The popular saying “Keep Calm and Carry On” is a good mantra for any company that finds itself undergoing cyberattack, but what that pithy phrase does not mention is how one stays calm when a threat actor has locked down your system and is demanding a multimillion-dollar ransom?

This key is having an incident response plan in place and ready to be pulled off the shelf and put into action by a well-drilled team that includes people from the C-Suite to corporate communications to IT staffers. 

For the uninitiated or those with few resources, developing an incident response plan may seem daunting, and let’s be honest, it can be without a good teacher. 

However, Trustwave Security Colony can be that teacher. 

Security Colony is a powerful, industry analyst-recognized self-service resource for CISOs that gives them direct access to a variety of tools, including a guide to developing an incident response plan. 

The guide is a detailed soup-to-nuts breakdown of what goes into incident response and the critical steps to take once you’ve been attacked. 

1. The Plan

The first step is to ensure you have an incident response plan in place. This document will contain a wide range of information and pre-planned tasks and will help guide an organization through an attack.

To create an incident response plan, it is vital to determine exactly what problem the plan will solve, such as what assets need protection and what attack scenarios you might face.

Once the primary assets are understood, the plan must take into consideration the fact that an IT department or security team cannot stand on its own when responding to an attack. The plan must detail who security will collaborate with within the broader organization. In general, this should include having an executive sponsor, essentially someone with enough oversight to support the security team’s effort and insist that others get on board.

An incident response plan must have buy-in from managers across the company, who should review, contribute, and understand their roles in incident response. Build an advisory committee comprised of people from around the organization who will be involved in responding to the crisis. Include your public relations and corporate communications teams.

It also helps to reach out to local law enforcement for support. Many police departments now have dedicated cybersecurity teams that can help before and after an attack takes place. Additional outside help from a dedicated cybersecurity partner should also be an integral part of the plan, especially if your internal security skills are lacking.

2. Are We Under Attack?

Perhaps counterintuitively, one of the most challenging aspects of responding to an incident is realizing that your organization is under attack. Threat actors are adept at remaining under the radar and only letting a target know it has been victimized when it suits their purposes. 

A quick aside, organizations can get ahead of an attacker by using Trustwave SpiderLabs Advanced Continual Threat Hunt (ACTH) solution. ACTH proactively searches a client’s systems for indications that an attacker is lurking about before they pull the trigger. For more information, please click here.

Those without an early warning will have to be on the lookout for other signs. These include:

• Strange or unexpected system activity
• Alerts from a Network IDS or Antivirus system
• Unscheduled system crashes or server reboots
• Unexplained configuration changes, unusual files, unknown processes, unexpected website changes, etc.
• Influx of phishing emails, spoofed emails, etc.
• Unusual activity in log files, or gaps in or missing logs
• Email system showing a large number of bounced/invalid emails
• Large volumes of network traffic to unknown countries and networks

3. Incident Response Team: Assemble!

   When the security team spots one or several of these indicators, they should activate the incident response plan. It’s vital to bring together everyone previously tagged as part of the response effort and take copious notes of what is discussed during these meetings. The team should then immediately put into place a “need to know policy” with only those working on the problem being privy to the details.

Try not to use corporate assets like email or chat programs to communicate, as these may be compromised. Instead, use devices like telephones or devices not connected to the network.

4. Assessment

   Once the players are in place, including any third-party security partner, attempt to determine how much of the environment the attack has compromised. If you can’t make this determination, simply assume the worst as a starting point.

5. Containment

   The one thing you don’t want to do is make or allow the situation to worsen. Hackers love to move laterally through a system, so the first move would be to disconnect any potentially compromised parts from the rest of the system. Another counterintuitive move is to avoid running antivirus or vulnerability scanning tools against the compromised system as this may contaminate the system logs making recovering and analysis more difficult.

6. Eradication

   Eradication should not be confused with recovery. That is the next step in the incident response process. Eliminating the problem can be very difficult as the process depends on exactly what type of attack transpired. If a vulnerability was the cause of the attack, then patching and cleaning the system might suffice. For incidents involving malware, verifying the systems are in fact, secure and that the malware has been completely removed can be very difficult and time-consuming. For example, root kits can be challenging to detect without specialist skills and tools, and a key method hackers use to obtain persistence on digital media. Security experts generally recommend rebuilding systems entirely to prevent reinfection.

7. Recovery

   The most important facet at this stage is to make sure the recovery process does not result in another security incident. If backups are available, ensure they are not compromised, or else you will simply reintroduce the problem back into your system, which is exactly what the attacker wants. There is also a legal aspect to recovery, and one must ensure the team has performed all necessary due diligence before evaluating whether to terminate the incident. Finally, conduct logging and monitoring of the affected systems and network traffic to verify that the system or environment has effectively been remediated.

8. Lessons Learned

   Even though your desire might be to forget that the attack happened, the best course of action is to conduct a formal post-incident review. Check to see if the incident response plan was, in fact, effective, check if established security policies worked as expected, and that the initial risk assessment that the team conducted related to crucial corporate assets was accurate. Basically, did the bad guys go after what you expected, or were they interested in data that you did not believe to be important?

Establishing an incident response process takes time, effort, money, and skill, but it’s important to remember that it can and must be done. If your organization does not have the ability to do so, calling in a security partner might be required. 

If you are not ready for that step, a good first action is using some of the self-assessment tools supplied by Trustwave’s Security Colony. A detailed incident response plan can be found here for free, along with additional text and video resources.

Security Colony has been cited as a “major differentiator” by industry analyst firm IDC, as a powerful self-service resource for CISOs that gives them direct access to a variety of tools that will allow them to self-diagnose the problem.