Incident Response 101
It’ll be all right on the night – NOT
When a disaster such as a ransomware attack strikes your organisation, how well are you prepared? A cyber incident response plan is much more than having hardware and software in place, or even having a contract with a managed security services provider.
The people within your organisation who comprise the cyber security incident response team are perhaps more important than any of these factors.
First, the response plan must be clearly formulated, and communicated to all members of the response team – and their alternates; the fact that a staff member has been designated as part of the incident response team means nothing if she or he is on leave or otherwise unavailable on the day of an incident.
Each member of the team must be fully aware of their roles and responsibilities in the event of an attack. Perhaps more importantly, it is not enough that each member has the capability of carrying out the tasks – they must have the authority within the organisation to be able to make decisions and carry out the resulting actions.
But… simply having an idea of how to go through the motions of the response is only half the battle. I have worked in large enterprises where business continuity was paramount, and which also happened to be located in a region subject to natural disasters (earthquakes, typhoons, etc.). Continuity of service was critical – financial and reputational risks were at the forefront of the minds of management.
Not only was it obligatory for there to be effective practices for cyber incident response and recovery, the incident management plan had to be fully documented with all the dependencies for each silo clearly delineated, kept up to date, and circulated throughout the organisation. As changes were made to infrastructure and applications, part of the sign-off procedure for the implementation of such changes was conformity with the incident response plan.
Futhermore, these plans were rehearsed on an annual basis. Over the course of a weekend, a “plugs out” test was carried out, whereby the network cables connecting the data centre to the Internet were literally pulled out of their sockets, and the work began to set up shop in the disaster recovery data centre some distance away using data which had been automatically replicated.
Not only was this a test of the technology, it was a test of the people involved: did the phone tree used to assemble the response team work properly; did those responsible realise the importance of their place in the plan; were all the steps taken in the correct order; and finally, how long did it take before something approaching normal service could be resumed?
Only through similar rehearsals, involving those who really will carry out the actions and make the decisions (no deputising of roles by senior management because it’s “only” a rehearsal!), with full participation by all relevant third parties, will it be possible to make a full recovery from a cyberattack if the worst occurs.
First Response has experience in the production and implementation of cyber incident response and recovery plans, incl. first responder training and establishment of an incident response framework. If you feel that our skills and expertise might be of value to your organisation, please feel free to give us a call or email info[at]first-response.co.uk, and see how we can help you.