep employees updated on the evolution of the crisis (service restoration, payroll processing, site reopening, etc.).

The first communication should be meant to alert employees as soon as the crisis impacts are felt. All messages must be validated by the cybersecurity team for technical accuracy and by the HR team to address employee concerns.

A specific communication should be issued to employees working in financial control, instructing them to limit access to company bank accounts from corporate PCs to prevent fund theft.

A directory containing employees and contractors contact information should be resilient enough to be available during a cyberattack.

Provide dedicated workstations to crisis team members

It is highly likely that the attacker compromised at least one workstation to gain a foothold. Once malware is deployed across the network, there is a strong chance that most workstations are incapacitated. Without functioning workstations, the organization would struggle to respond to the crisis effectively and in a coordinated manner.

The attacker could also read messages from the crisis teams, allowing them to stay one step ahead and adapt the attack in response to defensive actions.

As soon as a cybersecurity crisis is declared and there is suspicion that numerous workstations have been compromised, it is advisable to provide clean workstations that are disconnected from the corporate Active Directory.

Priority should be given to supplying these clean workstations to the teams responsible for crisis management. There is nothing preventing a return to the usual workstations once they have been sanitized.

Allowing employees to sign in to their O365 accounts from a device the company does not manage is both a risk and a blessing in this situation. It is a risk because the company has no way to attest to the device's security posture, which opens the door to all sorts of data leaks. It is a blessing because it lets employees keep working as part of the business continuity plan (BCP).

Prevent any fund exfiltration from company bank accounts

The vast majority of cyberattacks are financially motivated. The attacker’s goal is often to encrypt company data and demand a ransom in exchange for the decryption key.

Some attacks are used as a smoke screen to exfiltrate funds from the company’s bank accounts. It is therefore essential to protect banking credentials to prevent any possible fund exfiltration, especially if the workstations of the financial control teams have been compromised.

As soon as a cybersecurity crisis is declared and there is suspicion that workstations have been compromised, a specific communication should be issued to employees in financial control, instructing them to limit access to bank accounts from corporate PCs (see the section on employee communications).

Inform shareholders that a cyberattack is in progress

The main objective is to alert shareholders about potential impacts on ongoing projects and the organization’s resilience. By acting with transparency, the company reinforces shareholder trust and demonstrates its commitment to security.

It is important to inform shareholders as soon as possible about service outages, customer impacts, and potential legal and financial consequences. However, priorities must be maintained: contacting a CERT and containing the crisis remain the top priorities.

The communication should be issued as soon as the crisis impacts are felt. All messages must be validated by the cybersecurity team for technical accuracy and by the commercial teams for client relationship considerations.

Restore payroll and dependent HR systems

Some IT systems have high availability requirements that the attack may disrupt. Among these critical systems are HR systems, particularly payroll. Restoring payroll is part of the overall effort to rebuild the IT infrastructure that has been compromised.

When a cybersecurity crisis is declared and there is suspicion that workstations and payroll systems have been compromised, the objective is to restore these systems before the end of the month to avoid impacting employee finances.

Define an HR policy to support 24/7 crisis response activities

A crisis can last several weeks and will place significant strain on support teams involved in the response (IT, OT, cyber, customer support, legal, etc.). It is therefore necessary to protect and relieve these teams so they can focus on priority actions.

Every day that employees are unable to work represents a loss for the organization. It is therefore important to restore services to clients and employees as quickly as possible. Implementing a 24/7 rotation among the crisis management teams can be effective. This allows the attack to be contained more quickly, minimizing the overall impact, and this exceptional arrangement can provide a return on investment.

Many factors must be considered to facilitate their work, including team organization and management, working hours (non-business vs. business hours), rotations, catering or accommodation services, compensation, and meeting rooms.

The rotation of crisis management teams should be organized by HR. The sooner this rotation is implemented, the sooner the teams can operate efficiently and the crisis can be contained.

Employment contracts should be prepared in advance by HR so that the relevant clauses (on-call duty, overtime, night and weekend work) can be activated in a crisis.

Inform third-party partners that a cyberattack is in progress

The main objective is to protect partner infrastructures by providing them with the information needed to take appropriate measures against the potential spread of the threat. By acting with transparency, the organization reinforces partner trust and demonstrates its commitment to their security.

It is important to communicate with partners as soon as possible about the potential spread of the threat. It is also important to remind them that the organization will not operate at its usual responsiveness. However, priorities must be maintained: contacting a CERT and containing the crisis remain the top priorities.

The communication should be issued as soon as the crisis impacts are felt. All messages must be validated by the cybersecurity team for technical accuracy and by the commercial/sales teams for relationship management.

A directory containing third-party partners contact information should be resilient enough to be available during a cyberattack.

Notify the Data Protection Authority (CNIL) of potential data breach - French authorities

A notification of a personal data breach to the CNIL is intended to ensure GDPR compliance in the event of a security incident affecting personal data. The goal is to inform the competent authority quickly and, if necessary, the individuals concerned, in order to minimize impacts on their rights and freedoms. The organization has a legal obligation to make this notification.

For a personal data breach to occur, two conditions must be met:

  1. Personal data processing must have been implemented (e.g., customer data, employee data).
  2. The data must have been subject to a breach (loss of availability, integrity, or confidentiality of personal data, whether accidental or unlawful).

The notification must be submitted to the CNIL as soon as possible after the breach is detected if it presents a risk to individuals’ rights and freedoms.

If it is not possible to provide all required information within this time-frame due to ongoing investigations, a two-step notification can be performed:

  1. An initial notification within 72 hours, if possible, after the breach is detected. If the 72-hour deadline is exceeded, the notification must explain the reasons for the delay.
  2. A supplementary notification once additional information becomes available.

Alert authorities (ANSSI, Police, etc.) - French authorities

Filing a complaint with the authorities is necessary to assert the organization’s rights with various insurers. Certain authorities may also provide human or technical resources to assist in managing the crisis (e.g., ANSSI).

Filing a complaint triggers an investigation and helps limit the organization’s liability if the attack spreads to other victims. It is essential to file the complaint within 72 hours of discovering the attack.

This deadline is set by Article 5 of the French law of January 24, 2023 d'orientation et de programmation du ministère de l'Intérieur (LOPMI), which, since April 24, 2023, requires professionals to file a complaint within 72 hours of becoming aware of a cyberattack in order to be eligible for compensation from their insurer, provided their contract covers it.

This requirement applies to all professionals (natural and legal persons) whose insurance contracts are governed by the French Insurance Code. All types of cyberattacks are concerned.

The complaint should be filed as soon as an impact is detected. It may also be useful to file a complaint if a cyberattack attempt is detected, though the practical benefit may be smaller.

A legal representative of the organization must file the complaint in person at a police station, as online filing for cyberattacks is not currently available (as of October 2025). If the legal representative cannot appear in person, they should provide a copy of their ID, a company registration certificate (extrait Kbis), and a dated and signed authorization.

Source: France Num – How to file a complaint in case of a cyberattack

Secure and isolate regular backups

Backups are essential for restoring systems that have been compromised. The organization should maintain immutable backups for its critical information systems, so that an attacker who has compromised the infrastructure cannot delete or alter them. For example, AWS Backup Vault Lock in compliance mode turns a backup vault into write-once, read-many (WORM) storage: once the short grace period after locking has passed, nobody, including the account's own administrators, can shorten the retention or delete the recovery points.

Take backups with a retention period of four weeks. If the attacker encrypts the infrastructure, the scheduled AWS Backup jobs keep running and keep creating recovery points of the now-encrypted systems, while the clean recovery points age out one day at a time. After four weeks, only backups of encrypted systems remain. The backup schedule must therefore be stopped (or the clean recovery points copied to a separate vault) before this happens.

The attacker could also schedule the deletion of the key that encrypts the backups, rendering them unusable. For an AWS customer managed key, AWS KMS imposes a waiting period of 7 to 30 days (30 by default) before a scheduled deletion takes effect, during which the deletion can be cancelled; a customer managed key can only be scheduled for deletion, never deleted immediately, and AWS managed and AWS owned keys cannot be deleted at all (see the AWS KMS documentation on deleting keys). Checking every key for the PendingDeletion state is therefore part of securing the backups.

In practice, isolating the backups and stopping the overwrite cycle must be done within one week of the crisis, which leaves at least three weeks of daily clean backups intact.

Testing the backups is essential to ensure everything is backed up to allow rebuilding the infrastructure. Testing the restoration process is essential to ensure an efficient and parallelized restoration.
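The three checks described above (is the vault really immutable, is a key pending deletion, how many days of clean backups remain) as an added example that is not code from the original post. The functions work on boto3-shaped responses so they can be run offline; the vault and key records below are constructed samples, the "today" date is assumed, and `live_assess` shows the same checks against a real account.

```python
"""Crisis-time checks on AWS Backup and KMS state.

Added example, not from the original post. Field names follow the boto3 responses of
backup.describe_backup_vault and kms.describe_key; the samples are constructed.
"""
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional

NOW = datetime(2025, 10, 8, tzinfo=timezone.utc)  # assumed "today" for the samples

# Constructed describe_backup_vault() responses.
SAMPLE_VAULTS = {
    "prod-compliance": {"BackupVaultName": "prod-compliance", "Locked": True,
                        "MinRetentionDays": 28,
                        "LockDate": datetime(2025, 1, 15, tzinfo=timezone.utc)},
    "prod-governance": {"BackupVaultName": "prod-governance", "Locked": True,
                        "MinRetentionDays": 28},
    "dev": {"BackupVaultName": "dev", "Locked": False},
}
# Constructed describe_key()["KeyMetadata"] responses.
SAMPLE_KEYS = [
    {"KeyId": "k-backups", "KeyManager": "CUSTOMER", "KeyState": "PendingDeletion",
     "DeletionDate": NOW + timedelta(days=6)},
    {"KeyId": "k-other", "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    {"KeyId": "k-aws", "KeyManager": "AWS", "KeyState": "Enabled"},
]


def vault_is_immutable(vault: dict, now: datetime) -> bool:
    """Vault Lock in compliance mode: Locked and LockDate already passed.
    No LockDate means governance mode (an admin can still remove the lock);
    a future LockDate means the ChangeableForDays grace period is still running."""
    lock_date: Optional[datetime] = vault.get("LockDate")
    return bool(vault.get("Locked")) and lock_date is not None and lock_date <= now


def keys_pending_deletion(keys: List[dict], now: datetime) -> List[dict]:
    """Customer managed keys scheduled for deletion, with the days left to cancel
    via kms.cancel_key_deletion(KeyId=...). AWS managed keys cannot be deleted."""
    return [{"KeyId": k["KeyId"], "days_left": (k["DeletionDate"] - now).days}
            for k in keys
            if k.get("KeyManager") == "CUSTOMER" and k.get("KeyState") == "PendingDeletion"]


def clean_backups_left(retention_days: int, compromise: date, today: date) -> int:
    """Days of pre-compromise recovery points still inside the retention window.
    Each day the oldest clean point expires while new points of encrypted systems appear."""
    return max(0, retention_days - (today - compromise).days)


def stop_backups_by(retention_days: int, compromise: date, keep_days: int) -> date:
    """Latest date to stop the schedule while keeping keep_days of clean points.
    Four-week retention, three weeks to keep: one week after the compromise."""
    return compromise + timedelta(days=retention_days - keep_days)


def assess(vaults: Dict[str, dict], keys: List[dict], now: datetime) -> dict:
    return {
        "mutable_vaults": sorted(n for n, v in vaults.items() if not vault_is_immutable(v, now)),
        "keys_to_rescue": keys_pending_deletion(keys, now),
    }


def live_assess(region: str) -> dict:
    """Same checks against a real account (boto3 imported lazily)."""
    import boto3
    backup = boto3.client("backup", region_name=region)
    kms = boto3.client("kms", region_name=region)
    vaults = {v["BackupVaultName"]: backup.describe_backup_vault(BackupVaultName=v["BackupVaultName"])
              for v in backup.list_backup_vaults()["BackupVaultList"]}
    keys = [kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"] for k in kms.list_keys()["Keys"]]
    return assess(vaults, keys, datetime.now(timezone.utc))


def demo() -> dict:
    """Offline run on the constructed samples, with a compromise assumed on 2025-10-01."""
    compromise = date(2025, 10, 1)
    return {**assess(SAMPLE_VAULTS, SAMPLE_KEYS, NOW),
            "clean_days_left": clean_backups_left(28, compromise, NOW.date()),
            "stop_by": stop_backups_by(28, compromise, keep_days=21).isoformat()}


if __name__ == "__main__":
    print(demo())
```

A vault that shows up in `mutable_vaults` is one the attacker (or a compromised administrator) can still empty, and a key in `keys_to_rescue` must be rescued with `cancel_key_deletion` before `days_left` reaches zero.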

Preserve traces

To support incident response and investigations, it is essential to prioritize preserving the oldest possible logs and to increase their retention and verbosity. The more activity traces from the attacker that the investigation teams have, the more effective the threat eradication will be.

In addition to being crucial for understanding the incident, preserving evidence may be necessary to respond to law enforcement in the event of legal proceedings.

Preserving logs is not the highest priority, as they are normally already retained for a certain period. However, it is important to secure them before they are overwritten if the workloads continue to generate new logs.

Logs from compromised machines are generally already preserved, as these machines are either idle or powered off. Note, however, that powering a machine off discards its volatile state (memory, live network connections, running processes); if a memory capture is needed for the investigation, isolate the machine from the network instead of shutting it down. If the logs are already exported to a SIEM or a centralized logging system, it is not necessary to export them again or to increase their retention on the source machines.

To preserve logs from IT equipment, it is necessary to:

  1. Identify the security equipment within the information system, such as: firewalls, VPN gateways, proxy servers, antivirus and EDR consoles, etc.
  2. Export the logs
  3. Increase log retention
  4. Configure the logs to capture the most detailed information possible

To preserve authentication logs:

  1. Export the Security event logs of the Active Directory domain controllers (authentication events)
  2. Increase the retention period (maximum log size, no overwrite) for these logs
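The "export the logs" steps of both procedures above end with files that must be kept intact for the investigation and, possibly, for law enforcement. The following added example (not code from the original post) copies such exports into an evidence directory, hashes source and copy, writes a chain-of-custody manifest, and re-verifies it later. It assumes the exports are plain files, such as an .evtx produced by `wevtutil epl Security Security.evtx` on a domain controller or a firewall syslog archive; the log lines in the sample are constructed, and `export_windows_channels` only does something on a Windows host.

```python
"""Preserve traces: evidence copy, hashing, manifest and re-verification.

Added example, not from the original post. The sample log lines are constructed.
"""
import hashlib
import json
import platform
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Iterable, List

SAMPLE_LOG_LINES = [  # constructed, not real traffic
    "2025-10-01T02:14:07Z fw01 deny src=10.0.5.23 dst=203.0.113.9 dport=445",
    "2025-10-01T02:14:09Z fw01 deny src=10.0.5.23 dst=203.0.113.9 dport=445",
    "2025-10-01T02:15:41Z fw01 allow src=10.0.5.23 dst=198.51.100.77 dport=443",
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def export_windows_channels(channels: Iterable[str], dest: Path) -> List[Path]:
    """On a Windows host, export event log channels to .evtx with the built-in wevtutil.
    Returns [] elsewhere so the rest of the workflow can run anywhere."""
    if platform.system() != "Windows" or shutil.which("wevtutil") is None:
        return []
    dest.mkdir(parents=True, exist_ok=True)
    exported = []
    for channel in channels:
        target = dest / (channel.replace("/", "_") + ".evtx")
        subprocess.run(["wevtutil", "epl", channel, str(target)], check=True)
        exported.append(target)
    return exported


def preserve(sources: Iterable[Path], evidence_dir: Path, collector: str) -> dict:
    """Copy each source (never overwriting), hash both sides, write manifest.json."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dst = evidence_dir / src.name
        if dst.exists():
            raise FileExistsError(f"refusing to overwrite evidence: {dst}")
        shutil.copy2(src, dst)  # copy2 keeps the original modification time
        digest = sha256_file(src)
        if sha256_file(dst) != digest:
            raise IOError(f"copy of {src} does not match its source")
        entries.append({"name": dst.name, "source": str(src), "sha256": digest,
                        "size": dst.stat().st_size})
    manifest = {"collected_at": datetime.now(timezone.utc).isoformat(),
                "collector": collector, "host": platform.node(), "files": entries}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    return manifest


def verify(evidence_dir: Path) -> List[str]:
    """Re-hash every file in manifest.json; return the names that no longer match."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text(encoding="utf-8"))
    return [e["name"] for e in manifest["files"]
            if not (evidence_dir / e["name"]).exists()
            or sha256_file(evidence_dir / e["name"]) != e["sha256"]]


def demo() -> dict:
    """Self-contained run on a constructed log file in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    src = root / "fw01.log"
    src.write_text("\n".join(SAMPLE_LOG_LINES) + "\n", encoding="utf-8")
    case_dir = root / "case-0001"
    manifest = preserve([src], case_dir, collector="crisis team")
    intact = verify(case_dir)
    (case_dir / "fw01.log").write_text("altered\n", encoding="utf-8")  # simulate tampering
    return {"files": len(manifest["files"]), "sha256": manifest["files"][0]["sha256"],
            "intact_before": intact, "changed_after_tamper": verify(case_dir)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On the domain controllers themselves, the retention step of the procedure is a separate command (`wevtutil sl Security /ms:<bytes> /rt:true` raises the Security log's maximum size and stops it from overwriting old events); the manifest produced here is what gets handed over with the exported files.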