This article is based on a panel discussion at ChannelPro’s Cybersecurity Online Summit held earlier in the year.
A decisive plan, fast response, and clear communication are all critical components when a cyberattack occurs. Here, seasoned channel pros provide advice on four incident response scenarios.
YOUR CUSTOMER JUST GOT HIT BY RANSOMWARE. WHAT'S THE FIRST THING YOU DO?
- Activate your incident response plan
Assemble your incident response team and implement the plan, which includes determining the type of breach and where the exposure is, advises Corey Kirkendoll, president and CEO of 5K Technical Services, in Plano, Texas. That may include bringing in your legal team and your insurance agency for guidance, particularly If you have a customer that deals with medical or financial records and must follow compliance regulations.
A step-by-step plan is critical, agrees Jayson Ferron, CISO/CEO of Interactive Security Training. “You should be able to have it on the wall [showing], I'm going to do this first, this second, this third, this fourth.” It’s also important for proving due diligence, says Brian Weiss, CEO of iTech Solutions, in San Luis Obispo, Calif.
- Communicate, communicate, communicate
Immediately inform the client that they’ve been hit with ransomware and that you may need to cut off users from company resources in order to mitigate the threat, says Weiss.
Urge your client to involve their own insurance company right away if they have compliance regulations they need to adhere to, he adds. “If they're going to be responsible for funding for damages, they're going to want to make sure you're following what they want you to do. Otherwise, they might come back and say, ‘Hey, you didn't perform due diligence. Therefore, we aren't covering this set of damages.’”
- Isolate the threat vector
As soon as you know what the threat vector is, remove it from the network and begin mitigation efforts, Kirkendoll advises. After you understand the depth of the exposure, he adds, start collecting evidence logs. At the same time, locate backups and make sure they’re offline in case the attacker is still active in the network, says Michael Cocanower, CEO of Phoenix-based itSynergy.
THE ATTACK WASN'T JUST RANSOMWARE, THEY GOT INTO THE CLIENT’S DATABASE TOO. WHAT DO YOU DO?
- Verify backups
Once you’ve done so and know how far back the hack goes, you can perform a full or partial recovery, Kirkendoll says.
- Identify the access method
Whether it’s through the cloud or on premises, identify how the attack came in, Weiss advises. Was it via an API connection or through a user account? “Shutting down the database could be a quick and easy way to cut off access.” He adds that you may want to implement conditional access to block a particular IP or country.
- Determine the type and value of exfiltrated data
If there is potential exposure of personally identifiable information (PII), for instance, your customer may be subject to data privacy requirements, says Cocanower. Every state has different disclosure requirements and different reporting time frames, he adds. Bringing in the legal team from your customer’s cybersecurity provider can help you understand the obligations.