CYBER OPERATION: RANSOMWARE ATTACK ON THE UK'S RETAIL MARKET

Applying a cyber-operational model to an imagined scenario of a ransomware attack on the UK's retail market, the six phases of cyber-operations can be laid out as below.

Phase 1 → Shape: Prevent and prepare. This is a pre-operational phase consisting of the regular day-to-day protection and prevention measures conducted to support the overall stability of your systems. For example, in this UK retail market incident, measures such as educating users to use strong and complex passwords (through public-private partnerships) will prevent a breach from occurring through the use of a weak password. In other cases, training employees on the roles and responsibilities they can take on during an attempted data breach can also be part of the prevention phase.

Phase 2 → Deter: This phase assumes and acts as if the system is under continuous attack and takes measures to deter it. Identifying breaches and establishing how, who, when and what are the key matters. For example, in our UK scenario, knowing who is asking for the ransom, what kind of data and resources the criminal has employed to conduct the breach, and assessing how you can contain the breach will be helpful in taking deterrence measures against the criminals.

Phase 3 → Seize: This is the act of containment once a breach is discovered. In this phase, measures to eliminate or minimize the damage by deploying force are taken. In our case of the UK ransomware attack, once the attack has occurred, the necessary measures will be, for example, employing the system backups prepared for disaster recovery, disconnecting infected devices from the internet, changing user and administrative access credentials, and hardening all passwords.

Phase 4 → Dominate: Once the seizure is established, dominance must be asserted to eradicate the threat. In this phase it is essential to go back to the root cause, the point where the ransomware criminal gained entry, and to carry out work such as removing the malware, hardening the system, and generally confirming full-spectrum superiority over the attacker.

Phase 5 → Stabilize: In this phase of the operation, the system is stabilized and restored to full operation. After a business is hit by ransomware there is generally a fear of a second occurrence; however, restoring the affected systems and devices and returning them to your business environment should be the target. Methodical testing and additional intrusion detection systems need to be introduced to stabilize the system once more.

Phase 6 → Enable civil authority: In this final phase, the investigation has been completed, the incident response team has reported on the case, and lessons have been learned. Now it is time to determine what worked well in the response and what the shortcomings were in handling the attack, going as far as making policy changes to the company's business operating methods, and so on.
