“What is an Incident Response Plan (IRP)?”

I asked three friends and professionals with decades of Information Technology (IT) and Cyber Security experience this question. As expected, they all had different explanations of what an IRP means to them. They all had the same general concept of how an IRP should be constructed and acted upon. However, when I asked, “What is your role in the unlikely chance that a security event kicks off an IRP response at your company?” they struggled to find a real-life example of what they would do in their specific companies. I followed up with one last question, “When is the last time you read your Incident Response policy?” Crickets.


In today’s 21st-century business environment, it is imperative for the longevity of your business that you have a well-defined and organized IRP in place. It doesn’t need to be perfect, but it should have basic guidelines for every employee to follow. Some basics are:

  • Plan out your list of roles and responsibilities
  • Identify and document the critical parts to your infrastructure
  • Document the tools you need to triage an Incident Response
  • List out your communication (internal and external) plan
  • Include your business continuity plan


These are basic things you should have in your IRP, but there is one more thing I would highly recommend: a runbook (also known as a playbook). Think of it as an offensive or defensive playbook for a football team. A runbook outlines the steps for how to respond to malware, ransomware, DDoS, network outages, phishing, and much more.


Early in 2019, Conversant Group’s after-hours help desk was contacted to assist with a company’s computer problems. Their problem was not a simple one; they had been hit with ransomware and it was rapidly spreading across their network. This made it easy to identify their problem, as most of their computers displayed a message notifying them that they had ransomware, with instructions on how to “fix the problem”. Our Cyber Security Incident Response Team (CSIRT) quickly began the “containment” phase of our IRP Runbook. This phase took some time to accomplish because there were several bits of crucial network infrastructure information we desperately needed (for more details, see our whitepaper that explains our entire ordeal dealing with this ransomware attack, and some limiting factors we encountered).

After everything was contained, it was time to start the “eradication” phase. This phase can be very time-consuming and is often the most stressful (especially when dealing with ransomware). Eventually, we were confident that all traces of the ransomware were eradicated, so we began the time-consuming process of “recovery” to normal operations. Lastly, we started the most important phase of all: “Post-Incident Activity” (commonly called “lessons learned”). This may not seem like an important phase, but that couldn’t be further from the truth. This process deals with how to apply the hard-won experience the company just earned to implement correct Defense in Depth mitigating controls and, more importantly, the correct software configuration for your security appliances.

Another important thing we need to address: if the executive leadership team within your company does not buy into the IRP process, then there is no point in implementing an IRP framework. There are products on the market such as KnowBe4 that will help you ensure that your users have both read and accepted general policies. Computer threats are an unfortunate reality that we all must live with. It is sad but true. That is why having a plan to react to a security “event” is just plain smart. It may seem confusing at times. You may even feel like you’re in an Abbott and Costello “Who’s on First” skit, but you must have a well-designed (and regularly tested) IRP.

Finally, at the bottom of this blog are resources you might need to help your IRP. If you still need help, consider giving Conversant Group a call… we know a few things about IT and cybersecurity.


Resources:

  • Critical Log Review Checklist for Security Incidents
  • Network DDoS Incident Response Cheat Sheet
  • Presentation: Incident Response with Modest Resources
  • Incident Response Jumpkit Checklist
  • IT Security Incident Reporting Form
  • Incident Response Evidence Chain-of-Custody Tracking Form
  • Initial Security Incident Questionnaire for Responders
  • Security Incident Survey Cheat Sheet for Server Administrators
  • Incident Response with Modest Resources Presentation – Scenic City Summit
  • Ransomware Case Study