fbpx

< Back to Thought Leadership

The Importance of Incident Response Plans – Containment & Eradication

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

This is the third installment in our five-part series on the importance of incident response planning as part of your cybersecurity program. The purpose of an Incident Response Plan is to proactively plan the actions you will take if you are faced with a serious cybersecurity event, while you are not responding to a stressful situation.

The first article discussed the preparation phase of the plan and last month we examined detection processes. As stated previously, The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Today, we are focusing on the next phase of the response plan which is Containment and Eradication. The containment and eradication phase of the plan is where the execution of tasks to solve the incident take place, at least in the short term.

Ransomware Incident Response Plan – Containment 

Containment deals with limiting the amount of damage that has happened or will potentially happen from a cybersecurity incident that has been detected.

For example, if a workstation or server has been infected with malware and is under the control of a remote attacker, you would consider disconnecting that machine from the network so the attack cannot spread further. You may also put a new firewall rule in place to block the path of the attacker. Finally, you should scan all the machines on the network to ensure the malware detected has not spread to other assets on the network.


Three Types of Cybersecurity Containment

The SANS Institute, a nonprofit cybersecurity think-tank considers containment from three perspectives:

  • Short-term containment—limiting damage before the incident gets worse, usually by isolating network segments, taking down hacked production server and routing to failover.
  • System backup—taking a forensic image of the affected system(s), and only then wipe and reimage the systems. This will preserve evidence from the attack that can be used in court, and for further investigation of the incident and lessons learned.
  • Long-term containment—applying temporary fixes to make it possible to bring production systems back up. The primary focus is removing accounts or backdoors left by attackers on the systems, and addressing the root cause—for example, fixing a broken authentication mechanism or patching a vulnerability that led to the attack.

Again, the purpose of this plan is to make decisions about what actions you are going to take when you are levelheaded and not in a stressful situation. This planning should also involve many containment strategies. Your strategy for containing a malware/ransomware attack is quite different than if you are trying to contain a Denial-of-Service attack. You should be considering how to contain each type of attack as part of your planning process.

Ransomware Incident Response Plan – Eradication

Eradication are the steps taken to remove the threat from the environment. This could range from simply identifying the malware from the machine and deleting it, to formatting the hard drive of the infected machine (and restoring backups/recovering data). This could also include having to disable breached users. During eradication, it is important to identify all affected computers within the organization so that they can be remediated.

The next article in the series will focus on the fourth phase of an incident response plan, Recovery: how do you get back to normal operations after you have contained and eradicated the incident?

If you would like to discuss incident response planning in more detail, feel free to reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.

overhead and standard costs

Monitoring Your Costs: A Guide to Overhead and Standard Costs

By Nancy Orben, CPA, Senior Manager at Blue & Co. Manufacturers typically incorporate overhead and labor costs into their bill of materials, regardless of the costing system used. It’s crucial […]

Learn More
golden 15 candles on a confetti background | Blue Named One of Indiana’s Best Places to Work for 15th Year

Blue Named One of Indiana’s Best Places to Work for 15th Year

CARMEL, Ind. (March 11, 2024) – Blue & Co., LLC is honored to be named among the Best Places to Work in Indiana by the Indiana Chamber of Commerce. This […]

Learn More
How not-for-profits can make use of artificial intelligence

Empowering Change: How Not-For-Profits Can Make Use of Artificial Intelligence

By Chad Nieter, Senior Manager at Blue & Co. Artificial intelligence (AI) is technology that enables computers and digital devices to learn, read, write, talk, see, create, play, analyze, make […]

Learn More