New Year’s Resolution: Develop an Incident Response Plan

Developing An Incident Response Plan

Ringing in the New Year will inspire businesses & organizations around the globe to improve and grow in their industry. Let it also be a time that your team puts into place an efficient & effective cyber security incident response plan.

The New Year is an excellent time for business and organizational leaders to think more about how they will approach cybersecurity and securing their information for the upcoming months. Each New Year brings about the thoughts of what can be done internally to improve the overall effectiveness of a security framework. If you have not had time to create a tangible incident response plan, this is a perfect opportunity to formulate a response to cyber threats like ransomware.

Proven Data provides some background on how a robust incident response plan can be applied to several scaled businesses & organizations. We also focus attention on the rising severe threat of ransomware which addresses an example for extortion based cybercrime:

Highlights of An Incident Response Plan

Attempt to Isolate the Ransomware

Once the indicators of ransomware start becoming evident, there must be an initiative to proactively contain and block any defray of the malware to other parts of the local network. As cyber adversaries continue to improve the effectiveness of their ransomware attacks, they are now focusing on moving laterally within a network to encrypt data the data on every accessible computer. Here are the steps you can take to isolate ransomware on your network:

  1. Search for computers that have files that are inaccessible or have been renamed with different file extensions.
  2. Disconnect these machines from the network to avoid further encryption of data. Do not attempt to shut the machine down to prevent permanent data loss. 
  3. Enforce a strong password policy to avoid on your network to prevent users from creating weak passwords.
  4. Take an inventory of your local / domain accounts and reset passwords. Attackers may create additional login accounts once they obtain domain admin access to inflict further damage once ransomware has been remediated.

Finding out how your team & business will try and stop the malware will be specific to how the current network layout is organized and how your teams access their data. For larger organizations, this process may be completed by your IT team, which further signifies the importance of collaboration between departments for defending against cyber attacks like ransomware. Smaller companies must get familiar with the basics of how their local network infrastructure is laid out to see where they might be able to implement the technical incident response plan more acutely.

Check For All Backups

The primary method in which to recover from a ransomware attack without reaching out to the actors for decryption is to check to see if there are data backups that are intact. Sometimes businesses forget they might have a copy of offline backups somewhere, or it is possible that there was a storage location that was left untouched in the ransomware encryption process. This option is becoming rarer as ransomware variants dig deeper & become more dynamic to encrypt and disrupt all possible backup attempts. Backups are the most effective way to recover from encryption & underscores how critical a proper backup plan becomes to defending against ransomware attacks.

Determine Business Continuity Process

One of the main objectives of a successful ransomware attack is to ensure the business is not able to physically operate without access to their critical data, and functionality will stop. Employees will not be able to use their documents and informational sets needed to call clients, respond to incoming business queries, and change inventory lists or contribute value to the organization. The incident response plan should directly address what each employee can do in the event of a ransomware attack that discusses exactly how that role will continue without access to their data. 

Examples of business continuity plans might include other ways in which employees can communicate with clients in the case that their email or account lists & contacts become encrypted in a ransomware attack. Are there printed documents & records that show where to contact accounts & clientele from other businesses? Industries such as manufacturing and shipping are hot targets for ransomware attacks because of their notorious long-living lists of shipping history sheets and client databases. Specific ransomware variants exceed at encrypting network structures that are notorious for these types of industries.

Create a List of Contacts

If there is one thing universally agreed upon, it is that ransomware attacks cannot be resolved and the issues addressed by anyone in their single self. A strong response to a ransomware attack will include not only the employee reactions but also a list of outside contacts that might be leveraged to help address the scenario and assist the organization back to proper security standards. The list of contacts might include cyber attorneys, malware researchers or your local authority cyber office to communicate further and have a deeper understanding of the issues. 

In the examples of healthcare, medical & legal industries, critical information such as personally identifiable (PII) or data relating to records might be in breach of HIPAA laws & regulations. With an ever-changing landscape of cyber risk and breach notification laws, we encourage more companies to look closer at their list of available contacts that can help them. The U.S. Department of Health and Human Services provides a Ransomware Fact Sheet that further showcases the needs for breach notifications in certain instances. Many different stakeholders outside of IT will need to be in the loop for what is happening on developments within the ransomware attack.

Grow Stronger & Get More Secure

A ransomware attack can leave organizations unsure of their posture in cyber security and where they are vulnerable to outside cyber threats. Every member & employee must understand the importance of their efforts in defending against these growing cyber-attacks and how they can move forward and prosper in their cyber security. Cyber attacks need to bring employees closer together and looked upon as an opportunity to fix their security efforts and harden defenses. Following a ransomware or cyber attack, digital forensics can help clarify the places in which the cyber attack occurred and other vulnerability concerns. New cyber security policies & procedures will be enforced to help mitigate these risks and close vulnerabilities.

Updating the Incident Response Plan

The success factor of an incident response plan will depend on the efforts to update & mandate it’s stated actions regularly. As cybercrime and in particular, ransomware continues to unfold; businesses have to be keen on how these threats affect their data & operations. Taking a look at the incident response plan quarterly will significantly increase the effectiveness and resilience of the security framework structure. 

Take advantage of the breath of new fresh air this New Year and focus that opportunity on creating an incident response plan. It should not be an overwhelming task that seems impossible or a wasted effort. Collaborate and communicate with your colleagues and employees to find a solution that applies to your business and kick-off to a positive cyber start!

Recommended Posts