Organizations should operate under the assumption that they will experience a cyber incident. It is the reality of doing business in today’s globally-connected world.
Specific to this pandemic season, organizations are increasingly under attack from bad actors. The FBI reported that the number of cyberattack complaints they received during the pandemic reached as high as 4,000 per day, a 400% increase from pre-coronavirus levels.
That’s why we recommend that companies be as prepared as possible for an attack. Organizations should consider what should be included in their incident response (IR) plan and the important steps to take in the incident response process if an actual event occurs.
Most Important Steps in Incident Response (IR)
You should consider including the following elements in your IR plan, along with the supporting processes that let the plan be executed as quickly and seamlessly as possible.
1. Identification
The starting point for incident response is being able to identify, as quickly as possible, that something is happening or has already happened. Your organization should consider an alerting or monitoring system that triggers notifications to the appropriate team or personnel that something is not right.
For example, if an administrator account is used to log in at an unusual hour, that may warrant an alert to your team. If there is a significant increase in Internet traffic to your firewall, that could be a signal that something worth investigating is happening.
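As an added illustration (not part of the original post), the two alerting heuristics just described run over constructed log lines. The privileged account names, business-hours window, log formats and the 4x spike threshold are assumptions for the example.

```python
# Added example: two simple alerting checks over constructed log lines.
# Account names, business hours, log formats and thresholds are assumptions.
from collections import Counter
from datetime import datetime

ADMIN_ACCOUNTS = {"admin", "domainadmin"}   # assumed privileged account names
BUSINESS_HOURS = range(8, 19)               # assumed window: 08:00 to 18:59 local time

# Constructed auth log, one record per line: "<ISO timestamp> <user> <result> <source-ip>"
AUTH_LOG = """\
2021-03-02T09:12:44 jsmith success 10.0.0.14
2021-03-02T02:51:07 admin success 10.0.0.91
2021-03-02T13:05:19 admin success 10.0.0.14
2021-03-03T23:40:02 admin failure 10.0.0.91
2021-03-03T23:40:31 admin success 10.0.0.91
""".splitlines()

# Constructed firewall log, one inbound connection per line: "<ISO timestamp> <action> <source-ip>"
FW_LOG = (
    [f"2021-03-02T10:00:{s:02d} allow 198.51.100.{s}" for s in range(3)]          # quiet minute
    + [f"2021-03-02T10:07:{s % 60:02d} deny 203.0.113.{s % 250}" for s in range(30)]  # burst
)


def unusual_admin_logins(lines, admins=ADMIN_ACCOUNTS, hours=BUSINESS_HOURS):
    """Return (timestamp, user, ip) for successful privileged logins outside business hours."""
    alerts = []
    for line in lines:
        ts, user, result, ip = line.split()
        when = datetime.fromisoformat(ts)
        if user in admins and result == "success" and when.hour not in hours:
            alerts.append((ts, user, ip))
    return alerts


def traffic_spikes(lines, baseline_per_minute, factor=4.0):
    """Return the minutes (YYYY-MM-DDTHH:MM) whose connection count exceeds factor * baseline."""
    per_minute = Counter(line.split()[0][:16] for line in lines)
    return sorted(m for m, n in per_minute.items() if n > factor * baseline_per_minute)


if __name__ == "__main__":
    for alert in unusual_admin_logins(AUTH_LOG):
        print("off-hours privileged login:", alert)
    for minute in traffic_spikes(FW_LOG, baseline_per_minute=5):
        print("inbound traffic spike at:", minute)
```

In practice the baseline would be learned from historical volume rather than hard-coded, and both alerts would be routed to the on-call team rather than printed.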
When an attack or adversarial presence is confirmed, it is important that your incident response team quickly communicates with your management team to inform them that an active event is taking place. In some cases, you may need to shift employees to off-channel communications — whether it’s secure texts, personal cell phone lines, or another secure communication platform.
It’s important for employees to stay off the company email server because the adversary could be in the system reading emails looking to identify your organization’s next move in the IR plan. Be mindful of not letting the bad actor gain access to your playbook in the middle of the game.
Another consideration is whether or not the event requires notification to third-party vendors. For example, if your vendors typically email invoices, you may consider shifting them to a fax option or a non-company email address as a temporary stop-gap until your systems are returned to a normal state.
2. Containment
Once the identification is made, your team should spring into action following the IR plan to contain the threat. Perhaps the appropriate response is to take an infected machine offline. Or, you may need to unplug the network altogether so that the infection cannot replicate itself. You need to understand the extent of the situation.
- Is the incident isolated to one machine or one group of machines?
- If it is bigger than one machine — is it the entire environment?
Then, once you isolate the entry point of the attack, you want to determine whether the infection has spread. Is the bad actor still in the system? Is it a simple fix like a password change for one user? Or, does the bad actor have access to the entire network and this becomes a much larger issue to address?
The key is to understand the scope of the problem so that you can deploy the appropriate teams and tools to address the problem. Depending on the nature of the threat, you ultimately want to arrive at some level of comfort that the bad actor is out of the system. In extreme cases, this may require rebuilding the entire environment from scratch.
If you arrive at this point where the issue is more complicated or complex than what your team can appropriately respond to given timeframes or resource constraints, then you may need to bring in a security expert to provide incident response support.
3. Restore the System
Time is critical: the company needs to get back up and running as quickly as possible. Once you have contained and eliminated the threat, you need to execute your plan to regain control of the system and bring systems and machines back online. This needs to be planned out in advance so that everyone involved follows the proper order of bringing things back online during the restoration process.
For example, your organization could be up against a payroll deadline. You may need to bring payroll back online before you restore email or applications. Or, your organization could be in the middle of a major project with a tight deadline that requires immediate restoration of file access. This is why it’s important to plan for as many scenarios as possible and then prepare your incident response team to execute the plan.
Simultaneous with restoring the system, your team also needs to gain an understanding of how the event occurred. You will want to perform some level of discovery about how the bad actor entered the system and launched an attack.
You need to gather information to prevent a future attack, identify any gaps that need to be addressed, and then prepare to take action to close the gaps. The challenging part is balancing the need to return to operations against the need to gather intelligence to prevent the next incident. This can be especially difficult without a deep bench of resources to execute both aspects of the containment step at the same time. A security expert can help you plan for how to prioritize each action during the containment stage.
A final consideration is whether to engage legal counsel for guidance around any voluntary or required disclosures that may need to occur. These vary from state to state and are partly based on what data was potentially breached or exfiltrated. In many instances, the reputational damage can be just as significant, if not more, than the actual attack itself.
Next Steps: Prevent Future Cybersecurity Events
Why do organizations experience a second or third cybersecurity event? They skip an important step of reviewing what happened or return to operations, get busy, and never go back to make the identified changes. Organizations that do not complete this step will leave themselves vulnerable for a return attack, possibly with larger consequences.
Our recommended course of action is to create an investigative report, deliver the report to the appropriate decision-makers and stakeholders in your organization, and then review the findings. Take the time to review lessons learned and then act on the lessons learned to strengthen your organization’s position against a future attack.
Many organizations see this as an opportunity to set up supplemental risk mitigation projects. You can take the scenario that your organization just experienced, look through the lessons learned, and run through some scenarios to continue planning, practicing, and discussing what to do in the event of another attack.
You may not be able to test-run every scenario that your organization could face, but this is a valuable exercise to improve internal controls, gather feedback, provide further training to your technical teams and employees, and get better at incident response.
How Socium Solutions Can Support Your Incident Response
It’s a good idea to regularly schedule an incident response walkthrough. Perhaps it’s quarterly or once per year, but you should continually test the restoration process, especially to review the latest threats that are out there. You don’t want to be caught off-guard.
At Socium Solutions, we offer multiple opportunities for organizations to receive support for incident response.
1. We help organizations prepare for a cybersecurity incident through tabletop exercises with your team and other stakeholders. We’ll set up scenarios, run through simulations, and facilitate conversations about the best course of action during or after an attack.
We can also build out your IR plan or review your existing IR plan. Included in this process is performing a gap analysis to identify threats. We use a control-based assessment tool to help organizations clearly see their gaps, understand their vulnerabilities, and then work toward building the appropriate incident response plan.
2. We also help organizations that have faced an attack and may lack an IR plan. You’re not on an island when faced with this type of incident. You can call us and we will spring into action to help drive toward full restoration.
We will work with on-premise or localized IT teams to support your organization’s response to an incident. We will manage the process from the time of the attack to the full return to operations.
To inquire about utilizing our incident response services, including seeing our assessment tool for yourself, contact us today. We will deliver a right-sized solution that works best for your organization to support the incident response process.