It’s 5:00 on Friday afternoon. You’re ready for a well-deserved weekend of relaxation and sleep. But as you log off your computer, it happens. Your network is hit with a cyber attack!
Your weekend is gone, but that’s the least of your worries.
Your life doesn’t flash before your eyes, but those cyber security briefings and warnings of what could happen certainly do!
That’s water under the bridge. So, what do you do now? Do you have an incident response plan? That is, do you have a “cyber” incident response plan?
Fortunately for you, this is when you wake up and realize it was all a bad dream. But it was real enough to make you decide to do something to prepare for an incident because, as you know, “it’s not a matter of if but when.”
As you start to create an incident response plan, it may feel like starting at the end instead of the beginning. But you’ll see that this is ok as long as you start somewhere.
Imagine that your dream is a premonition that something bad will happen in the next day or two. Are you ready for it? What do you HAVE to do right now?
The first thing you will need is an incident response plan. The plan must be written on paper (since it may not be accessible online if you’ve been hit with a cyber attack). You should also ensure that several copies of the plan are stored in safe places so it can be accessed quickly.
The plan should specify when the incident response team should be notified. Not all cyber events will require the full army. Some may only require the IT team. Some may require your cyber security team, your Security Operations Center (SOC), law enforcement, legal advisors, forensics teams, and more.
The members of the team should have clearly defined roles. Who will be responsible for communications (internally and externally)? Who will contact the FBI? Who is in charge of notifications for compliance purposes?
The team members must be available to respond at any time of the day or night. If they are unavailable, alternates who can be called instead should be identified. Make sure to have all the contact information for each team member and alternate (phone, email, text), and keep this list current.
The means of initial notification must be clearly defined. For example, if the attack started as an email compromise, you may not be able to reach out by email. Alternatively, you may have a secondary email account set up (via a different internet provider) for emergency use only. Be sure it does not include the organization’s name, to keep it safe from a secondary attack.
Be aware that communications may be monitored, so when sending out notification of an incident, use a pre-scripted message that everyone understands, such as, “The incident response team is to meet at our designated location immediately,” whether that location is a physical location or a virtual meeting outside the organization’s network.
The IT team should have hardware available specifically for use in the event of a cyber incident. This includes items such as a laptop for remote restoration of the organization’s infrastructure, along with other devices.
In addition to having a plan and tools, the team should exercise this plan against different scenarios to improve response and identify any areas needing improvement.
Conducting these exercises will not only improve your response, but it will also make everyone feel more prepared. It will also provide the next steps to develop your cyber security plan. As part of the planning process for an incident, the team will identify the hardware and software that will have to be inspected and/or wiped and restored. This inventory will form the foundation of your cyber security plan, because you must know what you have in order to know how to protect it.
So, while this may seem like you’re starting from the end, it really is not a linear process. It is a cycle of identification, protection, detection, response, recovery, identification, etc. There is no beginning and end in cyber security. It just…is. And it is always evolving.