The question is no longer whether you will have an incident but when you will have one. Ignoring this fact places you and your organization in a precarious position. Proper planning for an incident signals to your customers, stakeholders, and key leadership that you take security seriously and instills confidence in their business systems. Should an incident occur, your preparation will allow you to quickly identify the scope of damage, because you will already have identified the data that requires special handling and protection, including PII, PHI, intellectual property, corporate confidential information, and financial information about your organization.
However, preparation isn’t just an effort for your security team.
Note: Security Team
Students may find it incredibly helpful to start by defining and creating a graphical representation of the Cybersecurity Incident Response Team (CSIRT). Definition of the CSIRT should be based upon your understanding of the organization. You may need to conduct some research for illustrative examples.
Starting the exercise with a defined understanding of the CSIRT will result in a more focused, better defined incident response.
It means that you assist organizational leadership in communicating the goals of the security policy and the importance of the employees’ roles in supporting it. Aside from the benefit of having a smoother recovery, having a comprehensive incident-handling process regarding special data may protect you from civil or criminal procedures should your organization be brought to court for failing to protect sensitive data. Once you’ve gotten buy-in from organization leadership for your incident response plan, you need to continue to refine and improve it as threats evolve.
For this assignment, you will create an incident response runbook (also known as a playbook or “use case”), which is a written guide for identifying, containing, eradicating, and recovering from cybersecurity incidents. The document is usually the output of the preparation phase of the Incident Response process and is part of your overall Incident Response Plan.
An end user receives an email from the help desk stating that there was irregular activity associated with their email account and that they will not be able to send or receive emails until it is resolved. Several end users click on the link in the email, and immediately items on their workstations begin to act strangely. Suddenly, none of the files on the workstation can be opened, and their names now end in “.crypt”. A message pops up on the end user’s screen demanding payment of 1.84 Bitcoins as a ransom for the organization’s now encrypted data. As of May 2021, Bitcoin is approximately $54,301/Bitcoin, making the ransom in this scenario just shy of $100,000.
Soon after that, other employees begin to report they have a strange note popping up on their screen as well. Before long, all computers – workstations and servers – have the popup on their screens and are unable to function. This is where the Incident Response process begins.
Create Your Runbook
There are different Runbooks for different types of threats (Malware, DDoS, Botnet, Social Engineering). Make sure the Runbook is the correct Runbook for the scenario. An Incident Response Playbook (Runbook) is designed to provide a step-by-step walk-through for the most probable and impactful cyber threats to your organization. The Playbook ensures that the relevant steps of the Incident Response Plan are followed appropriately and serves as a reminder if certain steps in the IRP are not yet in place.
Your Runbook should consist of:
1. An overview section that details the identified threat.
2. Preparation steps or triage processes needed to prevent or recover from the threat
   - Contact information of the in-house IR team
   - Escalation & notification procedures and reporting mechanism
3. Detection, Identification & Analysis of the likely symptoms of this type of threat
   - Steps implemented for detection
   - Identification matrix for High, Medium, and Low threat categories
   - Incident validation – tools or systems used to confirm and verify the possible delivery vector of the threat
4. Containment, Eradication & Recovery
The third phase, containment, is the initial attempt to mitigate the attacker’s actions. It has two major components: stopping the spread of the attack and preventing further damage to systems. It is important for an organization to decide early in the response which methods of containment to employ. Organizations should have strategies and procedures in place for making containment-related decisions that reflect the level of risk acceptable to the organization for each threat type.
5. Post Incident Activity/Lessons Learned
Post-incident activity is the process of identifying lessons learned through after-action review. This section needs to address questions such as:
   - Have we done well in protecting the organization’s network?
   - What could we have done better?
   - What should we do differently next time?
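As an added example for the Detection, Identification & Analysis section (the detection step and the High/Medium/Low identification matrix), written for this page and not part of the original assignment: the script below scans constructed file-system audit events for a burst of renames to the scenario's “.crypt” extension and rates the incident by how many hosts are encrypting. The host names, thresholds and events are assumptions chosen for illustration.

```python
"""Detection step for the '.crypt' ransomware scenario: find hosts with a burst of
renames to that extension and rate the incident High/Medium/Low. Sample data only."""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)  # sliding window for counting renames
BURST_THRESHOLD = 20                  # renames per window that mean "encrypting"
RANSOM_EXT = ".crypt"                 # extension the scenario's files end in


def build_sample_events():
    """Constructed audit trail of (timestamp, host, action, path) tuples:
    WS-17 and SRV-02 are being encrypted; WS-03 has a few stray renames."""
    t0 = datetime(2021, 5, 10, 9, 0, 0)
    events = []
    for i in range(30):   # 30 renames in 30 s on a workstation
        events.append((t0 + timedelta(seconds=i), "WS-17", "RENAME",
                       f"C:/Users/jdoe/Documents/report{i}.docx{RANSOM_EXT}"))
    for i in range(25):   # 25 renames in 50 s on a file server
        events.append((t0 + timedelta(seconds=120 + 2 * i), "SRV-02", "RENAME",
                       f"D:/Shares/Finance/ledger{i}.xlsx{RANSOM_EXT}"))
    for i in range(3):    # 3 renames spread over 30 min, below threshold
        events.append((t0 + timedelta(minutes=10 * i), "WS-03", "RENAME",
                       f"C:/Temp/scratch{i}.txt{RANSOM_EXT}"))
    return events


def crypt_bursts(events):
    """Return {host: largest number of '.crypt' renames inside one window}."""
    per_host = defaultdict(list)
    for ts, host, action, path in events:
        if action == "RENAME" and path.lower().endswith(RANSOM_EXT):
            per_host[host].append(ts)
    bursts = {}
    for host, times in per_host.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            best = max(best, end - start + 1)
        bursts[host] = best
    return bursts


def classify(bursts):
    """Identification matrix: High = burst on 2+ hosts (spreading), Medium =
    burst on one host, Low = no host over the threshold."""
    encrypting = sorted(h for h, n in bursts.items() if n >= BURST_THRESHOLD)
    if len(encrypting) >= 2:
        return "High", encrypting
    return ("Medium" if encrypting else "Low"), encrypting
```

The hosts returned alongside the severity are the ones to isolate first in the containment phase; the thresholds should be tuned against the organization's own baseline of legitimate rename activity.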