An incident response plan can help companies stay in control of the crisis in the event of a cyber attack. Sophos Labs and the Sophos Managed Response and Rapid Response teams have developed a guide with ten crucial steps.
A cyber attack is now more likely than ever. Sophos studies such as "The State of Ransomware 2021" show that, internationally, 37 percent of the companies surveyed were hit by ransomware alone. While ransomware has perhaps been the most devastating form of damage in recent years, it is far from the only type of malware that can cause serious problems for businesses.
Incident Response Strategy
Organizations and IT teams are therefore well advised to equip themselves with both effective security controls and a well-thought-out, tried-and-tested incident response strategy. Such a plan not only minimizes the follow-up costs of a cyber attack but also nips many other problems, and even business interruptions, in the bud. Sophos Labs have pooled their experience with that of the Sophos Managed Response and Sophos Rapid Response teams and present the result in the Incident Response Guide, which covers ten steps:
1. Determine all those involved and affected
It is not only the security team that is responsible for, and affected by, attacks; many other people in the company are too. From the C-level to department heads to the legal or HR department, it is important to identify the key people and actively involve them in incident planning. Alternative communication channels should also be agreed at this point, since an IT outage can also take down the usual channels.
2. Identify critical resources
In order to develop a protection strategy and, in an emergency, determine the extent and consequences of an attack, the resources with the highest priority for the company must be identified. Only then can the most critical systems be restored first and in a targeted manner.
3. Practice and play through emergency scenarios
Exercises ensure that, in the event of a cyber attack, action can be taken in a coordinated, fast and targeted manner. A plan is only as good as the people executing it: everyone involved should know exactly what to do immediately, instead of first searching for instructions or improvising. The exercises should cover several different attack scenarios.
4. Provide security tools
A very important part of protection, and therefore also of the incident response plan, is preventive measures. These include suitable security solutions for endpoints, the network, servers and the cloud, as well as for mobile devices and e-mail. A high degree of automation, for example through the use of AI, is important for these tools, as is a transparent and integrated administration and alerting console, in order to detect potential attacks as early as possible and, ideally, to eliminate them automatically.
5. Ensure maximum visibility
Without the visibility they need into what's happening during an attack, organizations struggle to respond appropriately. IT and security teams should have the tools to determine the scope and impact of an attack – including identifying attacker entry points and persistence points.
6. Implement access control
Attackers exploit weak access controls to subvert defenses and escalate their privileges. Effective access controls are therefore essential. This includes, among other things, multi-factor authentication and restricting administrator rights to as few accounts as possible. For some companies it can also make sense to adopt a Zero Trust concept and implement it with suitable solutions and services.
7. Use analysis tools
In addition to ensuring the necessary visibility, tools that provide context during an investigation are extremely important. These include incident response tools such as EDR (Endpoint Detection and Response) or XDR (Extended Detection and Response), with which the entire environment can be searched for Indicators of Compromise (IOCs, static artefacts such as file hashes, domains or IP addresses) and Indicators of Attack (IOAs, suspicious behaviour such as an Office application spawning a shell).
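As an added illustration of step 7 (this is example code, not part of the Sophos guide): a small Python sweep that runs constructed endpoint telemetry lines through both static IOCs (a file hash, a domain, an IP range) and behavioural IOAs (an Office application spawning a shell, encoded PowerShell). All indicator values, hostnames and log lines are constructed for this example. A real EDR/XDR hunt performs the same two kinds of check, but against live telemetry from the whole estate rather than a handful of lines.

```python
"""Sweep constructed endpoint telemetry for IOCs and IOAs (added example).

IOCs are static artefacts (hashes, domains, IP ranges); IOAs are behaviours
(e.g. an Office process spawning a shell). Every indicator value, hostname and
log line below is constructed for the example, not taken from a real case.
"""
import ipaddress
import re
from dataclasses import dataclass

# --- constructed threat intelligence (hypothetical values) ------------------
IOC_SHA256 = {"0123456789abcdef" * 4}                 # one known-bad file hash
IOC_DOMAINS = {"update-check.example.net"}            # one known C2 domain
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]  # one known-bad range

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
ENCODED_PS_RE = re.compile(r"powershell(\.exe)?\b.*\s-(enc|encodedcommand)\b", re.I)

# --- constructed telemetry: "<timestamp> key=value key=\"quoted value\" ..." --
SAMPLE_LOGS = [
    '2024-05-02T10:14:03Z host=ws-017 event=process parent=winword.exe image=cmd.exe '
    'cmdline="cmd.exe /c powershell -enc SQBFAFgA" sha256=' + "0123456789abcdef" * 4,
    '2024-05-02T10:14:05Z host=ws-017 event=network image=powershell.exe '
    'dst=198.51.100.23:443 domain=update-check.example.net',
    '2024-05-02T10:20:11Z host=srv-db01 event=process parent=services.exe '
    'image=sqlservr.exe sha256=' + "ffffffffffffffff" * 4,
    '2024-05-02T10:21:40Z host=ws-042 event=network image=chrome.exe '
    'dst=203.0.113.5:443 domain=www.example.com',
]

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="quoted value"


@dataclass(frozen=True)
class Hit:
    host: str
    ts: str
    kind: str        # "ioc" (artefact) or "ioa" (behaviour)
    indicator: str   # what matched
    line: str        # raw evidence, kept for the case file


def parse_line(line):
    """Return (timestamp, fields) or None if the line is not in the expected shape."""
    ts, _, rest = line.strip().partition(" ")
    fields = {k: (q or v) for k, q, v in KV_RE.findall(rest)}
    if not ts or "host" not in fields:
        return None
    return ts, fields


def match_iocs(fields):
    """Static indicators: hash, domain, destination IP inside a known-bad range."""
    found = []
    if fields.get("sha256", "").lower() in IOC_SHA256:
        found.append("sha256:" + fields["sha256"].lower())
    if fields.get("domain", "").lower() in IOC_DOMAINS:
        found.append("domain:" + fields["domain"].lower())
    dst = fields.get("dst", "")
    if dst:
        ip_text = dst.rsplit(":", 1)[0]   # strip ":port"; IPv4 only in this example
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            ip = None                      # malformed address: no match, no crash
        if ip is not None and any(ip in net for net in IOC_NETWORKS):
            found.append("ip:" + ip_text)
    return found


def match_ioas(fields):
    """Behavioural indicators that need no prior knowledge of the specific malware."""
    found = []
    parent = fields.get("parent", "").lower()
    image = fields.get("image", "").lower()
    if parent in OFFICE_APPS and image in SHELLS:
        found.append("office_spawns_shell")
    if ENCODED_PS_RE.search(fields.get("cmdline", "")):
        found.append("encoded_powershell")
    return found


def sweep(lines):
    """Run every line through both matchers; one Hit per indicator per line."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        for ind in match_iocs(f):
            hits.append(Hit(f["host"], ts, "ioc", ind, line))
        for ind in match_ioas(f):
            hits.append(Hit(f["host"], ts, "ioa", ind, line))
    return hits


def summarize(hits):
    """Per-host view for scoping: which hosts show which indicators."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h.host, {"ioc": set(), "ioa": set()})[h.kind].add(h.indicator)
    return {host: {k: sorted(v) for k, v in kinds.items()} for host, kinds in by_host.items()}


if __name__ == "__main__":
    for host, kinds in summarize(sweep(SAMPLE_LOGS)).items():
        print(host, kinds)
```

On the constructed input only ws-017 lights up, with three IOC hits and two IOA hits; the per-host summary is the kind of scoping output that feeds step 8, since it tells the responder which machines to isolate first. Behavioural rules are the more durable half: the hash and domain change with every campaign, while "Word spawned cmd.exe" does not.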
8. Determine response measures
Recognizing an attack in good time is good, but only half the battle, because after discovery the aim is to contain or eliminate it. IT and security teams must be able to initiate a variety of response actions to stop and remove attackers, depending on the attack type and the severity of the potential damage.
9. Carry out awareness training
All employees in a company should be aware of the risks their actions may pose. Training is therefore an important part of an incident response plan and of prevention. With attack simulation tools, realistic phishing attacks on employees can be simulated without any security risk. Depending on the results, targeted training courses help to raise employees' awareness.
10. Managed Security Services
Not every company has the resources to implement an internal incident response plan and, above all, to staff an incident response team with proven experts. Service providers such as MDR (Managed Detection and Response) providers can help. They offer 24/7 threat hunting, analysis and incident response as a managed service. MDR services not only help organizations respond to incidents, they also reduce the likelihood of an incident occurring in the first place.
In a cybersecurity incident, every second counts
"Every second counts in a cybersecurity incident and for most companies it is not a question of whether they will be affected, but when the attack will occur," explains Michael Veit, security expert at Sophos. "This knowledge is not new. Companies differ mainly in whether they implement this knowledge with appropriate precautions or whether they take the risk of jeopardizing their existence. It's a bit like buckling up in a car: it's very unlikely that you'll be unharmed in an accident without a seat belt. A well-prepared and well-thought-out incident response plan that all affected parties in the company can implement immediately can significantly mitigate the consequences of a cyber attack."
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.