dcontesti
Community Champion

Cheat sheet for Incident Response

This cheat sheet was developed by Cyber Security News.
I believe it is a good guideline; however, I would change number 3 to Step 0 or 1B.
My thought process is that during any Disaster/Incident, alerting your team early allows them to begin the work that they need to perform (this should be according to the plan that has been developed). I could be wrong and would appreciate others' opinions.
3 Replies
Caute_cautim
Community Champion

@dcontesti I recently did an RFP (Request For Proposal) on a Ransomware incident response plan, to show lessons learnt during that process and to indicate experience, etc.
Forming an Incident Response team at Stage 3 is far too late, especially for Ransomware incidents. This should already be in the Incident Playbook, practiced regularly by the team and executives. There is no mention of reporting early on to the Mandatory Cybersecurity Emergency Response team, which may be a government entity, or to the Privacy Commissioner's Office, etc.
Step 5 is too late. Minutes count in a Ransomware incident scenario; employees need to be instructed on what to do via cyber security awareness training, and isolation is key to reducing the impact. If you have to verify your backups at the point of realisation, it is far too late.
There are many issues with this simplified list. Nice attempt, but not good in practice.
The Public Relations Officer or PR person needs to have set messages far earlier in the process. If the attack has progressed and is indicating outages to clients outside of the organisation, prepared messages are essential; do not leave it to Step 8.
I agree with Step One; however, with no training, no practice and no understanding, unfamiliar human beings will often go into "headless chicken mode" regardless of gender.
Regards

Caute_Cautim
Caute_cautim
Community Champion

@dcontesti Here are some interesting links:
https://www.cert.govt.nz/information-and-advice/guides/how-ransomware-happens-and-how-to-stop-it/
https://www.incidentresponse.com/mini-sites/playbooks/malware-outbreak
CISA provides some good links too, and practice for the same event.
It is good to have these well documented and put into the playbook.
Regards

Caute_Cautim

ris4mis
Viewer

I would say what was Step 1 should be labeled something like "Start" or "So you have a security incident ...", and then, after "Don't Panic", add "Don't immediately pay ransom" and why.
Then, what was Step 7, "Document", becomes Step 1.

Then, what was Step 3, "Form a response team", becomes Step 2, called "Form or activate an incident response team", and includes instructions for proper notifications.

In general, the rest could follow in order... or be disregarded in favour of following an established incident response plan.
Of course, this should be simulated before having an actual incident ...