Ipremier Case

Uploaded by

jerin2303015

INDIAN INSTITUTE OF MANAGEMENT TIRUCHIRAPALLI

POST GRADUATE PROGRAMME IN BUSINESS MANAGEMENT


[2023-2025]

Group Case Submission – Group 5

iPremier (A): Denial of Service Attack

For
INFORMATION SYSTEM FOR MANAGERS
Year 2023 - 2025

Prepared By
Anshul Nyati - 2303005
K Ganapathy Sivasubramanian - 2303011
Jerin Joseph John - 2303015
Kannan Piedy - 2303016
K.S.Sharren Balaji - 2303038
Sritha Ikkurthy - 2303044
QUESTION:
Did iPremier effectively manage the crisis? Assume your group is part of crisis management at iPremier.
What could your group have done before, during, and after the crisis?
Answer:
Did iPremier effectively manage the crisis?
iPremier's crisis management was unprepared, and the team followed a reactive rather than a proactive
approach.
The actual attack was a distributed denial of service (DDoS) launched from a botnet (zombies and proxy
servers), with suspicions of intrusion; the potential threat and its consequences were unclear.
The critical aspect of crisis management is preparedness for such situations, which was lacking in
iPremier's management. In particular, having no incident response plan, outdated manuals, and no detailed
logging left the team without evidence of the real-time situation; the reliance on Qdata's outdated systems
and the improper response from the Qdata team put the whole management team at a disadvantage in
tackling the crisis effectively.
The Chief Information Officer was unsure of the nature of the attack and how to tackle it; the absence of
planned roles and responsibilities for such situations led to many communication delays, which in turn
delayed decision-making. With delayed decision-making and a lack of clarity on the problem, the
leadership team (CEO and CIO) could not assess the potential breach and the damage to the data, which
reflects poor crisis leadership.
What could your group have done before, during, and after the crisis?
Crisis handling would be subdivided into Before the Crisis (preventive measures), During the Crisis
(real-time response), and After the Crisis (recovery and recoup). This would equip the crisis
management team with a proactive approach: better planning for probable crises, better crisis
response, and post-crisis evaluation to mitigate future risks.
Let's look at the individual steps:
Before the Crisis – Preventive Measures
1. Devise a structured incident response plan (IRP) and an improved monitoring plan outlining the
steps to take during a cyber-attack. It should assign specific roles and responsibilities and include a
crisis PR strategy with internal and external communication protocols. It should primarily cover
DDoS attacks, data breaches, and system outages. Regular drills and testing should be conducted so
that staff can handle such situations effectively.
2. Upgrade the IT infrastructure and security systems, which are among the foundations of any
business today; when such systems fail, the business losses from a cyber crisis can be severe.
Hence, iPremier should move away from the outdated Qdata systems and implement firewalls on the
servers (not routers), intrusion detection systems (IDS), and DDoS mitigation. The DoS mitigation
software in place covered only simple DoS attacks; there were no measures to stop complex DDoS
attacks.
• Regular audits and updates of systems, including at the data centre, should be mandatory to
avoid future risks.
• Implement traffic filtering systems to block malicious traffic before it affects the
network.
• Rate limiters can be set on the number of requests received from each IP to protect against overload.
• Firewalls should be in place on the data centre side as well.
• Credit card data must be secured and encrypted to prevent extraction by intruders.
• Vendor partners need to be vetted and aligned with the business strategy.
3. Cybersecurity awareness and regular cybersecurity and crisis management training should be
undertaken by all employees, up to the topmost levels of the hierarchy. Understanding the nature of a
cyberattack early enough is vital, and this training plays an important role in that.
4. Outline a business continuity plan that lays down how operations will continue in the event of a
cyberattack. It should specify backup systems, data recovery, and communication strategies for
business continuity.
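A per-IP rate limiter of the kind suggested in the preventive measures above, as an added example that is not part of this submission or of the iPremier case materials: it replays constructed request streams through a sliding-window limit and shows why a per-source limit stops a single-host DoS flood but lets a distributed botnet flood through, which is the gap between simple DoS and complex DDoS that the answer points to. All IP addresses, timings and limits are constructed sample values.

```python
from collections import defaultdict, deque


class PerIpRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per source IP."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of recent allowed requests

    def allow(self, ip: str, now: float) -> bool:
        q = self.hits[ip]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over the limit: drop or challenge this request
        q.append(now)
        return True


def apply_limit(events, limit=20, window=10.0):
    """Replay (timestamp, ip) events through the limiter; return (allowed, blocked, offending IPs)."""
    limiter = PerIpRateLimiter(limit, window)
    allowed, blocked, offenders = 0, 0, set()
    for t, ip in sorted(events):
        if limiter.allow(ip, t):
            allowed += 1
        else:
            blocked += 1
            offenders.add(ip)
    return allowed, blocked, offenders


# Constructed traffic samples (not from the case); addresses are RFC 5737 documentation ranges.
def single_source_flood(n=200):
    """One host firing n requests 10 ms apart: the simple DoS a per-IP limit stops."""
    return [(i * 0.01, "203.0.113.5") for i in range(n)]


def distributed_flood(n_bots=100, per_bot=10):
    """n_bots hosts each sending per_bot requests spread over ~5 s: a DDoS pattern.
    Every bot stays under the per-IP limit, so the aggregate flood passes untouched."""
    return [(b * 0.05 + i * 0.5, f"198.51.100.{b}")
            for b in range(n_bots) for i in range(per_bot)]


if __name__ == "__main__":
    print("single source:", apply_limit(single_source_flood()))   # 20 allowed, 180 blocked
    print("distributed  :", apply_limit(distributed_flood()))     # 1000 allowed, 0 blocked
```

The second result is the point: the same limiter that blocks 90% of a single-source flood blocks nothing when the same volume is spread across a botnet, so per-IP limits need to be paired with upstream traffic filtering or a DDoS mitigation service.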
During the Crisis – Real-time Response
1. The incident response plan should be activated as soon as the attack is suspected.
2. Crisis management should be led by senior leadership without departmental bias. The IRP
should involve senior leadership, IT, Legal, PR experts, etc. Precisely assigned roles and
responsibilities should minimise confusion and delayed responses, giving a clear structure to
communication and the action steps to be followed.
3. Set up a war room with real-time information as the central point of information and
communication flow to the responsible parties during the crisis.
• Check the network traffic logs.
• Check the email chains in case they are part of a larger cyber-attack.
• Analyse system health to confirm whether any customer data has been breached. Key parameter to
check:
o Differentiate between a DDoS attack and a data breach.
• Clear internal communication on the roles and responsibilities of the internal stakeholders.
• Clear external communication with a customer-centric message about the crisis and the
counter-steps taken.
4. Isolate the systems under attack to prevent further damage. In DoS attacks, the DoS mitigation
service can divert malicious traffic. In case of a data breach, the vulnerable systems can be
cut off until a complete assessment of the situation is done.
5. Devise the PR communication flow for internal and external stakeholders and maintain
clear and transparent communication about the situation; the team should also be mindful not to
create panic with its communication.
6. Decide when the systems are to be reopened for business operations, considering the severity
of the attack and the security procedures.
After the Crisis – Recovery and Recoup
1. Assess the damage, who is affected, and the data protection regulations and laws impacting the
company.
2. Conduct a root cause analysis of the crisis, understand the vulnerabilities in the system, and
update the IRP based on what has been learned.
3. Document the crisis by maintaining logs of the entire event, particularly about the botnet and
any other attack vulnerability:
a. Timeline of the attack and duration of the crisis
b. What response efforts were made? Which were successful and which unsuccessful?
c. Conduct additional training on the lessons learned.
4. Update and monitor the IT infrastructure and strengthen firewalls to avoid further incidents.
Logs need to be stringently maintained irrespective of the cost.
5. Customer communication and PR are needed to restore customers' confidence that their data is
safe and to take action steps to prevent such incidents in future.
6. Take out a cyber security insurance policy as part of the risk mitigation strategy.
7. Change the vendor partner based on the company's reliability and security requirements.