Crisis management

Anticipating a cyber crisis: who does what in the crisis unit?

What is a crisis unit? How should roles be allocated? How to adapt the crisis unit to the nature of the incident?
8 min

In our “Anticipating a cyber crisis” series, find the best advice and feedback from HarfangLab experts, as well as from CISOs and other players in the cyber ecosystem. The aim is to capitalize on experience in the field to enrich everyone’s knowledge. In this article, read the testimonials of Jean-Sylvain Chavanne, CISO at Brest Regional University Hospital, and Pierre-Yves Amiot and Léna Jakubowicz, respectively CXO and Pre-Sales at HarfangLab.


What is a cyber crisis unit?

The crisis unit is the team that organizes a company’s crisis management, both in terms of cyber remediation and business actions. It clearly defines roles in the event of a crisis, and ensures coordination between the various levels. It is essential in any company, whatever its size. While many tasks can be outsourced in the event of a cyber crisis, the crisis unit cannot: only management teams can arbitrate and take decisions that commit the company. As the human factor is decisive, giving each person a clear role and precise tasks, and allocating the necessary resources, enables the right people to be mobilized in record time. Because in the event of a crisis, you need to demonstrate formidable collective intelligence in a very short space of time.


Identify and document the roles of your cyber crisis units

Define roles according to your crisis scenarios

You’ll be able to allocate roles in your crisis units according to the nature of the crisis your company is facing. What are the probable and potentially serious risks for your company? The preliminary cyber risk analysis will enable you to define possible hazard scenarios and their impact. Based on this analysis, you will then have different procedures, in which the decisions to be made and the stakeholders involved are not the same. For example, if your scenario is an information leak, your company’s Legal Department needs to be involved in the crisis unit, as it has to contact the CNIL, then inform the unit’s coordinator of its actions.

Distinguish between strategic and operational units

In general, there are two distinct types of crisis unit: the strategic or decision-making unit, and the IT and cyber operational unit. Crisis cells therefore mobilize people who are both responsible for IT infrastructures and security, and those responsible for the organization’s business activities.

The strategic, decision-making or institutional crisis unit must bring together the company’s strategic functions: General Management, Communications Department, Legal Affairs Department, Information Systems Department (DSI and/or RSSI), business departments to be called upon as required (HR, finance, etc.). His/her missions are :

  • Identify business impacts
  • Organize response, strategic decisions, legal decisions (CNIL, ANSSI, etc.) and communication actions.
  • Validate remediation with the operational unit on the basis of the latter’s feedback

The IT and cyber operational crisis unit includes key experts capable of providing guidance and remediation. It brings together cyber/IT managers (SOC Manager, Infrastructure Manager, etc.), cyber/IT experts and support functions. The crisis organization in place is as efficient as possible, and is not necessarily the same as day-to-day operations. Its missions are :

  • Coordinate actions defined by the strategy unit
  • Guiding decisions through feedback
  • Carry out investigation, remediation and reconstruction actions

An operational business unit may be activated depending on the stakes of the crisis. HR, legal, communications, logistics – the department concerned depends on the needs of the crisis. Its mission is to carry out the actions defined by the strategic unit.

Save and share this information

Once you’ve identified the members of the crisis units according to your scenarios, you need to inform them of their roles and define their areas of action. Record their contact details in a directory, duplicated in two different environments. During a crisis, you probably won’t have access to your usual information systems, so you’ll need to set up a system to access this information in downgraded mode.

Léna Jakubowicz, Pre-Sales at HarfangLab

“When defining these parameters, remember to guarantee the agility of crisis cells: make sure there aren’t too many participants, so as not to hamper the cell’s responsiveness. Also, each member must have a sufficient level of autonomy in his or her field, so as not to slow down the cell with lengthy validation processes.” 

Assign clear tasks to the various parties involved (CISO, CIO, PR, etc.).

Within the strategy unit, you can appoint :

  • A crisis manager: defines and directs the crisis management strategy
  • An information management manager: shares information between the various units
  • A crisis management manager: coordinating meetings and monitoring actions

Pierre-Yves Amiot, CXO at HarfangLab

“It’s crucial that the person in charge of information management keeps the crisis cell operational. There’s nothing worse for technical teams than receiving requests from all sides. As soon as the crisis takes hold, and lasts, reminders and over-solicitations could interfere with the management of the crisis itself: the person in charge of information management has to keep the people involved as well as possible.

Who can play this role? You need someone who understands the technical side of things, and who can at the same time convey the information in a straightforward way to the management team. This role can be filled by the company’s CISO. As for the crisis manager, this is often the CIO, who may be supported by the CISO, or the CISO himself. It depends on each organization, and on the CIO’s technical level.” 

Designate a single person to deal with the press: this could be the head of public relations, markSMBng, communications, or the head of information management in your unit. The most important thing is that this person should be familiar with the subject of the cyber crisis, and be able to provide accurate and relevant information. If this is not the case, a “flop” can happen very quickly, and can even trigger an over-crisis… That’s why many strategic units call on a media training service to help them avoid failures.


Chronology of a cyber crisis at Brest University Hospital

On Thursday March 9, 2023, the IT teams at Brest Regional University Hospital received a notification that the hospital’s information system was likely to fall victim to an intrusion. Jean-Sylvain Chavanne, CISO, explains how he organized his crisis teams to deal with the early stages of this cyberattack.

When the incident was detected, at 8.50pm on Thursday March 9, we convened a mini-crisis cell with the ISD, the on-call manager and myself. We immediately contacted the hospital authorities: General Management, and the President of the healthcare workers’ representative.

At 10.30pm, we decided to cut off the hospital’s Internet connection, as we felt the impact could be very significant: from the moment we saw traces of Mimikatz and Cobalt Strike on several workstations, we decided to pull the rug out from under the attacker to avoid a wider incident, including access to the Active Directory.

That same evening, we set up 3 mini-crisis cells, working all night until 6am.

  • A crisis unit in charge of investigating the traces we have, i.e. carrying out the famous ANSSI ORCs on the various servers affected. ORC: ANSSI software available on GitHub, which can be used to record traces on a server or workstation, and then process and investigate them locally.
  • A crisis unit dedicated to Active Directory, tasked with determining whether the attackers have managed to get their hands on Active Directory, and with reinforcing all configurations, to save everything that can be saved. In this cell, there are two ANSSI agents, and two system administrators on our side.
  • A third crisis unit, this time made up of the business units. They are tasked with identifying the impact of an Internet outage, and defining the procedures for continuing business in downgraded mode, to be implemented the following morning.

On D+1, i.e. Friday March 10, we reorganized the crisis cells into two large cells: an institutional cell, of which I was a member, and a technical cell from the ISD.

The IT department’s technical team is in charge of setting up procedures in degraded mode to try and get things running as smoothly as possible.

The institutional unit is responsible for assessing the impact on the business and prioritizing the systems to be brought back into service. It is also responsible for triggering the White Plan if necessary.

Very quickly, we have to prioritize these business impacts. Indeed, when you’re in degraded mode, your employees come to you to explain how this new mode of operation affects their work, and you have to be able to respond to their requests.

The institutional crisis unit is therefore responsible for prioritizing the impact on the business, establishing a hierarchy in the requests to be dealt with, and taking responsibility for them by explaining the situation and its implications. Its role is also to keep the technical crisis unit informed of what may be happening, so that they are not disrupted in their remediation.”

Key points for organising your crisis units

  • Identify roles according to your different crisis scenarios
  • Organize your strategic and operational cells
  • Give each player a clear scope of action and missions
  • Communicate this information and save it for a downgraded mode

 

Discover our experts’ advice for communicating in times of crisis.