We’ve seen the story far too many times. A company gets hit with ransomware, and the attackers start making demands and threats. The victims, panicked, give in to the demands, only to be hit with more ransom demands and threats. When designing cybersecurity defenses, it’s easy to put all your energy into preventing breaches. As a result, many organizations don’t put enough time into post-breach defenses. Incident response plans are an essential but often overlooked part of this.
What is an Incident Response Plan?
In a nutshell, an incident response plan outlines the steps, procedures, and policies an organization follows when it is hit by a cyberattack. Getting hit by a cyberattack can be incredibly stressful, and bad decisions can be extremely costly. People are more likely to make bad decisions under stress, so having a clear, well-structured plan greatly reduces the pressure and the risk of damaging mistakes.
Components of a Good Incident Response Plan
A good incident response plan will cover all areas of incident response from start to finish.
Overall Goals
A well-defined statement of your organization’s goals helps to keep priorities in focus. Like a business plan, every good incident response plan will have a mission statement which reminds you of the “big picture” during a crisis.
Delegation of Responsibilities
If everyone knows who is supposed to do what, incident response will go much more smoothly. All cyberattacks require a rapid response, but this is especially true of ransomware attacks. You can’t afford to have two different people doing the same thing while other tasks get neglected. This also means designating a leader to coordinate the incident response. The incident response team also needs the authority to act fast across all parts of the organization. If this authority is established in advance, it can be a major time saver. Ideally, conduct drills from time to time to build familiarity with roles and procedures and improve preparedness.
Prepare Procedures
Once it’s clear who is responsible for what, it’s time to define exactly what everyone will be doing. Someone will need to move to contain the threat, and someone else may need to contact law enforcement and make sure the organization complies with all relevant ransomware laws and regulations. When it comes to ransomware, every organization needs to know its stance in advance. The ideal is to avoid negotiating with the attackers, but depending on the severity of the attack, it may be necessary. The incident response plan defines all of these procedures and helps guide the decision. A good incident response plan also helps defend against the psychological pressure tactics many ransomware gangs use at this stage.
Defining Incidents
Incident response procedures should define the different types of threats the organization may face, to help with early identification. Defining the different types of malware and attacks in advance lets your organization recognize what it is dealing with and launch the appropriate response as quickly as possible.
Threat level documentation
It’s also important to differentiate between major and minor threats. If incident response policy is too tight, it will interfere with normal operations; if it’s too loose, major attacks can slip by unnoticed. One common framework many companies use for defining threat levels is the NIST Cybersecurity Framework.
Containment procedures
Once the threat is detected and you know what response is needed, it’s time for damage control. You have to stop the spread of the malware as quickly as possible. In this step, every second counts. Following clear, well-rehearsed steps can make the difference between a short amount of downtime and a nightmare that costs millions of dollars. Containment involves shutting down and isolating affected machines and files, interviewing users, conducting digital forensics to determine the source of the infection, and so forth.
Recovery
The main goal of incident response is to get systems working normally again as quickly as possible. Once the attacker’s access has been removed and data is restored from clean backups, it’s time to get back to work. When it comes to ransomware, many attacks these days are double extortion attacks, in which data is stolen before it is encrypted. In these cases, recovery may also mean contacting clients whose data was compromised and complying with regulations covering data breaches.
Post-breach review
Every cloud has a silver lining. A cyberattack can be a wake-up call to improve the organization and security of your IT systems. It may cause significant damage, but improving security afterwards can prevent even worse attacks in the future. A post-breach review is an opportunity to overhaul existing policies and procedures and make your operations more resilient. The causes of the attack should be thoroughly understood, and the lessons learned should be put into practice.
Making an Incident Response Plan
This may seem like a lot at first, and it is. A good incident response plan needs to cover many different areas, including technology, business logic, and legal and regulatory compliance. Thankfully, there are a number of tools available to help you draft your plan. A good starting point is one of the published incident response templates. Leading cybersecurity professionals design these templates to cover all the aspects most organizations need to consider. You can start by deciding whether each item is relevant to you or not.
Incident Response Services
Depending on your budget and staff availability, it may make sense to outsource some of the incident response process. Some areas of incident response require specialized knowledge and expertise that may not be available in-house. For example, we specialize in handling all of the details of ransomware attacks and provide sophisticated ransomware data recovery services. We have extensive experience dealing with ransomware gangs of all shapes and sizes, and we know the behavior and dangers of the different gangs.
We know how to minimize the damage and costs associated with different ransomware types and variants. If the contact information of qualified experts is already in your incident response plan, that’s one less thing to worry about during an emergency. This way, you can immediately get help from people with the background needed to deal with specific threats like ransomware. We know that ransomware can strike at any time, so our rapid response team is standing by 24/7 to help in the event of an attack.