An end user receives an email, apparently from the help desk, stating that there was irregular activity associated with their email account and that they will not be able to
send or receive email until it is resolved. Several end users click on the link in the email, and items on their workstations immediately begin to
act strangely. Suddenly none of the files on the workstation can be opened, and all of them now end in ".crypt". A message pops up on the end user's screen demanding
payment of 1.84 Bitcoins as a ransom for the organization's now-encrypted data. As of May 2021, Bitcoin was trading at approximately $54,301 per Bitcoin, making the
ransom in this scenario just shy of $100,000 (1.84 × $54,301 ≈ $99,914).
Soon after, other employees begin to report the same note popping up on their screens as well. Before long, all computers, workstations and
servers alike, have the popup on their screens and are unable to function. This is where the Incident Response process begins.
Create Your Runbook
There are separate Runbooks for different types of threats (Malware, DDoS, Botnet, Social Engineering). Make sure you are working from the Runbook that matches the
scenario; in the case above, that is the Malware (ransomware) Runbook. An Incident Response Playbook (Runbook) is designed to provide a step-by-step walk-through for the most probable and most impactful cyber threats to
your organization. The Playbook ensures that the relevant steps of the Incident Response Plan (IRP) are followed in the right order, and it serves as a reminder if certain
steps in the IRP are not yet in place.
Your Runbook should consist of:
- An overview section that identifies the threat and details what is known about it.
- Preparation steps or triage processes needed to prevent or recover from the threat:
  - Contact information of the in-house IR team
  - Communication tree
  - Escalation and notification procedures, and the reporting mechanism
- Detection, Identification & Analysis of the likely symptoms of this type of threat:
  - Steps implemented for detection
  - Identification matrix for High, Medium, and Low threat categories
  - Incident validation: the tools or systems used to confirm the incident and verify the likely delivery vector of the threat (in the scenario above, the phishing link)
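As an added example (not part of the original page), the following Python script runs the detection and identification steps above against constructed file-activity log lines. It flags hosts that are renaming files to the ".crypt" extension from the scenario, scores the largest burst of such renames per host against a hypothetical High/Medium/Low identification matrix, and lists the hosts that a containment decision would isolate first. The log line format, the 60-second window and the threshold values are assumptions chosen for illustration, not values taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log line format (an assumption for this example, not from the page):
#   <ISO timestamp> host=<hostname> op=<RENAME|WRITE|...> src=<path> dst=<path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) op=(?P<op>\S+) src=(?P<src>.+?) dst=(?P<dst>.+)$"
)

RANSOM_EXT = ".crypt"   # extension the encrypted files carry in the scenario
WINDOW_SECONDS = 60     # burst window; tuning value assumed for illustration

# Hypothetical identification matrix: number of .crypt renames on one host inside
# the window. Thresholds are assumptions, not figures from the page.
MATRIX = (("High", 50), ("Medium", 10), ("Low", 1))


def parse(lines):
    """Yield (timestamp, host, op, src, dst) for every line matching the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["host"], m["op"], m["src"], m["dst"]


def max_burst(timestamps, window):
    """Largest number of events inside any `window`-second span (sliding window)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(burst):
    """Map a burst count onto the High/Medium/Low matrix; None means no finding."""
    for label, threshold in MATRIX:
        if burst >= threshold:
            return label
    return None


def analyze(lines):
    """Per host: total .crypt renames, worst burst in the window, and severity."""
    per_host = defaultdict(list)
    for ts, host, op, src, dst in parse(lines):
        if op == "RENAME" and dst.lower().endswith(RANSOM_EXT):
            per_host[host].append(datetime.fromisoformat(ts))
    return {
        host: {"renames": len(stamps),
               "burst": max_burst(stamps, WINDOW_SECONDS),
               "severity": classify(max_burst(stamps, WINDOW_SECONDS))}
        for host, stamps in per_host.items()
    }


def isolation_candidates(result):
    """Hosts a containment decision would isolate from the network first."""
    return sorted(h for h, r in result.items() if r["severity"] == "High")


def make_sample_log():
    """Constructed sample events (synthetic, for illustration only)."""
    base = datetime(2021, 5, 10, 9, 0, 0)
    lines = []
    # WS-014: 60 files renamed to .crypt within 60 s, the scenario's pattern
    for i in range(60):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} host=WS-014 op=RENAME src=C:\\Users\\jdoe\\Docs\\f{i}.docx "
                     f"dst=C:\\Users\\jdoe\\Docs\\f{i}.docx{RANSOM_EXT}")
    # WS-022: slower encryption, 12 files in about half a minute
    for i in range(12):
        t = (base + timedelta(minutes=2, seconds=3 * i)).isoformat()
        lines.append(f"{t} host=WS-022 op=RENAME src=D:\\share\\r{i}.pdf "
                     f"dst=D:\\share\\r{i}.pdf{RANSOM_EXT}")
    # FS-01: a single .crypt rename, worth validating but not yet a burst
    t = (base + timedelta(minutes=5)).isoformat()
    lines.append(f"{t} host=FS-01 op=RENAME src=E:\\data\\q1.xlsx dst=E:\\data\\q1.xlsx{RANSOM_EXT}")
    # WS-030: ordinary activity, including a benign rename, must not fire
    t = (base + timedelta(minutes=6)).isoformat()
    lines.append(f"{t} host=WS-030 op=WRITE src=- dst=C:\\Users\\asmith\\notes.txt")
    lines.append(f"{t} host=WS-030 op=RENAME src=C:\\Users\\asmith\\notes.txt "
                 f"dst=C:\\Users\\asmith\\notes.txt.bak")
    return lines


if __name__ == "__main__":
    findings = analyze(make_sample_log())
    for host, r in sorted(findings.items()):
        print(f"{host}: {r['renames']} renames, burst {r['burst']}, severity {r['severity']}")
    print("isolate first:", isolation_candidates(findings))
```

The matrix is deliberately keyed on the burst rate rather than the raw count: a single ".crypt" rename on a file server is a Low finding that still needs validation against the delivery vector, while a sustained burst on a workstation is the evidence the containment step acts on immediately.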
Containment, Eradication & Recovery
The third phase, containment, is the initial attempt to mitigate the attacker's actions. It has two major components: stopping the spread of the attack and
preventing further damage to systems. It is important for an organization to decide which methods of containment to employ early in the response, because
the choice has consequences: in the scenario above, disconnecting affected hosts from the network stops further encryption of shares while preserving memory for
forensics, whereas powering them off loses that volatile evidence. Organizations should therefore have strategies and procedures in place for making containment-related
decisions that reflect the level of risk acceptable to the organization according to the threat type.
Post Incident Activity/Lessons Learned
The post-incident phase is the process of reviewing the actions taken during the response and identifying the lessons to be learned from them. This section needs to address questions such as:
- What happened?
- How well did we protect the organization's network?
- What could we have done better?
- What should we do differently next time?