ProLion Team, November 2022

How to Develop an Incident Response Playbook in a Few Steps

Ransomware attacks against all companies have increased dramatically since the pandemic. They’re getting more sophisticated and specifically targeting your storage and cloud infrastructure to maximize damage and increase the likelihood that a ransom is paid. These ransomware attacks are carried out with more research and exploit known vulnerabilities in storage systems, putting your environment at risk.

You need to have a plan in place to help mitigate the consequences of a ransomware attack. This incident response plan or playbook should be shared with your IT and cybersecurity teams to ensure that everyone is on the same page. 

What is Incident Response and Why is it Important? 

Having an incident response plan in place can actually reduce the costs of a data breach by over $300,000, according to some estimates. 

So, what is it?

Incident response (IR) refers to the steps an organization should take when facing a cybersecurity compromise. Often differentiated by the type of attack and compromise, proper IR involves developing playbooks and checklists to facilitate organizational response and to clearly define responsibilities. 

By having an IR plan in place, teams and departments know exactly what to do and who should do it, which can reduce how much damage an attack can do and, in the case of ransomware, limit how many files and assets are impacted. 

How Ransomware can Devastate an Organization 

Ransomware attacks have increased dramatically compared to previous years. Malicious hackers are targeting organizations with more precision and are even employing Ransomware as a Service (RaaS) gangs and cartels to increase their odds of success. 

Attackers are also using “double extortion” and “triple extortion” attacks, where they threaten to leak or expose the stolen data if the ransom isn’t paid and launch distributed denial-of-service (DDoS) attacks against the victim to put further pressure on the company. 

If ransomware does end up reaching your storage environment, it could paralyze the company, bring down the company’s website, and prevent you from accessing critical files. This is why an IR plan is necessary. 

Developing an Incident Response Plan in 8 Steps

When developing an IR playbook, it’s important that it is actionable without becoming an overly complex document. What matters most is that anyone involved in the IR process can reference the playbook and easily understand what they have to do. Here are the steps to developing this playbook. 

1. Preparatory Work

Before any action can be taken, it’s important to define who is doing what. This extends beyond the IT team, especially for ransomware attacks, which can impact multiple organizations. As you develop the rest of the playbook, consider what teams and individuals should be responsible for the following action items. 

These responsibilities will vary with the extent of the ransomware attack, but you’ll also have to define internal and external communications as well as the decision-makers who will need to sign off on key actions.  

2. Detection 

During a ransomware attack, it’s vital to detect the infection at all points in order to improve containment and isolation efforts. You should leverage your cybersecurity and IT departments, as well as any tools or technology designed to identify and detect unauthorized intruders or malware in your environment. 

You should also find out whether an attacker is still in your network or has access as that can affect how you respond. Investing in detection tools that specifically look for behavioral patterns of attackers, for example, by utilizing live data from NetApp FPolicy, can help. Otherwise, an attacker can leverage compromised backups or infiltrate the organization’s environment again.  

3. Scope and Prevention 

During this step, the responsible teams should assess the scope of the damage to understand what data is currently affected and what data is at risk. This requires understanding what security controls and network segmentation are in place and where the ransomware attack is happening. Be as thorough as possible and look for the infection across all servers, hard drives, and cloud storage. 

Knowing what could be affected will inform preventative measures against further infection and will also inform communication and reporting. Tools and technology that record data access information can help you get a sense of the scope of an infection. 

4. Containment 

To prevent the ransomware infection from spreading to the rest of your environment, disconnect any infected assets from your network and remove access from an infected user. Tools that automatically flag and block suspicious users can be helpful here. You should also immediately report these suspicious users to your IT security department and work closely with them to prevent further damage.  

5. Removal and Decryption 

Once you’re confident that the ransomware can’t inflict further damage, it’s time to take steps toward removing the threat actor and the ransomware infection.  

You may have to work with your IT security department to flush out the attacker carefully if they’re still in your environment and network. If an attacker knows that you’re trying to remove their access, they may take other steps to evade detection or install a backdoor, making overall recovery more difficult. 

Depending on the ransomware strain the attacker used, a decryption key may already exist, so be sure to identify the strain if possible. If no key is known, you may have to bring in third-party forensics and ransomware experts to help decrypt your files. 

Depending on the difficulty and challenge here, you’re going to need to speak to the board and executive team about the costs involved and whether it’s worth paying the ransom. However, if you’re part of that decision-making process, we highly recommend you make the case against paying the ransom for several reasons:  

  • It might encourage more attacks against you (even by the same threat actor) 
  • It will encourage the threat actors to continue deploying ransomware attacks 
  • There’s no guarantee your data will be released 

6. Recovery 

Organizations have multiple options to restore their files after a ransomware attack. In tandem with decryption efforts, you may want to see if backups are able to recover impacted files. You may also want to revert your storage environment to a previously unaffected state. 

It may be difficult to know exactly which files were impacted, so it may be more helpful to use tools that specifically identify files affected by ransomware and restore them to minimize any data loss.  

7. Analysis 

Investigating how the attack happened is crucial to ensure it doesn’t happen again. This will likely happen at the department level, but it may be important for you to assess if any existing security technology or security control in your environment malfunctioned. If the attack vector or exploit happened in your environment, it’s important to know whether it was preventable or if it requires additional security measures or technology. 

A compromise did happen, so it’s essential to audit whether a security tool failed to work as promised. 

8. Remediation 

You’ll have to work closely with the IT security team and provide documentation as well as any relevant analysis in order to streamline remediation efforts. This may require fixing known vulnerabilities, or identifying security gaps that may require additional tools or technology.  
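The detection, scope, containment and recovery steps above (steps 2, 3, 4 and 6) can be exercised against a stream of storage access events. The following is an added example, not ProLion’s, NetApp’s or CryptoSpike’s code: it assumes a simplified, constructed event format (user, timestamp, operation, path) rather than FPolicy’s real notification schema, and the window, threshold and extension allow-list are assumed tuning values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (user,timestamp,op,path): a simplified stand-in for a
# storage-side feed such as NetApp FPolicy; this is NOT FPolicy's real format.
SAMPLE_EVENTS = """\
alice,2022-11-07T09:00:01,WRITE,/vol/finance/q3.xlsx
alice,2022-11-07T09:00:01,RENAME,/vol/finance/q3.xlsx.locked
alice,2022-11-07T09:00:02,WRITE,/vol/finance/budget.docx
alice,2022-11-07T09:00:02,RENAME,/vol/finance/budget.docx.locked
alice,2022-11-07T09:00:03,WRITE,/vol/hr/payroll.csv
alice,2022-11-07T09:00:03,RENAME,/vol/hr/payroll.csv.locked
bob,2022-11-07T09:00:05,READ,/vol/hr/handbook.pdf
bob,2022-11-07T09:05:00,RENAME,/vol/hr/draft.docx.bak
"""

# Assumed tuning: a user renaming this many files to an unknown extension inside
# the window is flagged (legitimate users rarely rename files in bursts).
WINDOW = timedelta(seconds=30)
RENAME_THRESHOLD = 3
KNOWN_EXTENSIONS = {"xlsx", "docx", "csv", "pdf", "txt", "bak"}

def parse_events(text):
    """Parse the CSV lines into time-ordered (user, datetime, op, path) tuples."""
    events = []
    for line in text.splitlines():
        user, ts, op, path = line.split(",")
        events.append((user, datetime.fromisoformat(ts), op, path))
    return sorted(events, key=lambda e: e[1])

def triage(events):
    """Return {flagged_user: sorted paths written/renamed}: users to block, files to restore."""
    recent = defaultdict(deque)   # per-user timestamps of suspicious renames (detection)
    touched = defaultdict(set)    # per-user paths modified (scoping the damage)
    flagged = set()
    for user, ts, op, path in events:
        if op in ("WRITE", "RENAME"):
            touched[user].add(path)
        if op == "RENAME" and path.rsplit(".", 1)[-1].lower() not in KNOWN_EXTENSIONS:
            q = recent[user]
            q.append(ts)
            while ts - q[0] > WINDOW:   # drop renames that fell out of the sliding window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                flagged.add(user)       # containment target: cut this user's share access
    return {u: sorted(touched[u]) for u in flagged}

def affected_volumes(paths):
    """Scope summary: distinct /vol/<name> volumes touched, to guide isolation and restore."""
    return sorted({"/".join(p.split("/")[:3]) for p in paths})
```

Running `triage(parse_events(SAMPLE_EVENTS))` flags only alice (three renames to `.locked` within seconds) and returns her six modified paths, spanning the finance and hr volumes; bob's single `.bak` rename is below the threshold and uses an allow-listed extension.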

Prevention is Still the Best Step Against Ransomware

Against storage environments specifically, ransomware can be paralyzing, which may result in extra hours of work, departmental pressure, and additional security-minded responsibilities.  

Because a compromise can happen at any time, a regularly updated incident response plan should be top-of-mind at every organization. That’s also why it’s important to be proactive and invest in preventative technology that will identify and stop attacks early on. 

To learn more about a ransomware solution that quickly detects and blocks attacks attempting to access your data and isolate affected users in real-time, check out ProLion’s CryptoSpike.