A good security strategy isn’t just about protecting organizations from attacks – it also means having a plan to get things back on track when a breach occurs. A good incident response plan can make the difference between an attack being a brief disruption or a disaster that costs millions of pounds and brings the business to its knees.
But assembling an effective IR playbook is no small task, writes Joseph Carson, Chief Security Scientist and Advisory CISO at ThycoticCentrify. A serious security incident can impact the entire business, which means the plan must account for a lot of stakeholders and moving parts. And the clock will be ticking too. For cases like ransomware and persistent threats, the first four to six hours make all the difference.
Now is not the time to be stumbling along, improvising as you go. Compare it to fixing a leak at home. Sure, you can go on YouTube and find some plumbing tutorials, but do you really want to do that while your kitchen fills with water? So, how do you ensure your IR preparations will stand up to a serious breach when the time comes?
The heart of a good incident response plan: Clear roles and responsibilities
A serious security incident is not simply an IT or security response. It’s a top-level business issue and many of the decisions will be elevated to the executive board. For example, will you negotiate with the threat actors and agree to a ransom demand, or ignore them and fix it yourself?
On the technical side, you need people with specific responsibilities like contacting an external IR specialist and managing their access to the building and systems. Someone also must document everything, taking notes in meetings and making sure actions are assigned and carried out.
Many other areas of the business also have important roles to play. If personally identifiable information (PII) is involved, the legal and compliance teams need to be on the case to handle obligations under the EU GDPR and any other applicable regulations. This may include notifying the relevant data protection authority, law enforcement, and any affected victims.
PR and communications activity is one of the most frequently overlooked areas. They need to get ahead of the incident and deliver a clear and accurate message that shows the company has things under control, especially as breaches are often first discovered by third parties or announced by attackers themselves.
Ideally, the PR team should have worked with IT security in advance to prepare statements that can be used for different circumstances to avoid being stuck, creating them from scratch and then waiting on fact-checking and legal approval.
Speaking of communication, internal comms is an important area that is often forgotten in otherwise good incident response plans. We’ve become used to efficient digital comms channels. But what happens when ransomware locks everyone out of their email, knocks out the phone system, and shuts down access to Teams and Slack channels? I’ve encountered cases where a company is left helpless because they can’t access their contact lists, and even the IR playbook itself has been encrypted by ransomware.
Preparing mobile-based backup channels like WhatsApp groups is an effective way around this problem, as well as hard copies of important documentation such as contracts and IR plans.
Documentation is one of the single most important factors in dealing with a security emergency. This means gathering and correlating as much intel as possible about the nature and cause of the breach. Your priority is to construct a timeline of what has happened so that you can set about combating the threat and restoring operations. You’ll also want a full inventory of affected systems to narrow down the threat and help determine what elements of the business can still function. Tracking tools such as Jira that offer mobile functionality are useful here.
Gathering documentation on the attack can be challenging as adversaries delete logs to cover their tracks. The effect can be like trying to assemble a 1,000-piece jigsaw with only 200 pieces left in the box – you need to use the remaining data to gain a sense of what’s missing. Constructing a timeline of events enables you to trace the breach back to patient zero, helping you identify and close the source of initial access.
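As an added example (not code from the original article or its author), the following Python script shows the mechanics of the timeline reconstruction described above: it parses fragmentary log lines from several hosts, sorts them into a single timeline, identifies the earliest event and external source (patient zero), and flags hosts whose logs fall silent for hours while other systems still record activity attributed to them, the kind of hole that deleted logs leave behind. All log lines, hostnames, account names and the IP address are constructed samples; the four-hour silence threshold is an assumed tuning value.

```python
"""Rebuild an incident timeline from fragmentary, out-of-order logs.

Added example, not part of the original article. Sample data is constructed:
three hosts (web01, file02, dc01), one external address, a service account.
web01's own log is empty between 08:02 and 16:30 even though file02 and dc01
record activity attributed to it in that window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, deliberately shuffled and incomplete.
SAMPLE_LOGS = """\
2024-03-04T15:41:05Z file02 smbd: connection from web01 as svc_backup
2024-03-04T08:02:11Z web01 sshd[2201]: Accepted password for svc_backup from 203.0.113.7
2024-03-04T16:12:45Z dc01 EventID=4732 'support_tmp' added to Domain Admins by svc_backup
2024-03-04T08:02:40Z web01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/bash
2024-03-04T16:30:12Z web01 sshd[3120]: Accepted publickey for support_tmp from 203.0.113.7
2024-03-04T15:55:30Z file02 smbd: 4812 files written by svc_backup
2024-03-04T16:10:00Z dc01 EventID=4720 user 'support_tmp' created by svc_backup
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
IP_RE = re.compile(r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log_lines(text):
    """Turn raw lines into event dicts; unparseable lines are skipped but counted."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            if line.strip():
                skipped += 1
            continue
        try:
            ts = datetime.strptime(m["ts"], TS_FMT)
        except ValueError:
            skipped += 1
            continue
        ip = IP_RE.search(m["msg"])
        events.append({"time": ts, "host": m["host"], "msg": m["msg"],
                       "src_ip": ip["ip"] if ip else None})
    return events, skipped


def build_timeline(events):
    """Chronological order across all sources, regardless of collection order."""
    return sorted(events, key=lambda e: e["time"])


def find_silent_periods(events, max_gap=timedelta(hours=4)):
    """Per host, flag stretches with no log entries longer than max_gap (assumed threshold)."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["time"])
    gaps = []
    for host, times in by_host.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_gap:
                gaps.append({"host": host, "start": earlier, "end": later,
                             "hours": round((later - earlier).total_seconds() / 3600, 2)})
    return gaps


def patient_zero(events):
    """Earliest recorded event: the starting point for tracing initial access."""
    timeline = build_timeline(events)
    return timeline[0] if timeline else None


def affected_hosts(events):
    """Inventory of systems that appear in the evidence."""
    return sorted({e["host"] for e in events})


def external_sources(events):
    """Distinct source addresses seen in the evidence."""
    return sorted({e["src_ip"] for e in events if e["src_ip"]})


if __name__ == "__main__":
    evts, skipped = parse_log_lines(SAMPLE_LOGS)
    for e in build_timeline(evts):
        print(e["time"].isoformat(), e["host"], e["msg"])
    print("affected hosts:", affected_hosts(evts), "| unparsed lines:", skipped)
    print("external sources:", external_sources(evts))
    first = patient_zero(evts)
    print("patient zero:", first["host"], first["time"].isoformat(), first["src_ip"])
    for g in find_silent_periods(evts):
        print(f"{g['host']} silent for {g['hours']}h between {g['start']} and {g['end']}")
```

The silence check is only meaningful once other sources have been merged in: a host with no entries for eight hours looks unremarkable on its own, but becomes a lead once file02 and dc01 show it was active during that window, which is why the timeline is built across every source before gaps are judged.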
The road to restoration
After locating the initial compromise, you need to get to grips with any malware involved. What method does it use? Did it use manual deployment? Is it self-propagating? Does it have data exfiltration capabilities? Sandboxing tools such as Joe Sandbox are useful as they let you safely upload a copy of the malware and analyse how it operates.
From here, you can set about removing any traces of the malware throughout the systems. Teams should be on the lookout for additional hidden malware as threat actors often use hidden backdoors that can trigger secondary attacks or enable persistence.
With this done, you can restore systems from backups to bring the business up to full functionality. Ideally, businesses should have at least two sets of redundancies for their backups, as attacks often target cloud-based duplicates first. Offline copies will mean losing a few days or weeks of work, but that is better than starting from scratch. Unfortunately, most backup strategies do not protect against ransomware, because attackers encrypt the backups too.
Practice makes perfect
An IR plan is only useful if it's kept current. Let’s say you put a lot of effort into creating a playbook back in 2018. Well, since then, one of your key stakeholders has changed roles and another has left the business, and their replacements haven’t been clued in. Oh, and it turns out the contract with your IR service provider lapsed last year, so you have to negotiate a new one at premium rates. Reviewing your plans on a twice-yearly basis will stop these kinds of surprises from happening in the middle of a crisis.
It’s also recommended to carry out practice drills of the IR plan to highlight gaps that are missed on paper. For example, if you bring in an external IR team, what admin details do they need to access the systems? Without a specific set of credentials reserved for them, they could be relying on logins that have already been compromised by the attacker. Incorporate privileged access into your IR plan.
A cyber crisis also throws up physical challenges. So, you have a team working around the clock to get rid of a ransomware outbreak. Who’s in charge of their physical access to the building?
A practical but often overlooked factor: is there somewhere they can go and take a nap after hours of crunch time? Who’s responsible for ordering takeaways? As an experienced security pro, I have my own go-bag stocked with useful items like IR guidebooks, energy bars, gloves and earmuffs in case I end up working in a refrigerated data centre. But organisations must also offer support.
Most enterprises will suffer a serious security breach sooner or later, so a detailed and tested IR plan is essential today. Proper planning and preparation can make the difference between having a plumber on speed dial and jamming a leak with your finger while you Google “plumbing for beginners” with your other hand.