
What to Do When a Cyber Attack Occurs? The Obligations Are Clear

What should be done when a cyber attack occurs? This question is likely posed at times by those responsible in companies, but until an attack happens, very few of them actually seek an answer to it. Such is human nature: ‘It won’t happen to me, right?’ However, one should not rely on luck. From 2024, all key and important entities, according to the classification of the Cybersecurity Act, have new obligations that could be useful for anyone wondering what to do when a hacking attack occurs.

– With the adoption of the new Cybersecurity Act in February 2024, categorized entities have become obligated to implement measures for managing cybersecurity risks and obligations to report significant incidents and serious cyber threats, which will certainly contribute to greater resilience and faster response to cyber threats – stated CERT.

Before and After an Attack

In the period preceding an attack, ‘key’ and ‘important’ entities are required to manage cybersecurity risks, i.e., to implement measures such as risk analysis, action plans, the introduction or use of cryptography, and the like. If an incident occurs and there is reasonable suspicion that it falls into the category of significant incidents, they are obliged, without delay and within 24 hours of becoming aware of it, to send an early warning to the competent CSIRT (Computer Security Incident Response Team), and then, within 72 hours, an initial notification with more data. After that, further notifications follow on how the situation is developing.

The obligation to report lasts until the end of the attack, and if the attack lasts longer than thirty days, ‘key’ and ‘important’ entities are also required to send progress reports. A ‘significant incident’ can be anything that can cause serious disruption to the functioning of services or activities, cause financial losses, or cause significant material or immaterial damage to other natural or legal persons, including reputational damage. For companies that collect vast amounts of data about their users, including credit card information, photographs, and the like, almost every incident therefore becomes a significant one. The competent CSIRT can be one of several bodies. Most often it is the NCKS (National Cybersecurity Center), which operates within the SOA, or CERT, which operates within CARNET. Reports to the competent CSIRT are submitted via PiXi, a dedicated application run by CARNET.

The Problem of Speed and Rashness

Does it seem complicated? Well, it is, but it is necessary. When an attack or a significant incident occurs, one must adhere to these rules and involve experts, so that the causes of the attack can be determined more easily, data can be recovered, and, in the most severe cases, the crime can be reported to the police.

– The most common mistakes are the hasty shutdown of compromised systems, late involvement of experts, deletion of logs or reinstallation before forensics, and poor documentation of actions. The consequences of such mistakes are the loss of key forensic data, inability to prove the cause and extent of the attack, difficulties in exercising rights to cyber insurance, and prolonged recovery – said the business development manager for ICT at Duplico, Željko Vugrinec.

Best Forensic Practice

CERT also emphasized to Lider the importance of following best forensic practices and pointed out that it is necessary to secure and document all relevant data about the incident without delay, paying special attention to the integrity of the evidence. In layman’s terms: do not tamper with anything; the state should remain unchanged. All activities should be documented using authorized tools and procedures, and evidence should be secured with controlled access. This matters because evidence collected in this way can later be admissible in proceedings.
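One way to put the integrity and documentation points above into practice is an evidence register that hashes each artefact at acquisition, refuses to overwrite it, and logs every later access with a fresh integrity check. This is an added example, not code from the article, CERT or Duplico; the log excerpt and analyst names are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artefact: a short log excerpt standing in for a collected file.
SAMPLE_LOG = (
    b"2024-05-03T08:12:41Z sshd[812]: Accepted password for admin from 203.0.113.7\n"
    b"2024-05-03T08:12:42Z sshd[812]: pam_unix(sshd:session): session opened for user admin\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceRegister:
    """Append-only register: one hash per artefact plus a timestamped custody trail."""

    def __init__(self) -> None:
        self.items: dict[str, dict] = {}
        self.custody: list[dict] = []

    def _log(self, name: str, actor: str, action: str, note: str = "") -> None:
        self.custody.append({
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "artefact": name, "actor": actor, "action": action, "note": note,
        })

    def acquire(self, name: str, data: bytes, actor: str, tool: str) -> str:
        """Hash at acquisition; refusing overwrites keeps the register append-only."""
        if name in self.items:
            raise ValueError(f"{name} already registered; evidence is never replaced")
        digest = sha256_hex(data)
        self.items[name] = {"sha256": digest, "size": len(data), "tool": tool}
        self._log(name, actor, "acquired", f"sha256={digest}")
        return digest

    def verify(self, name: str, data: bytes, actor: str) -> bool:
        """Recompute the hash on every access so any alteration is detected and recorded."""
        ok = sha256_hex(data) == self.items[name]["sha256"]
        self._log(name, actor, "verified" if ok else "INTEGRITY_MISMATCH")
        return ok

    def export(self) -> str:
        """Serialize items and custody trail for hand-over or attachment to a report."""
        return json.dumps({"items": self.items, "custody": self.custody}, indent=2)


if __name__ == "__main__":
    reg = EvidenceRegister()
    reg.acquire("auth.log", SAMPLE_LOG, "analyst-1", "manual copy (constructed)")
    print(reg.verify("auth.log", SAMPLE_LOG, "analyst-2"))       # True
    print(reg.verify("auth.log", SAMPLE_LOG[:-1], "analyst-2"))  # False
    print(reg.export())
```

A mismatch is never silently discarded: it stays in the custody trail, which is exactly the record a reviewer or court will ask for.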

Entities categorized as ‘key’ and ‘important’ have certainly already studied the relevant Cybersecurity Act and the accompanying Cybersecurity Regulation that elaborates on procedures during significant incidents. Those who do not belong to these categories, but would like to ensure that they report correctly to the relevant cybersecurity authorities and receive appropriate advice or assistance, should definitely study these regulations before any incident. And those caught unprepared by an attack can always turn to CERT, whose website contains instructions and guidelines.

– Not everyone discloses attacks at the same stages, whether it is in the phishing stage, a compromised user account, or ransomware. The National CERT is available at any moment of an attack and can provide assistance and expertise in resolving a cyber incident – stated CERT.

The Issue of Reporting and Notification

The quality of reporting and notification can always be a problem in such situations, both because of the detailed obligations and because of the stress of the situation. The obligations can easily be determined by downloading the forms from CERT’s pages, and stress can be kept in check by ensuring proper working conditions for the team handling the incident. CERT assesses the reports it has received so far positively, because most reporters provide all the necessary data in the initial message, but Vugrinec warned that established processes sometimes remain only on paper.

– For example, compliance with GDPR and NIS2 in practice improves the quality of response because companies have defined reporting and notification procedures, but the problem arises when organizations report incidents too late and without sufficient data or when processes remain only on paper. The biggest challenges are insufficiently practiced procedures and unclear communication – emphasized the expert from Duplico.

What is a ‘Significant Incident’

However, Vugrinec noted that public-private cooperation is increasing, especially when CERTs exchange indicators of compromise. He also warned that the problem of insufficient information sharing by private companies, out of fear of reputational damage, has not been resolved. Interestingly, the Cybersecurity Regulation stipulates that a significant incident is also one that has caused reputational damage to the entity, and it further elaborates that damage to the entity’s reputation occurs even if a public media service provider reports on the incident. In effect, this means that those who conceal an incident that then reaches the media must report it even if it was not initially categorized as significant; in addition, a fine of ten thousand to ten million euros, or up to two percent of annual revenue, can be imposed. Why? If the media report on it and nothing has been reported to the CSIRT, the notification was by definition late.

This provision, we hope, is intended as a deterrent tool, not for frequent application.

Preventive Measures

This would be in line with what Vugrinec observed about the general readiness of organizations for cybersecurity.

– It is noticeable that they are all maturing as more and more of them introduce cybersecurity measures, update processes, and conduct exercises, but the weakest points remain outdated processes, unclear ownership of processes, lack of communication procedures, and untested backups. We advise regular tabletop exercises, clear communication channels, mandatory data recovery testing, and integration of the plan into broader business continuity plans – stated Vugrinec.

The measures he advises, together with software solutions and procedures, can contribute to prevention. Working with people is therefore as important as acting properly after an attack occurs. ‘It won’t happen to me, right?’ Well, it won’t – until it does. And then it is important to have people who know whom, what, and how to report, which experts to call, and what to tell management so they don’t panic and hit the delete button.
