So How’s Your Incident Response Plan Feeling These Days?
The pipeline attack, the Solarwinds attack, now the Kaseya attack….this is not going away.
Welcome to our new normal in cybersecurity and IT.
If you haven’t figured it out by now, you need a solid incident response plan and you need it now.
Here are six things you can do today to reduce your risk related to incident response. The likelihood is that you will experience a ransomware attack, so the question is how you respond when it happens. I guess it goes without saying you should have robust anti-virus/anti-malware and monitoring solutions in place, but in case you haven’t done that already, that should be your first stop.
1. Ensure you have an inventory of all your electronic systems
If you don’t know what you have and where it resides, you can’t possibly protect your systems. This is basic 101 stuff, but if you find yourself in the dark, this should be your first priority.
2. Ensure you have an inviolable backup of your data
Many attacks replicate into backup data, so having a solution in place that will ensure you can recover, even if it’s back a couple of weeks, will be important. Of course, conducting a business impact analysis (BIA) as input to your Disaster Recovery Plan (DRP) is important, but if you don’t already have that data, start with protecting your backups.
3. Ensure you know where every server is and how it is connected
Is it on the local network, is it Internet connected, is it on a segmented VLAN, is it connected to a third party via a VPN connect? In front of or behind your firewall? In the DMZ? If you haven’t, consider disabling server VPN connections by default unless there is a compelling requirement to leave it always on.
4. Require 2 factor authentication
to get into systems from outside the network. Require 2FA to use Administrative credentials. This may not stop attacks that are delivered via software updates, but in some cases, it might slow the attack or prevent it from spreading.
5. Implement automation that monitors servers, file shares, Admin and users accounts
set to automatically disable any account that starts encrypting files and configure the system to send real-time text alerts. Oh, and make sure those alerts go to people who can and will respond, whether that's your Service Desk or your on-call team or your IT leadership team or all of the above.
6. Update your incident response plan
to reflect the most likely attack scenarios. Use recent attacks to understand current attack vectors and compare your response plans to those attacks.
Practice your incident response via tabletop exercises every month. Yes, every month. What’s practiced is what’s done in an emergency - just ask firefighters or Emergency Room teams. And, if you need help, reach out to a trusted vendor to assist in assessing and addressing gaps.
This is not a comprehensive list by any stretch, but these are top of mind things that you, your IT leadership, your organizational leadership and your Board of Directors will be looking at and asking about (and if they don't, they should).
This is serious business and while you may not be able to prevent being attacked, you certainly can contain the impact so you recover more quickly. Nothing can protect our systems 100%, but we can work to reduce our risk, especially by covering the basics.