< Back to Thought Leadership

The Importance of Incident Response Plans – Containment & Eradication

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

This is the third installment in our five-part series on the importance of incident response planning as part of your cybersecurity program. The purpose of an Incident Response Plan is to proactively plan the actions you will take if you are faced with a serious cybersecurity event, while you are not responding to a stressful situation.

The first article discussed the preparation phase of the plan and last month we examined detection processes. As stated previously, The National Institute of Standards and Technology (NIST) has developed a framework that all incident response plans should consider, including:

Today, we are focusing on the next phase of the response plan which is Containment and Eradication. The containment and eradication phase of the plan is where the execution of tasks to solve the incident take place, at least in the short term.

Ransomware Incident Response Plan – Containment 

Containment deals with limiting the amount of damage that has happened or will potentially happen from a cybersecurity incident that has been detected.

For example, if a workstation or server has been infected with malware and is under the control of a remote attacker, you would consider disconnecting that machine from the network so the attack cannot spread further. You may also put a new firewall rule in place to block the path of the attacker. Finally, you should scan all the machines on the network to ensure the malware detected has not spread to other assets on the network.

Three Types of Cybersecurity Containment

The SANS Institute, a nonprofit cybersecurity think-tank considers containment from three perspectives:

  • Short-term containment—limiting damage before the incident gets worse, usually by isolating network segments, taking down hacked production server and routing to failover.
  • System backup—taking a forensic image of the affected system(s), and only then wipe and reimage the systems. This will preserve evidence from the attack that can be used in court, and for further investigation of the incident and lessons learned.
  • Long-term containment—applying temporary fixes to make it possible to bring production systems back up. The primary focus is removing accounts or backdoors left by attackers on the systems, and addressing the root cause—for example, fixing a broken authentication mechanism or patching a vulnerability that led to the attack.

Again, the purpose of this plan is to make decisions about what actions you are going to take when you are levelheaded and not in a stressful situation. This planning should also involve many containment strategies. Your strategy for containing a malware/ransomware attack is quite different than if you are trying to contain a Denial-of-Service attack. You should be considering how to contain each type of attack as part of your planning process.

Ransomware Incident Response Plan – Eradication

Eradication are the steps taken to remove the threat from the environment. This could range from simply identifying the malware from the machine and deleting it, to formatting the hard drive of the infected machine (and restoring backups/recovering data). This could also include having to disable breached users. During eradication, it is important to identify all affected computers within the organization so that they can be remediated.

The next article in the series will focus on the fourth phase of an incident response plan, Recovery: how do you get back to normal operations after you have contained and eradicated the incident?

If you would like to discuss incident response planning in more detail, feel free to reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at tskoog@blueandco.com.

2023 E/M Coding Changes You Need to Know from the Physician Fee Schedule Final Ruling

New rules for reporting evaluation and management (E/M) services in most places of service took effect January 1, 2023. The coding and documentation revisions, adopted by the American Medical Association’s CPT Editorial Panel and approved by the Centers for Medicare and Medicaid Services (CMS), substantially simplify code selection and documentation. Effective January 1st, E/M services […]

Learn More

Consolidated Appropriations Act of 2023 Changes Impacting Rural Health Clinics

The Consolidated Appropriations Act of 2023, also known as the “Omnibus” package, was signed into law by President Biden on December 29, 2022. Rural Health Clinics (RHCs) need to be aware of some of the changes that will impact them including new grant opportunities and behavioral health provisions. Opportunities for Rural Health Clinics from the […]

Learn More
someone handing car keys to another person personal use of auto

The Importance of Personal vs. Business Use of Auto

By Pam Swartout, Manager and Jacoby Shade, Staff Accountant at Blue & Co. Many business owners provide a company vehicle to their employees as part of their employment. This is a company benefit that has tax implications and is extremely important for both the employer and employee to understand these implications. Employers can deduct only […]

Learn More