From determining key stakeholders to identifying critical assets to deploying protection tools, here’s how your organization can draw up a plan.
Believe it or not, a ransomware detonation or other visible cyberattack is usually the last sign that an adversary has breached an organization's network, not the first. By the time it is obvious that a business has been victimized, the attackers have typically been lurking for days, if not months. The question is, if attacks take that long to execute, can organizations prepare so that they can act in real time and minimize the damage?
The best way forward for businesses is to have a structured incident response plan, so they can act as fast as possible when under an active attack.
Sophos recommends the following 10 steps to create an effective cybersecurity incident response plan, based on the real-world experience of its Sophos Managed Threat Response and Sophos Rapid Response teams, which have tens of thousands of hours of experience dealing with cyberattacks.
10 steps to create an effective cybersecurity incident response plan
1. Determine key stakeholders
Properly planning for a potential incident is not the sole responsibility of security teams. In fact, an incident will likely impact almost every department in an organization, especially if the incident turns into a full-scale breach. To properly coordinate a response, organizations must first determine who should be involved. This often includes representation from senior management, security, IT, legal, and public relations.
2. Identify critical assets
Organizations next need to identify their highest-priority assets. Mapping these out helps shape the protection strategy in advance and, when an incident occurs, makes it much easier to determine the scope and impact of the attack.
3. Run tabletop exercises
Incident response is like many other disciplines – practice makes perfect. While it is difficult to fully replicate the intense pressure teams will experience during a real breach, practice exercises ensure a more tightly coordinated and effective response when a real situation occurs. It is important to run not only technical tabletop exercises, but also broader exercises that include the various business stakeholders previously identified.
4. Deploy protection tools
The best way to deal with an incident is to protect against it in the first place. Organizations should ensure they are using appropriate endpoint, network, server, cloud, mobile, and email protection.
5. Ensure maximum visibility
Without proper visibility into what is happening during an attack, organizations will struggle to respond appropriately. Before an attack occurs, IT and security teams should ensure they have the telemetry needed to determine the scope and impact of an attack, including the adversary's entry points and points of persistence.
6. Implement access control
Attackers can leverage weak access control to infiltrate an organization's defenses and escalate privileges. Organizations should regularly verify that access is granted on a least-privilege basis and that privileged accounts in particular are properly controlled.
7. Invest in investigation tools
In addition to ensuring the necessary visibility, organizations should invest in tools that provide the necessary context during an investigation.
Some of the most common tools used for incident response are Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR), which allow organizations to hunt across their environment for indicators of compromise (IOCs) and indicators of attack (IOAs).
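The hunt described above, as an added example that is not Sophos's code or any EDR/XDR product's API: a small script that applies both kinds of indicator to endpoint telemetry. IOCs are matched against a feed of known-bad hashes, IPs and domains; IOAs are behavioural rules (an Office application spawning a scripting host, and a scheduled task pointing at a user-writable path, a common persistence spot). The feed, the JSON-lines telemetry, the hostnames and the hash are all constructed for the example, and the rules are illustrative, not a product's rule set.

```python
"""Minimal IOC/IOA hunt over constructed endpoint telemetry.

Added example, not a Sophos or EDR/XDR product component. Every
indicator, host name and log line below is constructed for illustration.
"""
import json
from dataclasses import dataclass
from typing import Iterable

# Constructed IOC feed, shaped like what an analyst imports from an advisory.
IOC_FEED = {
    "sha256": {"deadbeef" * 8},          # constructed 64-hex hash
    "ipv4": {"203.0.113.45"},            # TEST-NET-3 documentation range
    "domain": {"update-cdn.example"},    # reserved .example TLD
}

# Behavioural (IOA) rule parameters: illustrative, not exhaustive.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass
class Finding:
    host: str
    kind: str       # "ioc" or "ioa"
    rule: str
    evidence: str


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines telemetry; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def hunt_iocs(events: list[dict], feed: dict = IOC_FEED) -> list[Finding]:
    """Exact-match hunt: does any event reference a known-bad artifact?"""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev.get("sha256", "").lower() in feed["sha256"]:
            findings.append(Finding(host, "ioc", "known_bad_hash", ev["sha256"]))
        if ev.get("dst_ip") in feed["ipv4"]:
            findings.append(Finding(host, "ioc", "known_bad_ip", ev["dst_ip"]))
        if ev.get("dst_domain", "").lower() in feed["domain"]:
            findings.append(Finding(host, "ioc", "known_bad_domain", ev["dst_domain"]))
    return findings


def hunt_ioas(events: list[dict]) -> list[Finding]:
    """Behavioural hunt: patterns that are suspicious regardless of any feed."""
    findings = []
    for ev in events:
        host = ev.get("host", "?")
        if ev.get("type") == "process":
            parent = ev.get("parent", "").lower()
            image = ev.get("image", "").lower()
            if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
                findings.append(Finding(host, "ioa", "office_spawns_script_host",
                                        f"{parent} -> {image}"))
        elif ev.get("type") == "schtask":
            # Persistence via a scheduled task whose binary lives where any user can write.
            if ev.get("action", "").lower().startswith(USER_WRITABLE):
                findings.append(Finding(host, "ioa", "schtask_user_writable_path",
                                        ev["action"]))
    return findings


def hunt(lines: Iterable[str], feed: dict = IOC_FEED) -> list[Finding]:
    events = parse_events(lines)
    return hunt_iocs(events, feed) + hunt_ioas(events)


def hosts_to_scope(findings: list[Finding]) -> list[str]:
    """Hosts with at least one finding: the starting scope for containment."""
    return sorted({f.host for f in findings})


# Constructed telemetry: one IOA process chain, two network IOCs, one
# persistence IOA, one benign process, one file-hash IOC, one malformed line.
SAMPLE_TELEMETRY = r"""
{"host":"ws-042","type":"process","parent":"WINWORD.EXE","image":"powershell.exe"}
{"host":"ws-042","type":"network","dst_ip":"203.0.113.45","dst_domain":"update-cdn.example"}
{"host":"srv-db-01","type":"schtask","action":"C:\\ProgramData\\svc\\updater.exe"}
{"host":"ws-017","type":"process","parent":"explorer.exe","image":"powershell.exe"}
{"host":"ws-017","type":"file","sha256":"deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"}
this line is not JSON and must not abort the hunt
"""

if __name__ == "__main__":
    results = hunt(SAMPLE_TELEMETRY.splitlines())
    for f in results:
        print(f"{f.host:10} {f.kind.upper()} {f.rule:28} {f.evidence}")
    print("scope:", hosts_to_scope(results))
```

The two hunts deliberately differ in character: the IOC pass is only as good as the feed and goes stale, while the IOA rules catch behaviour no feed has seen yet but need tuning against benign activity (note that `explorer.exe` launching PowerShell is not flagged). The `hosts_to_scope` output is the list a responder would use to start the containment actions discussed under step 8.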
8. Establish response actions
Detecting an attack is only part of the process. To properly respond, IT and security teams need to ensure they can carry out a wide range of remedial actions to disrupt and neutralize an attacker, such as isolating a compromised host, terminating malicious processes, and revoking compromised credentials.
9. Conduct awareness training
While no training program will ever be 100% effective against a determined adversary, education programs (e.g. phishing awareness) help reduce the risk level and limit the number of alerts security teams need to respond to.
10. Hire a managed security service
Many organizations are not equipped to handle incidents on their own. Swift and effective response requires experienced security operators. To ensure this, organizations should consider working with an outside resource such as a Managed Detection and Response (MDR) provider.
To sum it up, when a cybersecurity incident strikes, time is of the essence. Having a well-prepared, well-understood response plan that all key parties can immediately put into action will dramatically reduce the impact of an attack on an organization.
This article has been authored by Sunil Sharma, Managing Director – Sales, Sophos India and SAARC.