
Cyber Incident Response Guidance & Best Practices

Whether you’re a small company or one as large as Colonial Pipeline or T-Mobile, not having any cyber incident response plan will cause major problems and disruptions. When you’re hit with a breach, without a plan in place, your security and management teams will be scrambling and likely to make expensive mistakes. 

This being said, you should have an Incident Response Plan (IRP) tested and in place. If you already have an up-to-date IRP, follow it. If you don’t, you should begin to get one in place before it’s needed.

According to National Institute of Standards and Technology (NIST) guidance, it is critical to have a cyber incident process that includes preparation, detection and analysis, containment, eradication, recovery, and post-incident follow-up. If you are attacked without an incident response process in place, the following activities may help lessen the damage to your daily and long-term operations.


Preparation

A strong cyber incident response process begins with early preparation. An established plan with comprehensive guidance is a powerful tool: no matter what type of incident you incur, you have a set of basic activities geared to minimizing the event, so you can respond in a strong yet efficient manner and avoid mistakes that could damage your business in the long term. You need to be able to proceed immediately to contend with whatever type of event has occurred.

Preparing in advance is far cheaper than fighting a cyberattack in real time, so explain to your senior business executives that creating an IRP is an investment in protecting your critical operations. In other words, think of the investment as an insurance plan of sorts.

Below are some guidelines based on industry best practices and JANUS’ 32+ years protecting our clients. 

  1. All personnel should know the main point of contact to notify in the event of a suspected event or breach (the technical and/or management contact who will set the response in motion), and how to notify them in a way that is consistent throughout your business. This alert notification should be published to the appropriate personnel and categorized at the highest possible level of priority. Make sure people know and understand the following:
    1. What to include in the alert, such as what happened, where it happened (what you were doing when it happened), and when it occurred.
    2. How they are to communicate (cell phone, radio, etc.) in the event that email or telephones cannot be trusted.

  2. Technical Response Personnel—A process needs to be put in place (well before an event, and as part of your plan) that lays out what happens when an event occurs: who the response team should notify (think management), what processes need to be kicked off, etc.
    1. Every event will have unique components. However, a significant amount of time can be saved – which might be critical in avoiding severe disruption – by getting as many common elements such as important vendors, law enforcement contacts, and customer contacts in place so that you don’t need to think through (or research) every action needed and only have to address those that vary from the mainline plan.

  3. Make sure the Plan is stored in multiple places that are easy to get to no matter what type of event occurs. That means not solely on the network just in case the network is encrypted and made inoperable by ransomware. Examine the plan each month for potentially needed updates. Changes such as new or departed personnel, new software or new systems, and changes in service providers can have a major impact on whether the plan will work properly or fail.
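Item 3 above asks for plan copies that survive a ransomware outage and for a monthly review. The check below, an added example and not JANUS' own tooling, shows one way to automate that: it flags a plan with no offline copy, copies that have drifted out of sync (compared by SHA-256 fingerprint), and a review date older than a month. The copy inventory and review dates are constructed sample values.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample inventory of IRP copies. "offline" marks storage that stays
# reachable when the network is down or encrypted by ransomware.
PLAN_COPIES = [
    {"name": "network-share", "offline": False, "content": b"IRP v3 reviewed 2021-05-01"},
    {"name": "usb-in-safe",   "offline": True,  "content": b"IRP v3 reviewed 2021-05-01"},
    {"name": "cloud-vault",   "offline": True,  "content": b"IRP v2 reviewed 2021-02-01"},
]

REVIEW_INTERVAL = timedelta(days=31)  # "examine the plan each month"


def fingerprint(content: bytes) -> str:
    """SHA-256 of a copy, so copies can be compared without reading them side by side."""
    return hashlib.sha256(content).hexdigest()


def divergent_copies(copies):
    """Names of copies whose content differs from the most common version."""
    digests = {c["name"]: fingerprint(c["content"]) for c in copies}
    if not digests:
        return []
    counts = {}
    for d in digests.values():
        counts[d] = counts.get(d, 0) + 1
    majority = max(counts, key=counts.get)
    return sorted(name for name, d in digests.items() if d != majority)


def review_overdue(last_review: date, today: date) -> bool:
    """True when the last review is older than the monthly interval."""
    return today - last_review > REVIEW_INTERVAL


def check_plan(copies, last_review: date, today: date):
    """Return a list of findings; an empty list means the plan passes every check."""
    findings = []
    if not any(c["offline"] for c in copies):
        findings.append("no offline copy: plan unreachable if the network is encrypted")
    stale = divergent_copies(copies)
    if stale:
        findings.append("copies out of sync: " + ", ".join(stale))
    if review_overdue(last_review, today):
        findings.append("review overdue: last reviewed " + last_review.isoformat())
    return findings


if __name__ == "__main__":
    for finding in check_plan(PLAN_COPIES, date(2021, 5, 1), date(2021, 7, 15)):
        print("FINDING:", finding)
```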

Identification

After preparing, if an event occurs, you will need to identify what type of event this might be. The following steps will be useful to get you started. 

  1. Start by determining that there is a suspected problem. You need to identify:
    • What happened?
    • What infrastructure inside or outside your site/network is, or might be, involved?
    • When did it happen?
    • What person or group of staff was affected?

  2. Alert your response contact. (While the following are suggested best practices, always follow your leaders and knowledgeable staff who understand your specific environment.)
    • At the receiving end of the notification, the response personnel should always answer immediately.
    • Sever internet connectivity via the network switch.
    • Cut off connectivity to all network-connected backups and their processes.
    • Sever all connectivity between the affected servers (as best understood at the time). If you can, separate connectivity between network segments.

Immediately disconnect affected machines from the network. If it is a workstation, unplug it from the ethernet cable, or turn off the wireless connection. Do not power off affected machines as that might permanently damage data and render it unrecoverable.  

Containment

If a suspected ransomware event is detected and someone in your organization believes he/she might have accidentally created a breach, it is their responsibility to call/email/text the identified alert person(s) or group. This notification should immediately trigger the incident response process, including appropriate staff and the technical response team, to begin taking the steps needed to contain the event. If a technical response team does not currently exist in your organization, now is the time to designate team members and assign responsibilities, before they are needed. 

In our ransomware example, the technical staff would be the group that most likely will disconnect your organizational network from the Internet and affected workstations from the internal network and all servers. 

DO NOT TURN OFF ANY EQUIPMENT UNTIL KNOWLEDGEABLE TECHNICAL PEOPLE INVESTIGATE. 

Every computer should immediately have its network connection removed but remain powered on to await technical assistance. Speed is of the utmost importance.

Investigation

As the technical investigation process gets underway, it will be important to synchronize the activities of all incident involvement personnel. At a minimum, structure a communications team that includes a representative from the following: 

  • Executive Management 
  • Technical Response 
  • Human Resources or Personnel 
  • Legal, Audit and Privacy
  • Public Relations or Corporate Communications 

This group should constitute the core of your incident communications team. 

Under no circumstances should anyone make a statement to the press unless it has been agreed upon by senior management and your legal representative. Make sure that all media relations are coordinated from one source.

Your organization’s leadership will need to decide who that spokesperson will be. It is critical that no conflicting information be provided. That spokesperson may need to involve others to make announcements to the press, government, law enforcement, etc., but the communications team, together, should make that decision—not a single individual. 

You may need to involve the highest executive in the organization such as the President or CEO, but all of his/her activities and statements should be coordinated with the team identified above. The response team needs to be involved in both eradication and recovery, but those activities will depend on exactly what happened, and therefore must be more customized than can be addressed here.

Closing Thoughts

Here we’ve offered basic advice in the event of a cyber incident. It is not a substitute for a properly designed Incident Response Plan and should not be used in place of one. Rather, we’ve provided several suggestions and best practices to help you get started on protecting your environment.

Cyber attacks of all types, especially ransomware, continue to increase in frequency and sophistication, and the chances of your organization being successfully attacked are greater every day. While we hope that you never have an issue, statistics show that most organizations will most likely suffer a successful cyber-attack. 

Prevention is the best and most cost-effective solution. JANUS has been protecting clients’ best interests since 1988. We can help you create an Incident Response Plan, provide data backup strategies that work if and when needed, in addition to patch management, penetration testing, employee awareness training, and other services that will fortify your defenses and help keep cyber criminals and nation states at bay. Reach out to us for a no obligation conversation on how best to protect your employees and operations. 

Important Information 

This article, “Cyber Incident Response Guidance & Best Practices” is to be used only as a guide. It is not a substitute for a formal Incident Response Plan. If you’re interested in receiving a personalized consultation for creating or updating your IRP, get in touch with our Corporate Director Chris Kniffin, for more information.
