In addition to setting up appropriate defensive measures to keep intruders out, having an incident response plan established in case a ransomware attack or a breach does happen is essential. Each member of your team should know exactly what they have to do in response to an attack so that immediate steps can be taken to remedy the situation.
Companies worldwide are struggling to regain control after the massive Petya ransomware attack that quickly spread within 24 hours. As major companies in international shipping, advertising, energy, and pharmaceuticals are learning, the more time that passes without action, the more damaging the situation becomes. Here is what every incident response plan should include, at a minimum:
- Create an organizational structure for the incident response (IR) team. You need to know who the members are and what each member's role is within the team. Designate ‘responsible parties’ who will own the IR processes. Then list all parties that might need to be alerted, and under what circumstances they would be contacted.
- Define what constitutes an incident, that is, what thresholds must be passed to move something from an event (which can be handled in a routine way) to an incident. Does the response differ for a ransomware attack versus an insider data leak or a third-party breach? Every organization with a developed plan defines this differently, so figure out what works for your organization.
- Use an incident response framework. Clarify what organizational steps must happen at each stage of the incident response. For example, events are first recorded in a ticketing system, then evaluated by a designated member of the team. If the threshold is passed, the IR team is activated and specified business officers are alerted, and so on.
- Establish a documentation methodology and repository for all incidents. This includes after-action reports and root cause analyses that occur after closing an incident.
Don’t wait for a real ransomware or breach crisis to test your team. Establish a regular schedule to fully test and update your plans, and to give your team a chance to practice without real consequences. Specific playbooks for incident response can be developed during these tests, as well as while dealing with real events and incidents.