How an Incident Response Playbook Can Help Your Business Respond to a Cybersecurity Threat

If your business has been affected by a malware attack, having an Incident Response Playbook in place can help you know what to do—and when.
March 22, 2018

Cybersecurity threats are increasing all over the world, and savvy business owners are reshuffling their priorities and ramping up their security efforts. However, no matter how well best practices are implemented, there is always a possibility of a security breach. If you find yourself on the receiving end of one, having a response laid out ahead of time will allow you to address the exploited weakness, limit the damage from the breach and begin remediation rapidly and effectively.

Small businesses are vulnerable to many kinds of attack, usually because they do not commit the budget and resources needed to secure their network infrastructure. Everyone wants the latest, greatest machines and servers, but they may not want to invest the money needed to properly secure them. One of the most common attacks small businesses will face is malware. Malware (commonly referred to as malicious code) is a program hidden inside another program, intended to destroy data or to run destructive and intrusive software that compromises the confidentiality, integrity and availability of a system or network.

It is well worth adopting the safe practice of implementing an Incident Response Playbook (IRP). These six steps can help get you started creating your own.

1. Preparation

Our daily lives, economic vitality and national security depend on a stable, safe and resilient cyberspace. As thriving businesses, we need to work extra hard on keeping our data safe from threats of any kind. The first step for your IRP should be preparation. Develop a few good and practical cyber habits, such as staying on top of your anti-virus updates, keeping all workstations and servers patched against the latest vulnerabilities, and scanning your network frequently.

It is vital to teach and train employees on how to spot infections and the necessary steps to take should the system or network have a security incident.

2. Detection and Analysis

You will need anti-virus software that runs regularly scheduled checks on every system on the network for malicious code. Stay up to date on the latest published alerts, and analyze any anomalies occurring on your systems or network.

3. Containment

Possibly the most challenging step of the process is containing the malware incident. This could mean taking everything offline (such as email, web browsing or internet access) until the incident is dealt with. Someone will need to be ready to make this decision quickly based on the activity of the malware incident. The faster the malware is contained, the better the outcome will be.

4. Eradication and Recovery

Restore the confidentiality, integrity and availability of the data on the infected systems or network, and revert any quarantine measures that were put in place. Once you have successfully contained the incident, you will need to remove its cause. This may mean reverting the system to a trusted working backup. If the cause of the breach was a virus, it may be as simple as removing it from the machine or server. It could also be a more complicated incident that requires you to identify and mitigate the vulnerabilities that were exploited. This step is where you and your team determine how the breach or virus was initially executed in the environment.

5. Reporting

Reporting is the most critical part of an IRP: here you gather all the information from the incident and assemble a lessons-learned document that you can reference during future incidents and use to improve your IRP. The document should record why the incident occurred, what was done to remedy the attack and what can be done to prevent it from happening again. Once it is compiled, distribute it immediately to your security team so it can be easily referenced if another incident occurs.

6. Training

Splurging on tools to combat incidents is a costly approach that can still leave you vulnerable. That is why it is vital to teach and train employees to spot infections and to take the necessary steps should the system or network have a security incident. The best way to accomplish this is through yearly web-based training courses or in-class, hands-on training sessions. An annual refresher requirement not only teaches new employees about malware and other security vulnerabilities, but also reminds current employees of what to look out for. As new threats arise and are exposed, this ongoing education keeps all your employees aware of the latest attacks. This training, coupled with a well-developed IRP, can help position your business to be ready for any attack that may come your way.
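To make the six steps concrete, here is an added Python example (not from the original article) that tracks one constructed malware incident through the playbook's per-incident phases, refuses to skip ahead (eradication cannot start before containment), and renders the lessons-learned document with the three questions step 5 asks. The phase names, the `Incident` class and the sample incident details are assumptions of this example, not part of the article.

```python
from dataclasses import dataclass, field

# Per-incident phases of the playbook, in the order they must occur. Preparation and
# training are ongoing programs rather than incident steps, so they are omitted here.
PHASES = ("detection", "containment", "eradication", "reporting")

# Questions the lessons-learned document must answer (step 5 of the playbook).
REQUIRED_LESSONS = ("why_it_occurred", "what_was_done", "how_to_prevent")


@dataclass
class Incident:  # hypothetical class for this example
    name: str
    timeline: list = field(default_factory=list)  # (phase, action) in recorded order
    lessons: dict = field(default_factory=dict)

    def missing_prerequisites(self, phase: str) -> list:
        """Earlier phases with no recorded action yet; empty means `phase` may start."""
        done = {p for p, _ in self.timeline}
        return [p for p in PHASES[: PHASES.index(phase)] if p not in done]

    def record(self, phase: str, action: str) -> None:
        """Log an action, refusing to skip ahead (e.g. eradication before containment)."""
        missing = self.missing_prerequisites(phase)  # raises ValueError on unknown phase
        if missing:
            raise RuntimeError(f"cannot start {phase}: {missing[0]} has no recorded action")
        self.timeline.append((phase, action))

    def lessons_learned(self) -> str:
        """Render the lessons-learned document; fail if a required question is unanswered."""
        unanswered = [q for q in REQUIRED_LESSONS if not self.lessons.get(q)]
        if unanswered:
            raise RuntimeError(f"lessons learned incomplete: {', '.join(unanswered)}")
        lines = [f"Incident: {self.name}", "Timeline:"]
        lines += [f"  [{phase}] {action}" for phase, action in self.timeline]
        lines += [f"{q}: {self.lessons[q]}" for q in REQUIRED_LESSONS]
        return "\n".join(lines)


def run_sample_incident() -> Incident:
    """Walk a constructed (not real) malware incident through the phases in order."""
    inc = Incident("constructed example: malware on a finance workstation")
    inc.record("detection", "scheduled anti-virus scan alerted; analyst confirmed the anomaly")
    inc.record("containment", "workstation disconnected from the network, email access suspended")
    inc.record("eradication", "host restored from a trusted backup; remaining hosts patched")
    inc.lessons = {
        "why_it_occurred": "an unpatched workstation opened a malicious email attachment",
        "what_was_done": "isolated the host, restored it from backup, patched the rest",
        "how_to_prevent": "enforce a patch schedule and refresh attachment-handling training",
    }
    inc.record("reporting", "lessons-learned document distributed to the security team")
    return inc
```

Calling `run_sample_incident().lessons_learned()` prints the timeline and the three answers; recording `eradication` on a fresh incident raises because containment has not happened yet.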
