By Joshua Goddard, 7Safe Cyber Incident specialist
A version of this article was first published by 7Safe, PA's technical security and cyber education business.
Unless you’ve been living in a faraway cave for the past few days, you’ll have been following the ‘cyber pandemic’ hitting public and private sector organisations worldwide. The so-called WannaCry ransomware attack has infected hundreds of thousands of computers globally running the Microsoft Windows operating system.
The attack was so bad because organisations failed to patch their systems in a timely manner as they weren't prepared for it. How was a delivery company able to keep delivering parcels, while a car manufacturer had to halt its production line? The answer is likely that one had a tried and tested incident response plan – the other didn’t.
Why do you need an incident response plan?
So you don’t have to halt your production lines – at least not for very long. An incident response plan is a necessity for any organisation that relies on IT – ie every organisation. It helps an organisation prepare, respond to and follow up on any cyber attack. It defines exactly who should be doing what, where, and in what situation. It’s the go-to document your entire IT team should have access to at 9pm on a Friday evening because an adversary has inconsiderately launched some heinous act against you outside of normal business hours. You need it to save your bacon.
What should your incident response plan contain?
Phase 1 – Preparation
“The best way we can avoid getting hit is to make ourselves a smaller target.”
The preparation part of your plan will identify threats, vulnerabilities and preventative or proactive measures to implement. It’ll schedule regular assessments on infrastructure vulnerability through scenarios and rehearsals. It’ll also keep track of who knows what – a training log and education framework is essential. From this planning, you’ll implement appropriate controls. Then review and repeat. Ensure you make a note of which drawer the frozen peas are in – you will get hit, and it will hurt.
This global cyber attack was a first for many organisations. Their incident response plans should’ve recognised worming ransomware as a threat. The scenario should have been played out, and controls should have been in place to prevent it, or at least help manage it (eg process execution and file integrity monitoring).
Phase 2 – Response
“We’ve been hit. The evil software is wriggling its way through our systems!”
This part of your plan will clearly outline what systems you have, what they should be doing and how they talk to each other. This will help you identify exactly what’s going on and what might happen next. From here, you can form a plan of attack (or defence) with policy on how you can eliminate or contain any threat, and restore systems to business-as-usual if necessary. Keep the peas pressed on for now.
In the recent attack, the immediate response should have been to stop the ransomware from spreading by limiting how it communicates. The malicious processes encrypting data should have been terminated. Systems that weren’t infected should have been patched. For systems where the response wasn’t quick enough, data should have been restored from the latest backup and patched.
Phase 3 – Follow-up
“Thank goodness that’s over. Is it really over? Why did we get hit? What actually happened? Management are all over my back – it all happened so fast!”
This part of your plan will outline the scope of the investigation and reporting following an incident. It will explain how to critically review the incident and any action taken, as well as detailing how to report such information and to whom.
In this attack, after systems were back online and nothing more malicious could be found, the ‘how?’ should have been identified and reported. The incident response plan should have been modified according to any lessons learnt.
So how do I make an incident response plan?
Get your cyber security team together and talk it through. Identify a core team of incident responders responsible for the plan and its execution. Incident responders require a very broad, but very specialist, set of skills. They need to be skilled in cyber security, operating systems, networks, digital forensics, threat hunting and investigation.