
Security Week: 10 steps to build an effective cybersecurity incident response plan

Can organisations be prepared for a cyber-attack? A proper incident response plan can help businesses prepare in advance


Believe it or not, ransomware and other cyber-attacks are the last sign an adversary has breached an organisation’s network. In fact, when it’s obvious that a business has been victimised by an attack, it typically means cybercriminals have been lurking for days, if not months. The question is, if cyberattacks take a while to execute, can organisations be prepared and act in real time to minimise the damage of cyberattacks?

The best way forward for businesses is to have a structured Incident Response plan, so they can act as fast as possible when under an active attack.


Sophos recommends the following 10 steps to create an effective cybersecurity incident response plan, based on the real-world experiences of its Sophos Managed Threat Response and Sophos Rapid Response teams, who have tens of thousands of hours of experience when it comes to dealing with cyber-attacks.

Here are 10 key steps to create an effective cybersecurity incident response plan:

1. Determine key stakeholders

Properly planning for a potential incident is not the sole responsibility of security teams. In fact, an incident will likely impact almost every department in an organisation, especially if the incident turns into a full-scale breach. To properly coordinate a response, organisations must first determine who should be involved. This often includes representation from senior management, security, IT, legal, and public relations.

2. Identify critical assets

To determine the scope and impact of an attack, organisations first need to identify their highest priority assets. Mapping out highest priority assets will not only help determine a protection strategy but will make it much easier to determine the scope and impact of an attack.

3. Run tabletop exercises

Incident response is like many other disciplines – practice makes perfect. While it is difficult to fully replicate the intense pressure the teams will experience during a real breach, practice exercises ensure a more tightly coordinated and effective response when an actual incident occurs. It is important to run not only technical tabletop exercises, but also broader exercises that include the various business stakeholders previously identified.

4. Deploy protection tools

The best way to deal with an incident is to protect against it in the first place. Organisations should ensure they are using appropriate endpoint, network, server, cloud, mobile, and email protection.

5. Ensure maximum visibility

Without the proper visibility into what is happening during an attack, organisations will struggle to respond appropriately. Before an attack occurs, IT and security teams should ensure they can understand the scope and impact of an attack, including determining adversary entry points and points of persistence.

6. Implement access control

Attackers can leverage weak access control to infiltrate an organisation’s defences and escalate privileges. Organisations should regularly verify that the proper access controls are in place.

7. Invest in investigation tools

In addition to ensuring the necessary visibility, organisations should invest in tools that provide the necessary context during an investigation.

Some of the most common tools used for incident response include Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), which allow organisations to hunt across their environment for indicators of compromise (IOCs) and indicators of attack (IOAs).

8. Establish response actions

Detecting an attack is only part of the process. To properly respond to an attack, IT and security teams need to ensure they can conduct a wide range of remedial actions to disrupt and neutralise an attacker.

9. Conduct awareness training

While no training programme will ever be 100% effective against a determined adversary, education programmes (e.g. phishing awareness) help reduce the risk level and limit the number of alerts security teams need to respond to.


10. Hire a managed security service

Many organisations are not equipped to handle incidents on their own. Swift and effective response requires experienced security operators. To ensure this, organisations should consider working with an outside resource such as a Managed Detection and Response (MDR) provider.

To sum it up, when a cybersecurity incident strikes, time is of the essence. Having a well-prepared, well-understood response plan that all key parties can immediately put into action will dramatically reduce the impact of an attack on an organisation.