By: Tom Skoog, Cybersecurity & Data Management Practice Leader
This is the third installment in our five-part series on the importance of incident response planning as part of your cybersecurity program. The purpose of an Incident Response Plan is to proactively plan the actions you will take if you are faced with a serious cybersecurity event, while you are not responding to a stressful situation.
The first article discussed the preparation phase of the plan and last month we examined detection processes. As stated previously, The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:
- Detection & Analysis
- Containment & Eradication
- Post Incident Activity: Lessons Learned
Today, we are focusing on the next phase of the response plan which is Containment and Eradication. The containment and eradication phase of the plan is where the execution of tasks to solve the incident take place, at least in the short term.
Ransomware Incident Response Plan – Containment
Containment deals with limiting the amount of damage that has happened or will potentially happen from a cybersecurity incident that has been detected.
For example, if a workstation or server has been infected with malware and is under the control of a remote attacker, you would consider disconnecting that machine from the network so the attack cannot spread further. You may also put a new firewall rule in place to block the path of the attacker. Finally, you should scan all the machines on the network to ensure the malware detected has not spread to other assets on the network.
Three Types of Cybersecurity Containment
The SANS Institute, a nonprofit cybersecurity think-tank considers containment from three perspectives:
- Short-term containment—limiting damage before the incident gets worse, usually by isolating network segments, taking down hacked production server and routing to failover.
- System backup—taking a forensic image of the affected system(s), and only then wipe and reimage the systems. This will preserve evidence from the attack that can be used in court, and for further investigation of the incident and lessons learned.
- Long-term containment—applying temporary fixes to make it possible to bring production systems back up. The primary focus is removing accounts or backdoors left by attackers on the systems, and addressing the root cause—for example, fixing a broken authentication mechanism or patching a vulnerability that led to the attack.
Again, the purpose of this plan is to make decisions about what actions you are going to take when you are levelheaded and not in a stressful situation. This planning should also involve many containment strategies. Your strategy for containing a malware/ransomware attack is quite different than if you are trying to contain a Denial-of-Service attack. You should be considering how to contain each type of attack as part of your planning process.
Ransomware Incident Response Plan – Eradication
Eradication are the steps taken to remove the threat from the environment. This could range from simply identifying the malware from the machine and deleting it, to formatting the hard drive of the infected machine (and restoring backups/recovering data). This could also include having to disable breached users. During eradication, it is important to identify all affected computers within the organization so that they can be remediated.
The next article in the series will focus on the fourth phase of an incident response plan, Recovery: how do you get back to normal operations after you have contained and eradicated the incident?
If you would like to discuss incident response planning in more detail, feel free to reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at firstname.lastname@example.org.