Whether you’re a small company or one as large as Colonial Pipeline or T-Mobile, not having any cyber incident response plan will cause major problems and disruptions. When you’re hit with a breach, without a plan in place, your security and management teams will be scrambling and likely to make expensive mistakes.
This being said, you should have an Incident Response Plan (IRP) tested and in place. If you already have an up-to-date IRP, follow it. If you don’t, you should begin to get one in place before it’s needed.
According to the National Institute of Standards and Technology (NIST) guidance, it’s critical to have a Cyber Incident Process that includes: preparation, detection and analysis, containment, eradication, recovery, and post-incident follow-up. In the event of an attack, if you do not yet have an incident response process in place, the following activities may help lessen the damage to your daily and long-term operations.
A strong cyber incident response process begins with early preparation. An established plan with comprehensive guidance is a powerful tool: no matter what type of incident you incur, you have a set of basic activities designed to limit the event, so you can respond in a strong yet efficient manner and avoid mistakes that could damage your business in the long term. You need to be able to proceed immediately to contend with whatever type of event has occurred.
Preparing in advance is far cheaper than fighting a cyberattack in real time, so you should explain to your senior business executives that creating an IRP is an investment in protecting your critical operations. In other words, think of the investment as an insurance plan of sorts.
Below are some guidelines based on industry best practices and JANUS’ 32+ years protecting our clients.
After preparing, if an event occurs, you will need to identify what type of event this might be. The following steps will be useful to get you started.
Immediately disconnect affected machines from the network. If it is a workstation, unplug the Ethernet cable or turn off the wireless connection. Do not power off affected machines, as that might permanently damage data and render it unrecoverable.
If a suspected ransomware event is detected and someone in your organization believes he/she might have accidentally created a breach, it is their responsibility to call/email/text the identified alert person(s) or group. This notification should immediately trigger the incident response process, including appropriate staff and the technical response team, to begin taking the steps needed to contain the event. If a technical response team does not currently exist in your organization, now is the time to designate team members and assign responsibilities, before they are needed.
In our ransomware example, the technical staff would be the group that most likely will disconnect your organizational network from the Internet and affected workstations from the internal network and all servers.
DO NOT TURN OFF ANY EQUIPMENT UNTIL KNOWLEDGEABLE TECHNICAL PEOPLE INVESTIGATE.
Every computer should immediately have its network connection removed but remain powered on to await technical assistance. Speed is of the utmost importance.
As the technical investigation process gets underway, it will be important to synchronize the activities of all incident involvement personnel. At a minimum, structure a communications team that includes a representative from the following:
This group should constitute the core of your incident communications team.
Under no circumstances should anyone make a statement to the press unless it has been agreed upon by senior management and your legal representative. Make sure that all media relations are coordinated from one source.
Your organization’s leadership will need to decide who that spokesperson will be. It is critical that no conflicting information be provided. That spokesperson may need to involve others to make announcements to the press, government, law enforcement, etc., but the communications team, together, should make that decision—not a single individual.
You may need to involve the highest executive in the organization such as the President or CEO, but all of his/her activities and statements should be coordinated with the team identified above. The response team needs to be involved in both eradication and recovery, but those activities will depend on exactly what happened, and therefore must be more customized than can be addressed here.
Here we’ve offered basic advice in the event of a cyber incident. It is not a substitute for a properly designed Incident Response Plan and should not be used in place of one. Rather, we’ve provided several suggestions and best practices to help you get started on protecting your environment.
Cyber attacks of all types, especially ransomware, continue to increase in frequency and sophistication, and the chances of your organization being successfully attacked grow every day. While we hope that you never have an issue, statistics show that most organizations will eventually suffer a successful cyber attack.
Prevention is the best and most cost-effective solution. JANUS has been protecting clients’ best interests since 1988. We can help you create an Incident Response Plan, provide data backup strategies that work if and when needed, in addition to patch management, penetration testing, employee awareness training, and other services that will fortify your defenses and help keep cyber criminals and nation states at bay. Reach out to us for a no obligation conversation on how best to protect your employees and operations.
This article, “Cyber Incident Response Guidance & Best Practices” is to be used only as a guide. It is not a substitute for a formal Incident Response Plan. If you’re interested in receiving a personalized consultation for creating or updating your IRP, get in touch with our Corporate Director Chris Kniffin, for more information.