Hartford cyberattack response exemplary
When a city or company is hacked, its leaders usually don’t face the press. They hide behind a statement and news of the attack gradually emerges over days or weeks.
Earlier this month, when Hartford Public Schools canceled the first day of classes while the city recovered from a cyberattack, the mayor, school superintendent, police chief and head of information technology for the city held a joint press conference. They confidently explained the situation and the city’s response. To those of us in the cybersecurity field, it was clear that the city had invested time and financial resources and was ready for this attack. City leaders were following a response plan. It was very different from the scrambling we’re used to seeing.
Canceling the first day of school — especially in this fraught and fragile school year — was an unfortunate outcome. But it could have been so much worse. Look no further than other Connecticut towns and cities that, in recent years, have paid hackers’ ransoms or spent weeks or months attempting to recover lost data.
The National Institute of Standards and Technology defines a four-step incident response cycle, which offers insight into why Hartford fared so well.
The first step is preparation. At that first-day-of-school press conference, Mayor Luke Bronin described a recent investment of just under half a million dollars to shore up the city’s cyber defenses. The upgrade was well-timed, and without it, the story of this cyberattack would likely be very different. Part of the investment, it would seem, included robust backup systems. Without the ability to restore data from backups quickly, a ransomware attack like this one (in which hackers encrypt data and demand payment to restore it) can be devastating and long-lasting.
NIST’s second step is detection and analysis. Reportedly, hackers gained access to the city of Hartford’s IT systems on Sept. 3, and their presence was detected when information began to be encrypted on Sept. 5. It may be surprising to people outside the IT industry, but two days is a very short time in which to detect a cyberattack. Hackers prize undetected access to systems because it lets them gather more information or expand their access over time. According to a recent IBM study, hackers remain undetected for about 197 days on average after first gaining access.
The third step is containment, eradication and recovery. It typically takes about two to three months for an organization to contain and recover from a cyberattack. While we don’t know exactly where the city of Hartford’s recovery effort stands, we do know that more than 200 of the city’s 300 servers were affected, and yet school opened successfully on day two. It came close to opening on day one; the only obstacle was a system that operates school transportation that had not yet been restored.
Restoring large amounts of data and complicated systems from backups takes time. There are solutions that keep a physical copy of data on site in addition to a cloud backup, which can make data recovery almost instant. However, for a famously cash-strapped city, I am extremely impressed with Hartford’s ability to get back online so quickly.
The fourth step is post-incident activity. While the city of Hartford’s response was quite strong, it is, of course, better to stop ransomware before it enters the system at all. Typically, an employee unwittingly enables a ransomware attack. The sudden transition to remote work this year has caused cybersecurity best practices to fray at many organizations.
Though the city hasn’t detailed exactly how the Hartford hack occurred, it’s important for municipalities and companies alike to make sure that their cybersecurity measures and training have adjusted to the current reality of how work is done.
Organizations throughout Connecticut can look at Hartford’s ransomware incident as a different kind of example to aid in their cybersecurity planning and decision making. There seems to be an endless stream of cases demonstrating what can go wrong.
In Hartford, we have a case study in what it takes to weather a ransomware attack with minimal harm.