Believe it or not, ransomware and other visible cyberattacks are the last sign that an adversary has breached an organization's network. In fact, by the time it is obvious that a company has been the victim of an attack, it usually means that cybercriminals have been inside the network for days, if not months. The question is: if attacks unfold over a longer period, can organizations be prepared and act in real time to minimize the damage they cause?
The best way forward for companies is to have a structured incident response plan so that they can act as quickly as possible when they are under active attack.
Sophos recommends the following 10 steps to create an effective cybersecurity incident response plan, based on the real-world experience of the Sophos Managed Threat Response and Sophos Rapid Response teams, which have tens of thousands of hours of experience in dealing with cyberattacks.
Here are 10 key steps to creating an effective cybersecurity incident response plan:
1. Determine key stakeholders
Proper planning of a possible incident is not the sole responsibility of the security teams. In fact, an incident is likely to affect almost every department in an organization, especially if the incident becomes a large-scale breach. To properly coordinate a response, organizations must first determine who should be involved. This often includes senior management representation, security, IT, legal and public relations.
2. Identify critical assets
To determine the scope and impact of an attack, organizations must first identify their top-priority assets. Identifying these assets will not only help determine a protection strategy, but will also greatly facilitate determining the scope and impact of an attack.
3. Run tabletop exercises
Incident response is like many other disciplines: practice makes perfect. While it is difficult to fully replicate the intense pressure that teams will experience during an actual breach, hands-on exercises ensure a more closely coordinated and effective response when a real situation occurs. It is important not only to run technical tabletop exercises, but also broader exercises that include the various business stakeholders identified above.
4. Deploy protection tools
The best way to deal with an incident is to prevent it. Your organization must ensure that it has adequate endpoint, network, server, cloud, mobile, and email protection in place.
5. Ensure maximum visibility
Without proper visibility into what is happening during an attack, organizations will struggle to respond appropriately. Before an attack occurs, security and IT teams should ensure that they can determine the scope and impact of an attack, including identifying the adversary's entry and persistence points.
6. Implement access control
Attackers can take advantage of weak access control to infiltrate an organization's defenses and escalate privileges. Organizations should regularly verify that they have adequate access controls in place.
7. Invest in investigation tools
In addition to ensuring the necessary visibility, organizations should invest in tools that provide the necessary context during an investigation.
Some of the most common tools used for incident response are endpoint detection and response (EDR) and extended detection and response (XDR) platforms, which allow organizations to hunt across their environment for indicators of compromise (IOCs) and indicators of attack (IOAs).
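The distinction the passage draws between IOCs (known-bad values such as a domain or file hash) and IOAs (suspicious behaviour patterns) is easiest to see in a small hunt. The following is an added example, not code from the article or from Sophos; the log format, the indicator values and the hostnames are all constructed placeholders, and the single IOA rule (a document application launching a command shell) is a widely used defensive detection pattern chosen for illustration.

```python
"""Added example: a minimal hunt over constructed endpoint logs for IOCs and IOAs."""
import re
from typing import Dict, List

# Constructed indicators of compromise (IOCs): placeholder values, not real threat intel.
IOC_DOMAINS = {"update-check.bad-example.test"}
IOC_SHA256 = {"0" * 63 + "1"}  # placeholder hash, clearly not a real sample

# Indicator-of-attack (IOA) rule: a document-handling application launching a shell.
# This is a behaviour pattern rather than a known-bad value, which is the difference
# the article draws between IOAs and IOCs.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}

# Constructed log lines in a simple key=value format (assumed, not a real EDR export).
SAMPLE_LOGS = [
    "ts=2024-01-01T09:00:00Z host=ws01 event=dns query=intranet.example.test",
    "ts=2024-01-01T09:00:05Z host=ws01 event=process image=winword.exe parent=explorer.exe sha256=" + "a" * 64,
    "ts=2024-01-01T09:00:09Z host=ws01 event=process image=powershell.exe parent=winword.exe sha256=" + "b" * 64,
    "ts=2024-01-01T09:01:00Z host=ws02 event=dns query=update-check.bad-example.test",
    "ts=2024-01-01T09:02:00Z host=srv01 event=process image=svc.exe parent=services.exe sha256=" + "0" * 63 + "1",
    "ts=2024-01-01T09:03:00Z host=ws03 event=process image=cmd.exe parent=explorer.exe sha256=" + "c" * 64,
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict; values contain no spaces in this format."""
    return dict(KV_RE.findall(line))


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per IOC or IOA match, tagged with host, kind and reason."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        host = ev.get("host", "?")
        if ev.get("event") == "dns" and ev.get("query") in IOC_DOMAINS:
            findings.append({"host": host, "kind": "IOC",
                             "reason": f"DNS query for listed domain {ev['query']}"})
        elif ev.get("event") == "process":
            # Exact-match IOC: the file hash is on the list.
            if ev.get("sha256") in IOC_SHA256:
                findings.append({"host": host, "kind": "IOC",
                                 "reason": f"listed hash for {ev.get('image', '?')}"})
            # Behavioural IOA: parent/child relationship that documents should not produce.
            if (ev.get("parent", "").lower() in OFFICE_APPS
                    and ev.get("image", "").lower() in SHELLS):
                findings.append({"host": host, "kind": "IOA",
                                 "reason": f"{ev['parent']} spawned {ev['image']}"})
    return findings


def hosts_to_scope(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct hosts with findings: the starting point for scoping an incident (step 5)."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = hunt(SAMPLE_LOGS)
    for f in results:
        print(f"{f['host']:6} {f['kind']:4} {f['reason']}")
    print("hosts to scope:", hosts_to_scope(results))
```

Run against the constructed logs, the hunt flags one IOA on ws01 (a shell launched from a word processor, with no listed indicator involved) and two IOCs (a listed domain on ws02 and a listed hash on srv01); the host list that comes out is exactly the scoping input that steps 2 and 5 of the plan depend on.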
8. Establish response actions
Detecting an attack is only one part of the process. To respond properly to an attack, IT and security teams must ensure that they can perform a wide range of corrective actions to interrupt and neutralize an attacker.
9. Carry out awareness training
While no training program will ever be 100% effective against a determined adversary, educational programs (e.g., phishing awareness training) help reduce the level of risk and limit the number of alerts that security teams must respond to.
10. Hire a managed security service
Many organizations are not equipped to handle incidents on their own. Fast and effective response requires experienced security operators. To ensure this, organizations should consider working with an external resource, such as a managed detection and response (MDR) provider.
In short, when a cybersecurity incident occurs, time is of the essence. Having a well-prepared and well-understood response plan that all key parties can implement immediately will dramatically reduce the impact of an attack on an organization.