The very second a cyber attack is discovered is the moment no organization likes to think about. A million things rush into your head as you try and process the situation and recall what needs to happen next. Having a strong incident response (IR) plan will help make the next critical moments run smoothly and ensure the business is back up and running as quickly as possible.
A good IR plan goes into finite detail, breaking down each requirement after a breach and allocating roles so everyone knows what their priorities are. Every second is critical, so time cannot be wasted revisiting the plan and reconfirming duties – it must be engrained into business practice and knowledge so that the plan can be put into motion immediately.
Joseph Carson is Chief Security Scientist and Advisory CISO at ThycoticCentrify (opens in new tab).
The most important thing to remember is that every tiny detail must be considered. It’s not just a case of who’s calling who, and what buttons need pressing. Every single action and requirement must be accounted for.
Let’s take a look at the top five elements of a strong IR plan.
As soon as someone mentions a cyber breach, everyone’s thoughts go to the cybersecurity (opens in new tab) team. However, the intricate and dynamic cyber landscape demands more – company security is no longer the sole responsibility of the security (opens in new tab) team. Awareness must be business-wide and board-level high.
When it comes to making those vital decisions straight after a breach, who needs to be involved in the conversations? Of course, the security professionals will have greater knowledge on the technical side, but the decisions made will impact the entire business – like paying or not paying a ransom – so there must always be a board presence. From there, you can start to allocate specific responsibilities. For example, someone needs to contact the external IR team and manage their access to the building so everything runs smoothly. In a time of crisis, you don’t want to be fussing around with clearance and admin.
Data (opens in new tab) breaches often involve the compromise of sensitive information relating to both business and customers (opens in new tab), which brings regulations and compliance into the mix. The legal team will need to be on hand to manage communications (opens in new tab) with data protection authorities and any other involved parties.
And finally, businesses need to be prepared for when the public catches wind of the situation. News can rapidly spiral out of control, so establishing a clear PR and communications plan is essential. Having pre-prepared statements and messaging will save valuable time and deliver a voice of control to those affected.
Don’t forget documentation
To best manage a cyber incident, teams need to collect as much information as possible. This includes what type of breach, where it originated, how far it has spread, and what systems have been affected. You need to paint a detailed picture of what is happening in front of you so you can respond appropriately. Unfortunately, attackers won’t make it easy for you. They often hide their activity by deleting logs and other indicators of their location. Teams must use what little evidence they can salvage from the breach to identify the origins of the attack and block further compromise.
How will you communicate?
As well as communicating to those outside the company following a breach, teams must also prepare for a potential collapse of internal comms. Criminals are smart and will often target a business’s means of contact to delay being kicked out of the network. This means emails may be locked down by ransomware and phone systems taken offline. When there are so many parties involved in an IR plan, communication is everything. If 20 different people are working to manage the breach in complete comms isolation, the whole process is at risk of collapse. Setting up alternative forms of contact is vital to avoid further catastrophe.
A ransomware (opens in new tab) outbreak may swiftly encrypt critical assets, including the IR plan itself, which could leave the team stranded in a crisis maze with no map. Saving backups of important documents, or even producing hard copies, will strengthen the company’s IR plan.
The restoration process
It’s now time to start unpicking the incident and work towards re-establishing control over the network. But to do this, teams need to understand what they’ve been hit with and how it operates. Sandboxing tools are useful here as they essentially put the malware under the microscope and determine what makes it tick. And remember, just because you’ve found one trace of malware (opens in new tab), doesn’t mean there isn’t another lurking somewhere else in the network.
Now that you’ve identified the culprit, it’s time to get the company back on its feet. It might take a couple of days or weeks – especially if using offline backups – but at least you’re making progress. Predicting the fallout of a malware or ransomware attack will only strengthen the IR plan. Acknowledging that it will take weeks of work to restore the company before it even happens will lessen the sting should the situation arise.
Strengthen the plan with practice
The final, and arguably most important, stage of an IR plan is practice. If the worst happens, you need your team to move and work like a well-oiled machine, and that only comes with preparation. Scheduling drills will help iron out the kinks and highlight any gaps in the plan. When issues are resolved, repeat the drill – and then repeat it again. Businesses and the wider industry change at a rapid pace, so the IR playbook must be regularly updated. People come and go, roles are changed, and contracts expire. All this needs to be reflected in the plan.
One element that is often overlooked by organizations is the wellbeing of the IR team. The immediate response phase can take hours, even days, to complete, so the team needs food, a place to rest, and warm clothing as a lot of data centers are kept at very low temperatures. If they’re expected to work round the clock to protect your business, you need to make sure they have the support and environment to do so.
Cyber incidents of all severities occur daily, and almost every single victim will have shared the same thought in the past: that will never happen to us. But it did. And criminals will continue to capitalize on this naivety. Taking the time to produce a detailed and comprehensive incident response plan will strengthen your position should the worst happen. So, force yourself to think about that very second when a breach is discovered and ask yourself this question: what would I do next?
At TechRadar, we've featured the best business VPN (opens in new tab).