Written by Alice Liu, Cybersecurity and Incident Response Consultant, CISSP, HCISPP, and CEH
Imagine, being interrupted in the middle of dinner with a phone call from the IT team reporting that some employees can’t get into their files. They have black screens counting down with a statement saying, “Pay us the ransom if you want your information back.” Now what?
Determine an Incident Response Leader
It is critical to have an Incident Response leader. Leading an incident with a group of people causes confusion and opens the possibility of major errors. The lead needs to be capable of thinking clearly under pressure but also able to understand both technical issues and have strong communication and tracking abilities. They should also be versed in data regulations and able to work with legal and compliance, if needed. Having someone familiar with how to run an incident is a huge added benefit. It can help a company avoid common pitfalls of incident management that are difficult to recover from.
Do Not Fall Prey to Action Bias
The urge to do something, anything, when things have gone awry are strong. It is critical to think through what information needs to be captured that can only be gathered before things are changed to start containment. Getting an image capture of the systems involved and turning on and keeping logs are all essential to figuring out what happened in the long run. Developing a checklist of what is often needed prior to an incident can help tremendously.
Don’t Wait Too Long to Act
On the other side, waiting too long to mitigate the problem and not thinking through how else the hackers may switch tactics can leave the company still exposed. It is critical to continue monitoring and to be hypervigilant of any other possible changes. Closely watching administrator accounts and limiting any external access that isn’t required will help minimize damage.
Protect the Logs
It is also critical to keep logs and evidence from the beginning of the incident. Logs can roll off and then no longer be retrievable. The loss of logs will greatly impact your ability to answer questions about what was compromised. If a system is shown as accessed, it is required to assume that everything was accessed and proceed accordingly to regulations if it is needed to notify people affected and to declare if it is a breach. Logs can be used to rule out access to large amounts of data, saving companies money and reputation loss.
Have a solid backup and restore plan. Oftentimes if ransomware has gotten a strong foothold, backups maybe your only option. If they are functional, it will save endless amounts of time rebuilding critical infrastructure. This process should be reviewed and tested regularly.
Develop an Incident Response Plan and Test It
Managing an incident gracefully centers around both experience and having a plan. A solid plan that outlines which teams need to be involved, communication strategies, and approval chains. Running through the plan with affected parties by doing a table-top, not only helps companies meet regulatory guidelines, but will also help ensure smoother management of incidents in the future. Trying to define who will make decisions in the midst of an incident adds even more stress during an already stressful time.
If you need help developing a Computer Security Incident Response Plan or other Incident support, Fortuna BMC can help.
About the Author
Alice Liu is a cybersecurity professional that has worked both incident response and operations. With extensive experience managing incidents, forensics, and their declarations along with audits and implementing security solutions across complex business environments. She runs ALT-C Consulting, headquartered in Sacramento, CA.
Cybersecurity and Incident Response Consultant, CISSP, HCISPP, and CEH