Even as companies invest more in cybersecurity and take it more seriously, ransomware and other successful cyberattacks keep increasing. A successful breach is not inevitable, but it is becoming more likely despite best efforts to prevent it.
Just as Noah did not wait for the rain to build the Ark, companies must face the reality that they have to plan, and train their employees, for how to respond when a cyberattack happens. The worst time to plan your response to a cyberattack is while it is underway.
With so many companies falling victim to cyberattacks, an entire cottage industry of Incident Response (IR) services has arisen. Thousands of IR engagements have helped surface best practices and preparedness guides to help those that have yet to fall victim to a cyberattack.
Recently, cybersecurity company Cynet provided an Incident Response plan Word template to help companies plan for this unfortunate occurrence.
Planning to Avoid the Worst
The old saying “hope for the best, plan for the worst” only half applies here. Companies are actively working to prevent cyberattacks, not just hoping for the best. But it is still worthwhile to plan what the company should do after a breach, so that the team can act immediately rather than wait for a plan to be assembled. Once a breach has occurred and attackers have access to the network, every second counts.
An IR plan outlines the roles and responsibilities of the response team. It also identifies the top-level processes that the team will use to respond to cyber incidents. The IR Plan Template created by Cynet recommends following the structured six-step IR process defined by the SANS Institute in its Incident Handler’s Handbook, which, by the way, is another great IR resource.
The six steps are:
- Preparation–review and codify an organizational security policy, perform a risk assessment, identify sensitive assets, define which critical security incidents the team should focus on, and build a Computer Security Incident Response Team (CSIRT).
- Identification–monitor IT systems, detect deviations from normal operations, and determine whether they represent actual security incidents. Collect additional evidence to establish the type of incident and its severity, then document it.
- Containment–perform short-term containment, for example, by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production, while rebuilding clean systems.
- Eradication–remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.
- Recovery–bring affected production systems back online carefully, to prevent additional attacks. To ensure normal operation, test, verify and monitor the affected systems.
- Lessons learned–no later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it and whether anything in the incident response process could be improved.
The IR Plan Template helps organizations codify the above into a workable plan that can be shared across the organization. Cynet’s IR Plan Template provides a checklist for each of the IR steps, which of course can and should be customized to each company’s particular circumstances.
The Cynet IR Plan Template explains the Cynet IR team structure and the roles and responsibilities of each member, so that nobody is running wild during the chaotic effort to recover from a cyberattack. With so many moving pieces and tasks to accomplish, it is critical that staff prepare in advance and know what will be expected of them.