With three guides, Anssi argues for more structural remediation


If you have to rebuild your network, you might as well do it on sound foundations. That is, in essence, the message from Anssi, which on Tuesday, January 16 unveiled three new guides dedicated to remediation after a computer attack and intended to share its doctrine and best practices.

The term covers the operations intended to evict the attacker from an organization's information system, regain control of its network and rebuild its IT on a sound basis.

As the state's cyber firefighter points out, these operations have a major structural impact. They can be rapid, favoring a return to normal as quickly as possible, which results in a low level of security that will then have to be “consolidated over time”. “A second alternative, longer, consists of a total resumption of control of the information system”, reports the agency, “more effective over time”, making it possible to aim for “a higher level of security”.

“Very profitable” investment

Unsurprisingly, Anssi is campaigning for the second option. As it points out in the first guide, a twelve-page document intended for managers, an in-depth remediation accompanied by a transformation of the security posture does cost more initially. But in the long term, Anssi estimates, this investment will be “very profitable”, bringing the organization lasting control over its IT security.

Conversely, a remediation carried out too quickly carries a high risk of the attack resurfacing, which can generate a “very high” total cost for the organization. “The damage from a computer attack can amount to millions, or even tens of millions of euros,” recalls Anssi. “This is why the directions and means given to managing remediation are decisive for the future of an affected organization.”

In its press release, the agency cites the example of an unnamed organization to illustrate what is at stake. After a first computer attack, this organization carried out an incomplete remediation, which nevertheless allowed it to “increase its level of detection”. It then fell victim to a second computer attack, detected immediately, which was followed by a reorganization of the information system. Having been assisted by Anssi, the victim organization was then able to face the third attack alone, and it was contained thanks to the efforts made.

Active Directory

The two other guides published by Anssi are aimed at those steering remediation and at technical teams. Their publication was announced last spring, when Anssi issued a call for comments from IT departments. The second guide, “Managing remediation”, covers the development and execution of the remediation plan in 96 pages. Part of this document is devoted to relations with service providers. Standard plans are also suggested to readers.

The third guide, “Tier 0 Active Directory remediation”, is devoted, as its title indicates, to the core of trust of Active Directory. This directory service centralizes identification and authentication across a network of Windows-based devices, making it a prime target for hackers.


