Maersk incident response

Written by: RedGoat

Categorized: Cyber Resilience

The importance of testing your incident response

Updated April 2023

Fire drills are commonplace. We test the alarms, the evacuation procedures and the fire marshals get to practice their roles. In a cyber attack there can be just as much chaos as with a fire, perhaps even more so. This is why incident response is such an important consideration for companies and why, no matter how good you think your plans are, you need to test those plans with cyber-attack wargaming exercises.

When you review the aftermath of some of the cyber incidents that have happened over the last few years one thing strikes you quickly. Some companies come off well and others have their reputations utterly destroyed.

AP Moller Maersk is well and truly in the former category. So much so that they have been heralded as the “Gold Standard” for incident response. Their reputation has benefitted greatly from the cyber attack and rightly so.

We are going to look at what happened to Maersk and more importantly what choices they made that left them setting such a high bar for incident response.

The Attack

In late June 2017 Maersk employees started noticing “Ooops your files are encrypted” appearing on their laptops. Around the same time a staff member noticed that suddenly his PC restarted. He looked around the office and described a “wave” of screens turning black. They were irreversibly locked.

Across Maersk the scale of the incident was becoming clear.  45,000 PCs and 4,000 servers.

It took hours to halt the spread of this malware. Many employees were told just to go home. They must have left work that day wondering if they would even have a job to go back to.

Incident Response

Maersk made some very clever and effective decisions throughout this ordeal though and this not only saved their business but ended up with the media referring to their IT team as “heroes” and heralding the company for being a beacon for corporate responsibility. Here are a few of the strategies employed by Maersk on that fateful day.

Speed and Honesty: Maersk got their first public statement out quickly. This allowed them to get ahead of any news stories that would inevitably break. They wouldn’t need to spend time putting out communications fires if they were leading the narrative. A big mistake is to wait until you are sure what has happened. The story will leak into the media and if they get their narrative out first you will spend a lot of time putting out the fires they start.

Maersk also didn’t try to hide what was going on. They quickly admitted they had suffered a cyber attack and continued to stress that the safety of their staff and their operations was of paramount importance. They didn’t try to blame “power issues” or “unexplained outages” as others have done in the past. They were brutally honest about what was happening from the start.

Priorities: Your I.T team can’t do everything. Their time and focus in an incident are valuable commodities so use them wisely. Maersk was clear that their priorities were safety and containment. Both for their operations and for the peace of mind of their partners they wanted to ensure that, whatever else happened, the malware didn’t spread outside of Maersk. This means their I.T team weren’t being pulled in 100 different directions and people were reassured safety and containment were paramount.

Facts First: Maersk eventually communicated that the cyber attack had come from “a previously unseen type of malware”. This is a very clever statement on their part. It is descriptive but not sensational. A big mistake that a lot is organisations make is to be tempted to put out that they were attacked by a “hugely sophisticated actor” or that they had suffered “an unprecedented attack never before seen in the world”. The trouble with this is that the language i s just too sensational. This leaves you open to criticism from the cyber community and increased interest from the press. Maersk kept all their external messaging factual and devoid of emotional language. They didn’t announce that everything was “secure” again until they were certain of it either. They didn’t speculate about who may have done this, they focussed on their clients, partners and operations and putting things right.

Aftermath

At the World Economic Forum, the Chairman of Maersk is quoted as saying that before the incident they were “basically average when it comes to cyber security” and that this attack was a “wakeup call”. This is a refreshingly honest statement from the head of one of the world’s leading shipping companies.

According to Industrial Cyber Security Pulse, Maersk estimated the the cost of the attack to be between $250 million and $300 million, though the true cost could have been significantly higher.

Planning for incidents is one thing that, in my experience, the maritime industry is very good at. It isn’t rocket science though. Every company from large multi-nationals to micro-entities should have a plan and have confidence that in the chaos of a real event that plan will be effective.

How can you be better prepared?

Review: Do a review of your current plans for a cyber-attack. Check that the names of the people who will manage the crisis are up to date and know they are on this list!

Wargame: Run a cyber attack wargame exercise to test the plan and the teamwork of your crisis management team. This helps everyone practice their roles in a safe environment where they can make mistakes. Ensure you use loggists from within your company to log every decision being made. This helps you debrief after the exercise and in a real incident will provide an invaluable log of everything that happened.

Document: Make sure you document the lessons learned from the wargame and use them to update your plans

Playbook: Develop a playbook or action cards that your senior leaders can use in an incident. Keep this as a simple checklist.

Insurance: Review your insurance cover and the terms of that cover. Some insurers demand that they allocate your incident response help they also have various requirements about notification.

Get legal support: Find a law firm that handles cyber incidents. They can help reduce your liability post-incident, ensure you communicate everything to regulators and even assist with PR advice.

Honest comms: Remember that honesty and transparency go a long way in an incident. Confidence and trust are crucial for almost every company. Make sure your communications plans remember this.

If you would like assistance in designing or delivering a focused and bespoke cyber exercise within your organisation, read our guide to exercising or email [email protected] for a free no commitment consultation with one of our leading exercise professionals.

You can read from some of the Maersk team who dealt with the attack here in the “Maersk Post”.

Sources:

Maersk CEO on surviving a cyber-attack; Financial Times

Maersk Line: surviving a cyber-attack; safety4sea.com

Lessons learned from NotPetya; infosecurityeurope.com

The untold story of NotPetya; wired.com

Ransomware: The key lesson Maersk learned; zdnet

Case study AP Moller-Maersk and NotPetya; clairetills.com

The Throwback Attack: How NotPetya accidentally took down global shipping giant Maersk, industrialcybersecuritypulse.com

Related Content

Key risk indicators in cyber security

Understanding key risk indicators (KRIs) in cybersecurity In the constantly evolving landscape of cybersecurity, key risk indicators (KRIs) play a crucial role in measuring and […]

Read more

How to get exec approval for a cyber exercise

Testing your response to a cyber-attack will save you resources in the event of a real incident, but for many organisations taking the first step in exercising can seem like a big commitment in time and energy. Here are some top tips on getting exec approval for a cyber exercise.

Read more
Menu