For the last several years, the news of companies being breached has grown exponentially. These breaches may have been ransomware incidents, data exfiltration, or account compromises. They seem to be multiplying daily and are not limited to a particular industry or company size. You have probably asked yourself what you would do if it happened to your company. The time to think about what to do is before it happens. Being prepared to deal with a breach goes a long way towards a quick recovery and returning your company to business as usual. The best time to find and engage a trusted incident response partner is before an incident happens. Googling for help after an incident occurs, and you are in the middle of a firefight, is not an ideal situation.
What Do I Do First?
Plan, plan, plan – no matter how many times we hear it and admit that it makes perfect sense, this critical step is often put off because we all think we have time to get to it later. Unfortunately the next time it’s remembered is when a breach has actually occurred, when it’s too late.
Start by identifying a core team that will be assembled quickly when disaster strikes. Every member of that team must be assigned a role and must understand exactly what that role entails. At a minimum these three roles are key.
- Primary contact – Someone that will call the team together and interact with all the parties that will assist with the incident.
- Technical contact – This person should have, or be able to quickly get access to the systems and resources necessary to assist with an incident investigation.
- Communications – Informing senior management, legal, regulatory agencies and insurance companies is a key role and some prepared scripts that can easily be customized are ideal to have on hand.
Once this core team has been identified, they can work together to find a trusted incident response firm that can be either retained to be on call for any incident or, usually at a higher cost, be called in on an emergency basis when a breach has occurred. When identifying this critical resource, talk to your peers and other trusted partners about their experience and knowledge. It will be easier and more effective than a Google search, which can easily turn up hundreds of companies near and far. Come up with a short list of desirable companies and finalize the list by meeting with all of them and determining if they are a fit for your company. Questions to ask when discussing the engagement should include things like experience, tools they use, response time, and what the end product of an investigation would look like.
One component of responding to an incident often overlooked is recovery. In addition to identifying the breach method, and possibly responsible actor(s) as well as stopping them, if they are still in your network, putting everything back to normal quickly is paramount. This may include rebuilding systems, patching them, restoring data from backups, etc. Having a partner to help during recovery is just as critical as having an IR partner ready. Ensure that you identify one using the same thorough vetting process you did with your IR partner.
I Have my Team, IR and Recovery Partners – Now What?
Using the previously identified roles, come up with an action plan that defines what each one of them will be responsible for once a breach has been identified. Similar to a disaster recovery plan, this will allow everyone to be able to perform their function without having to make it up in the middle of a firefight.
Having created a plan, shared it with all stakeholders and gotten buy in is only the foundation. To be successful when calling this plan into action you must practice, practice, practice. It is very important to perform regular, at least twice a year (more often is better) tabletop exercises where the team is called together and a mock response is stepped through. During these exercises, responses can be tuned and corrected to ensure everyone clicks, and performs as expected. Ideally at least once a year this tabletop exercise should be performed unannounced to see how everyone performs in a crunch.
Do engage your IR and recovery partners during these practice runs to ensure you will all be in sync when the time comes. In addition their experience and expertise can help you to tweak your plans for effectiveness.
All Is in Place - Feel Better Now?
Having gone through all the preparation should make you and your team more comfortable with your ability to react and recover from a breach and be able to get back to normal operations quickly. Remember, plan and practice as often and possible and when the breach happens, the recovery process will be less stressful and have a bigger chance of success.
Getting Started – Where Can I Go for Help?
Gotham Technology Group offers a low cost IR & Remediation retainer that can get you started and assist with all of the above.
The service includes:
- Incident Response: Trained and experienced incident response analysts, cybersecurity experts who will ascertain the scope and depth of the incident.
- Systems Remediation: A team of senior remediation engineers who will in parallel initiate the recovery process and begin the work of assisting you in restoring your environment to a pristine state.
- Service Level Guarantee: 30-minute response to any security breach.
- Remediation Time: Enables an immediate start to recovery efforts and unused hours never expire.
- Quarterly IR Preparedness Reviews: Review of current external threats and review of your incident response plan as well as assistance with tabletop exercises.
Please contact your Gotham sales representative or firstname.lastname@example.org for further information.