The Importance of Disaster Recovery & Business Continuity
You get to work at your usual time, and you go to log into your work computer. But instead of seeing the familiar login screen, you see a message that says:
"!!! Important Information !!!! All of your files are encrypted with RSA-2048 and AES-128 ciphers. Decrypting of your files is only possible with the private key and decrypt program, which is on our secret server. To receive your private key, follow one of the links:" ("Locky: Ransom.Locky," 2021)
You have been hit with ransomware, an increasingly widespread cyberattack that locks up all of your data until you pay a hefty fee. Your help desk section starts to receive phone calls from other departments in your organization, saying that many others have the same message on their screens. What do you do? Do you pay the fee? How important is the data on these machines? Is there a way to recover the data without paying the ransom? These are all questions you should have answers for inside your incident response plan, something that should have been prepared, implemented, and exercised before this day.
What is an incident response plan, and why is it needed?
Hopefully, with the above example, you can start to see why you need an effective incident response plan in place. The goal of an incident response plan is to have a step-by-step playbook to follow when disaster strikes. Think of it like a football team. A football team spends an entire week preparing for their opponent. They carefully craft plays and practice them before game day. Everyone on the team knows what they need to do when a particular play is called. Different plays are used in different situations depending on what the other team is doing. Incident response is very similar.
A good incident response plan will have instructions on what to do given a particular situation. Does the company get hit with ransomware? Follow the ransomware plan. What happens if customer data gets stolen? Follow your customer data leak plan. "An incident response plan ensures that in the event of a security breach, the right personnel and procedures are in place to effectively deal with a threat. Having an incident response plan in place ensures that a structured investigation can take place to provide a targeted response to contain and remediate the threat" (Fox, 2020). Without an incident response plan, your entire organization will be running around panicking, wondering what to do, and not handling the situation at all when disaster strikes—total chaos.
Keeping the Business Running
Let's face it, the entire purpose of an Information Technology (IT) department is to support the business from a technical standpoint. The mission is to ensure that people have the technology, tools, and networks to do their job. In the event of a disaster, people still need to be able to complete their work. Disasters range in scope, but the main threats we need to consider are natural disasters and cyberattacks.
When it comes to natural disasters, the main danger is loss of power. To keep bits flowing through your network, you should implement redundant power supplies and backup power sources for your critical infrastructure. Redundant power will ensure operations can continue despite the rest of the local area being without power. Another massive concern with natural disasters is property damage and loss of equipment. For this, it is a good idea to implement hot, warm, and cold sites. "Hot sites are essentially mirrors of your datacenter infrastructure. The backup site is populated with servers, cooling, power, and office space (if applicable). The most important feature offered from a hot site is that the production environment(s) are running concurrently with your main datacenter" (Segue Technologies, 2013). A cold site is a similar backup location for a disaster situation but does not offer the equipment needed to resume operations promptly (Techopedia, 2011). A warm site is a middle ground between the hot and cold site options.
When it comes to cyberattacks, there are many things to take into consideration. According to fortinet.com, the most common types of cyberattacks are denial-of-service, man-in-the-middle, phishing, ransomware, password, Structured Query Language (SQL) injection, Uniform Resource Locator (URL) interpretation, Domain Name System (DNS) spoofing, session hijacking, brute force, web, insider threats, trojan horses, drive-by, cross-site scripting (XSS), eavesdropping, birthday, and malware attacks. This list is a great baseline to get started with, but keep in mind that it is not a complete list of all the possible threats. The goal is to keep operations running despite an ongoing cyberattack, or at the very least, to return to normal operations as fast as possible.
Considerations when creating and implementing an incident response plan
According to the Incident Response Consortium, the five steps to take in creating an incident response plan are:
Take Stock of What's at Stake
Evaluate Your Risk Potential
Start Building an Action Plan
Form an Incident Response Team
Get Your Workforce Involved
David Ellis from SecurityMetrics says the six phases in the incident response plan are:
It is recommended to look at these sources and others to learn more about the intricacies of these steps and phases. This text serves as a bird's eye view of creating and implementing an incident response plan and is not an all-encompassing guide.
Without an incident response plan, you are in for very troubling and dark times when your business is struck by disaster. It is essential to understand the need to keep business continuity in the event of a natural disaster or cyberattack, or at the very least, resume operations as soon as possible. An incident response plan aids your organization by providing concise guidance when disaster strikes. Planning and implementing a good incident response plan is no easy task. It takes time and thought. However, resources outside this text can help your organization get started and follow through with your plan.
Ellis, D. (n.d.). 6 phases in the incident response plan. SecurityMetrics. https://www.securitymetrics.com/blog/6-phases-incident-response-plan
Fox, N. (2020, November 11). What is an incident response plan and how to create one. Varonis. https://www.varonis.com/blog/incident-response-plan/
Incident Response Consortium. (2017, December 1). A guide to creating an incident response plan. https://www.incidentresponse.com/a-guide-to-creating-an-incident-response-plan/
Locky: Ransom.Locky. (2021, March 18). Malwarebytes Labs. https://blog.malwarebytes.com/detections/ransom-locky/
Segue Technologies. (2013, November 20). The three stages of disaster recovery sites. https://www.seguetech.com/three-stages-disaster-recovery-sites/
Techopedia. (2011, August 18). What is cold site? - Definition from Techopedia. https://www.techopedia.com/definition/998/cold-site