
The Importance of Incident Response Plans – Containment & Eradication

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

This is the third installment in our five-part series on the importance of incident response planning as part of your cybersecurity program. The purpose of an Incident Response Plan is to decide in advance, while you are not in the middle of a stressful situation, what actions you will take if you are faced with a serious cybersecurity event.

The first article discussed the preparation phase of the plan, and last month we examined detection processes. As stated previously, the National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Today, we are focusing on the next phase of the response plan, Containment and Eradication. This is the phase of the plan where the tasks that actually resolve the incident, at least in the short term, are carried out.

Ransomware Incident Response Plan – Containment

Containment deals with limiting the damage that has already happened, or could still happen, from a cybersecurity incident that has been detected.

For example, if a workstation or server has been infected with malware and is under the control of a remote attacker, you would consider disconnecting that machine from the network so the attack cannot spread further. You may also put a new firewall rule in place to block the path of the attacker. Finally, you should scan all the machines on the network to ensure the malware detected has not spread to other assets on the network.

Three Types of Cybersecurity Containment

The SANS Institute, a nonprofit cybersecurity think-tank, considers containment from three perspectives:

  • Short-term containment—limiting damage before the incident gets worse, usually by isolating network segments, taking down a hacked production server and routing to failover.
  • System backup—taking a forensic image of the affected system(s), and only then wiping and reimaging them. This preserves evidence from the attack that can be used in court, and supports further investigation of the incident and lessons learned.
  • Long-term containment—applying temporary fixes to make it possible to bring production systems back up. The primary focus is removing accounts or backdoors left by attackers on the systems, and addressing the root cause—for example, fixing a broken authentication mechanism or patching the vulnerability that led to the attack.

Again, the purpose of this plan is to make decisions about what actions you are going to take while you are levelheaded and not in a stressful situation. This planning should also cover more than one containment strategy. Your strategy for containing a malware/ransomware attack is quite different from the one for containing a Denial-of-Service attack, so you should consider how to contain each type of attack as part of your planning process.

Ransomware Incident Response Plan – Eradication

Eradication is the set of steps taken to remove the threat from the environment. This could range from simply identifying the malware on the machine and deleting it, to formatting the hard drive of the infected machine (and restoring backups/recovering data). It may also include disabling compromised user accounts. During eradication, it is important to identify all affected computers within the organization so that every one of them can be remediated.
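One way to make the ordering rules above hard to skip under pressure (forensic image before any wipe or reimage, isolation before scanning or cleaning, and a different step list for ransomware than for a Denial-of-Service attack) is to encode the playbook as data and check it before execution. This is an added example, not code from the article or from Blue & Co.; the step names, prerequisite rules and playbooks are constructed assumptions.

```python
"""Containment/eradication playbook checker (added example, constructed data).

PREREQUISITES maps a step to the steps that must already be complete.
The rules mirror the article: image the disk before wiping it, and
isolate a host before scanning or cleaning it.
"""

PREREQUISITES = {
    "isolate_host": set(),
    "block_attacker_firewall_rule": set(),
    "forensic_image": {"isolate_host"},          # evidence first
    "scan_network": {"isolate_host"},            # stop spread, then look for it
    "remove_malware": {"forensic_image"},        # never clean an un-imaged host
    "wipe_and_reimage": {"forensic_image"},      # never wipe an un-imaged host
    "disable_compromised_accounts": set(),
    "rate_limit_upstream": set(),
    "route_to_failover": set(),
}

# Constructed playbooks: ransomware and DoS need different containment steps.
PLAYBOOKS = {
    "ransomware": ["isolate_host", "block_attacker_firewall_rule", "forensic_image",
                   "scan_network", "disable_compromised_accounts", "wipe_and_reimage"],
    "dos": ["block_attacker_firewall_rule", "rate_limit_upstream", "route_to_failover"],
}


def validate(steps):
    """Return a list of violations; an empty list means the order is safe."""
    done, problems = set(), []
    for step in steps:
        missing = PREREQUISITES.get(step, set()) - done
        if missing:
            problems.append(f"{step} scheduled before {sorted(missing)}")
        done.add(step)
    return problems


def order_steps(steps):
    """Reorder `steps` so every prerequisite runs first, keeping the
    author's order wherever the rules allow. Raises if a required
    prerequisite (e.g. forensic_image before wipe) is absent entirely."""
    required = set().union(*(PREREQUISITES.get(s, set()) for s in steps))
    if required - set(steps):
        raise ValueError(f"playbook is missing required steps: {sorted(required - set(steps))}")
    remaining, ordered, done = list(steps), [], set()
    while remaining:
        ready = next(s for s in remaining if PREREQUISITES.get(s, set()) <= done)
        remaining.remove(ready)
        ordered.append(ready)
        done.add(ready)
    return ordered
```

Run `validate` against every playbook during plan review, not during an incident, so that a missing forensic image is caught while everyone is still levelheaded.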

The next article in the series will focus on the fourth phase of an incident response plan, Recovery: how do you get back to normal operations after you have contained and eradicated the incident?

If you would like to discuss incident response planning in more detail, feel free to reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.
