< Back to Thought Leadership

The Importance of Incident Response Plans – Containment & Eradication

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

This is the third installment in our five-part series on the importance of incident response planning as part of your cybersecurity program. The purpose of an Incident Response Plan is to proactively plan the actions you will take if you are faced with a serious cybersecurity event, while you are not responding to a stressful situation.

The first article discussed the preparation phase of the plan and last month we examined detection processes. As stated previously, The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Today, we are focusing on the next phase of the response plan which is Containment and Eradication. The containment and eradication phase of the plan is where the execution of tasks to solve the incident take place, at least in the short term.

Ransomware Incident Response Plan – Containment 

Containment deals with limiting the amount of damage that has happened or will potentially happen from a cybersecurity incident that has been detected.

For example, if a workstation or server has been infected with malware and is under the control of a remote attacker, you would consider disconnecting that machine from the network so the attack cannot spread further. You may also put a new firewall rule in place to block the path of the attacker. Finally, you should scan all the machines on the network to ensure the malware detected has not spread to other assets on the network.

Three Types of Cybersecurity Containment

The SANS Institute, a nonprofit cybersecurity think-tank considers containment from three perspectives:

  • Short-term containment—limiting damage before the incident gets worse, usually by isolating network segments, taking down hacked production server and routing to failover.
  • System backup—taking a forensic image of the affected system(s), and only then wipe and reimage the systems. This will preserve evidence from the attack that can be used in court, and for further investigation of the incident and lessons learned.
  • Long-term containment—applying temporary fixes to make it possible to bring production systems back up. The primary focus is removing accounts or backdoors left by attackers on the systems, and addressing the root cause—for example, fixing a broken authentication mechanism or patching a vulnerability that led to the attack.

Again, the purpose of this plan is to make decisions about what actions you are going to take when you are levelheaded and not in a stressful situation. This planning should also involve many containment strategies. Your strategy for containing a malware/ransomware attack is quite different than if you are trying to contain a Denial-of-Service attack. You should be considering how to contain each type of attack as part of your planning process.

Ransomware Incident Response Plan – Eradication

Eradication are the steps taken to remove the threat from the environment. This could range from simply identifying the malware from the machine and deleting it, to formatting the hard drive of the infected machine (and restoring backups/recovering data). This could also include having to disable breached users. During eradication, it is important to identify all affected computers within the organization so that they can be remediated.

The next article in the series will focus on the fourth phase of an incident response plan, Recovery: how do you get back to normal operations after you have contained and eradicated the incident?

If you would like to discuss incident response planning in more detail, feel free to reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.

Indiana Sales Tax Changes for Nonprofits

By: Angela Crawford, CPA, Senior Manager The recently enacted Senate Enrolled Act (SEA) 382 (2022) makes significant changes in the way not-for-profit organizations purchase and sell items exempt from sales tax. Sales tax information Bulletin 10 has been revised to reflect these changes. While sales tax-specific changes are detailed within the bulletin, here are the […]

Learn More
Facility Emergency Department Leveling | Stethoscope laying on top of financial reports | Blue & Co., LLC

Is Your Current Facility Emergency Department Leveling Process Working?

Blue & Co. has performed many Emergency Department Leveling Reviews for hospitals. The two most utilized leveling criteria are “points-based” or “intervention-based.” In either case, each hospital must determine which facility resources (or attributes) to include within its criteria, and how these resources crosswalk into ED visit levels (99281-99285). This can create significant reimbursement differences […]

Learn More
Cybersecurity in the Construction Industry

Cybersecurity in the Construction Industry

By: Tom Skoog, Cybersecurity & Data Management Practice Leader Cybersecurity for the construction industry is a growing challenge. The industry is moving towards digital connectivity, not only across the supply chain, but also ‘on site’ as more metrics related to performance, progress, and health & safety are monitored in ‘real time’. This increase in connectivity […]

Learn More