Pratum Blog

Laptop with Completed Checklist and text Creating an Incident Response Plan

This year’s non-stop ransomware wakeup call has motivated many organizations to dust off their incident response (IR) plans—or create one for the first time. If you’ve ever endured a breach, you know the value of a well-designed IR plan. By guiding decisions in the critical first hours of an incident, the IR plan can keep a minor situation from turning into an operational shutdown, as well as help your team track down the breach’s root cause, file cyber insurance claims, manage messages to customers and more. Use the following guidelines to make sure your IR plan includes all the essentials.

Check Your Industry’s Requirements

Start by determining what others require of you. In many industry sectors, IR plans are mandated by state law, federal guidelines (such as HIPAA) or your biggest customers’ vendor contracts. For example, more than a dozen states require any company in the insurance industry to maintain a written IR plan, among other best practices. And your cyber insurance underwriter will almost certainly offer you a better rate if you have policies such as an IR plan in place.

Guides for Creating Your Plan

One go-to standard for IR plans is NIST publication 800-61, known as the “Computer Incident Handling Guide.” This 79-page document walks you through all the elements required in an IR plan considered up to industry standards. The guide provides details on tasks such as structuring an IR team, handling incidents as they occur and coordinating responses across departments and organizations. NIST’s approach boils down to this four-part Incident Response Life Cycle:

Incident Response Life Cycle

You should also review the SANS Institute’s more concise guide, known as the Incident Handlers Handbook. SANS recommends that every plan provide a specific process for these six areas:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

What to Put In Your Plan

Based on these resources and other industry guidelines, these are the key elements to include in your IR plan:

  • Your definition of an “incident” – Writing your organization’s specific description of a computer security incident will determine what triggers your IR plan. Typical items that constitute incidents are loss or accidental disclosure of sensitive info, an intrusion or attack on the network or the discovery of a vulnerability that could affect operations. Vague definitions of incidents can trigger unnecessary IR responses even for low-level situations.
  • IR team structure – The team’s size depends on your organization’s size and complexity. The team plan should include:

    – An incident coordinator tasked with managing meetings, keeping notes and documenting actions.

    – People with strong tech skills, IR experience and an understanding of the business.

    – Multiple people with strong communications skills they can use to share information clearly and efficiently in the right directions.

    – Representation from key related areas such as legal, HR, and the physical facilities team.

    – An executive sponsor who can champion the team’s concerns up the ladder and provide visibility to the overall business.

    – A system for rotating IR team members on a planned basis to avoid burnout and promote fresh perspectives.

  • Roles/responsibilities – Clearly outline exactly who does what and establish a clear team leader. Some states’ regulations for certain industries require companies to officially report the name of the person of contact (POC) for information security. Be sure to consider duties your IR team may have in non-emergencies, such as training employees, monitoring threat alerts and participating in relevant industry groups.
  • Incident-reporting procedure – The team’s ability to respond effectively relies on finding out about the incident in a clear, timely manner. Describe whether notifications should take place through a help desk ticket, e-mail, phone call, etc. The plan should also specify procedures for preserving potential evidence. Your company’s ongoing security training should cover the incident-reporting procedure.
  • Communications plan for outside entities – You will probably need to notify people beyond your company war room about incidents. A chart like the one below from NIST shows the variety of parties with which you may need to interact. In your plan, establish clear rules of communication. Sharing the wrong information at the wrong time with the wrong entity could have implications for your cyber insurance, breach notification liabilities, class action suits, breach of contract claims and more. Incident Response Team Web
  • Post-event reporting – After the situation is resolved, the team should issue a report summarizing what happened and what remediations are required. Your plan should provide specifics on who will compile that report and the leaders who get a copy.

Keep It Simple

As you write the plan, remember Einstein’s rule that “Everything should be as simple as possible, but no simpler.” It’s easy for IR plans to get very long and complex, especially as you continue to revise it over the years. But in the excitement and confusion a real incident, people can only follow so many policies. So streamline your plan to the essentials so that it’s more likely to see real-world use.

Building Your External Team

Just as critical as your organization’s internal team is the lineup of external service providers you’ll call on in an emergency. It’s essential to identify and get to know your providers in advance for two reasons. First, service providers that get to know your organization in normal times will be prepared to spring into action with an informed point of view at a moment’s notice. Second, securing the providers ahead of time will help you use your preferred vendors rather than being stuck with an unknown company from your cyber insurance carrier’s preferred provider list. Once you’ve picked a vendor, ask your cyber insurance company to add them to the preferred list to ensure you get to work with your selected partners.

Your external vendor team should include:

  • An attorney with cyber expertise
  • A digital forensics team
  • A breach coach
  • Cyber insurance contact
  • Public relations firm, if your industry is in the public eye

How to Test Your Plan

Your IR plan isn’t a set-it-and-forget-it proposition. You won’t know if it works unless you test it. And you won’t know if it continues to work unless you incorporate a specific, regular schedule for review. At minimum, review it once a year. If your business is highly dynamic, it may require more frequent review. Common elements that prompt plan updates include:

  • Changing personnel on the IR team
  • Implementing new technology platforms
  • Winning contracts with new clients
  • Entering new geographic or industry markets with different requirements
  • Increasing budgets that expand your resources

Along with annual reviews, you should plan annual testing exercises that apply the plan to a specific simulated scenario. And whenever a breach actually occurs, review your IR plan at a “lessons learned” meeting to identify areas that need revision.

If you need help creating an IR plan tailored for your specific situation, contact Pratum today.

Screenshot of StopRansomware website

A new federal ransomware website gives one-stop access to a wide variety of government resources for fighting the ransomware wave pummeling America in the summer of 2021. Even small organizations should take time to understand their ransomware risks. Big attacks get the headlines, but 75% of all ransomware attacks strike small businesses, and the government knows it can’t fight this battle without the private sector doing its part. So the feds gathered a long list of resources into a new site called In this article, we summarize how the site arms you with information for understanding, reporting and combatting ransomware.

The "One-Stop Ransomware Resource"

This site offers three main sections:

  • Basic ransomware information
  • Resources to report and respond to actual attacks
  • Guidelines to reduce the risk of falling to ransomware

The site’s core message is that businesses have to take cybersecurity into their own hands. The government can rattle cyber sabers with Russia all day, but the best defense is each organization following fundamental cyber hygiene best practices. In June, the Biden administration told businesses just that in an open letter. The site’s resources support the letter’s call for businesses to step up to protect both the nation and their own economic interests. The letter stated, “The most important takeaway from the recent spate of ransomware attacks on U.S., Irish, German and other organizations around the world is that companies that view ransomware as a threat to their core business operations rather than a simple risk of data theft will react and recover more effectively.”

Throughout the site, you’ll find information from and links to multiple agencies including:

  • The FBI
  • Department of Homeland Security
  • The Secret Service
  • CISA (Cybersecurity and Infrastructure Security Agency)
  • NIST (National Institute of Standards and Technology)
Reporting Ransomware Screenshot

What’s On

As you look through the site’s resources, you’ll find most of the site’s recommendations very familiar If you pay attention to basic cybersecurity hygiene. But the reality is that most of these best practices will still be news to many organizational leaders who have gotten away so far with assuming that ransomware won’t come looking for them.

Key Messages for Ransomware Attacks

The site’s resource section includes a wide variety of slide shows, videos, articles, etc. that highlight essential steps that can massively reduce an organization’s ransomware risk. Several guides provide insights on the risks for specific industries, including K-12 education and healthcare. You’ll also find links to the government’s Sector Risk Management Agencies, which focus on guidance for 16 specific critical infrastructure sectors.

The site provides incident response resources for companies facing an actual attack, including steps to follow during the first hours of an attack. Links let you report the attack to a variety of agencies, with the promise that reporting to any one of them will cascade the message to all other appropriate agencies.

CISA and FBI Alerts Screenshot

One of the best pages to bookmark is the alerts section that provides links to official update feeds from CISA and the FBI. Some of the advisories include papers for responding to specific situations, such as best practices for preventing business disruption from the Darkside ransomware that hit Colonial Pipeline earlier this year.

While you’re in the Alerts section, pay attention to the advisory about the potential sanctions you may face if you pay a ransom. Your decision about whether to pay should factor in potential violations of national security laws.

Other Government Ransomware Moves

Along with the new website, the government has been rolling out multiple other ransomware-related actions in recent weeks. Here’s a recap:

State Department offers $10 million reward – Anyone willing to share information about foreign hackers targeting critical U.S. infrastructure could see a big payoff. The U.S. State Department launched the big bounty, which is explained in detail at the Rewards for Justice site.

Rewards for Justice

Biden issues executive order on cybersecurity – On May 12, President Biden issued an executive order on improving national cybersecurity. Key provisions of the order include facilitating more breach reporting by IT providers, mandating full use of security tools such as multifactor authentication on federal systems, requiring better software security in the government supply chain and creating a review board to examine hacking incidents.

REvil goes AWOL – We don’t know what role the government played in the July shutdown of the famed hacking group known as REvil. On July 13, the organization’s online footprint suddenly disappeared. Did the hackers decide to disband on their own? Did the U.S. Cyber Command take them out? Did Russia strike in response to increasing U.S. pressure to deal with the extensive hacking harbored there? It’s a solid bet that one or both of the governments played a role.

As you seek to make sense of this era of ransomware and create a defense and response plan specific to your organization, contact Pratum for expert advice.

How You Can Stop Ransomware Poster

Ransomware Poster

Stopping ransomware starts at the front line of every employee’s computer. This poster will help you and your employees keep your organization safe.

Get Poster
All images used in this article are from
Person holding phone using MFA to access laptop

Go ahead, try to predict the death of passwords. You’ll wind up sounding like the 1960s futurists always predicting that we’d abandon cars any year now for personal aircraft buzzing above the gridlock. Back in 2004, even Bill Gates pronounced passwords obsolete when he declared them insufficient for truly securing critical data. At the time, Gates noted the chronic issues of people using the same password on many platforms and writing them down so they can remember them.

The kids learning to walk on the day that Gates threw that password shade are now college students generally continuing the sins of their digital ancestors. Most people still use ridiculously weak passwords, with “123456” being the most popular choice of 2020. The top 50 passwords of 2020 can all be cracked by automated hacking tools in under a day, with most being crackable in under 1 second. But that’s not say we’re not worrying about those lame passwords, since Google reports that searches for “password strength test” jumped 300% in 2020.

But choosing a stronger password throws us right back into the hassle loop. Stronger=harder to remember, which explains why about 2/3 of Americans use the same password across multiple sites. That’s a bigger problem than most people realize, considering that roughly 15 billion passwords are for sale on the dark web on any given day. (You can check whether your e-mail address or phone number as been part of a data breach at this site.)

The Trade-Offs of Passwords

So we all agree: Passwords are a pain and actually pretty mediocre at their one job of securing data. Roughly 80% of system breaches involve a compromised user credential. And the research firm Forrester estimates that about half of IT help desk calls relate to password resets, at an average cost of $70. In one case study, Aetna insurance noted how customers would deluge the help desk with password resets during open enrollment (one of the few times each year most people touch their insurance app). The company dubbed it “Password Armageddon.”

Even so, passwords survive largely because switching to other tools requires more inconvenience for users and a significant migration effort and expense on the part of the IT team. This chart from Microsoft sums up the trade-offs between passwords and several alternatives we discuss below:

Password Convenience Quadrant

If you’re looking to improve your organization's IT security or Identity and Access Management, here are some options to consider.

Passphrases – These extended versions of passwords are harder to crack because of their length and mix of words. A basic one might be “HowIMetYurMoth3r!” That’s better than a password or a string of normal words, and it meets common password requirements for capitalized letters, punctuation, etc. It throws in a couple of curveballs with a misspelled word and a number standing in for a letter. But it still lacks enough of what experts call entropy, or randomness. Humans almost inevitably think in patterns, so if you want a truly strong passphrase, use a randomizer tool like Diceware. Of course, a great passphrase still has a major weakness if you reuse the same one on multiple platforms.

Single Sign-On – Many companies have adopted this setup, which lets users rely on a single username and password to access a wide variety of programs and services. No more typing in a different password for Office 365, the company intranet, the expense reporting system and every other cloud-based service. SSO has clear advantages in the realm of user experience and workload for IT teams constantly dealing with password issues. SSO’s main challenges are complexity of implementation and dealing with legacy applications that may not support it. And SSO obviously carries the problem of giving a hacker access to all your systems if they compromise the SSO itself.

Multifactor authentication – If you’ve ever talked to a cybersecurity expert, you’ve probably heard them preach the importance of MFA. We’re doing it again here. Virtually every vision for eliminating passwords requires MFA because of stats like Microsoft’s finding that MFA reduces the odds of being compromised by 99.9%. MFA lets people access data by providing two of the following three things:

  • Something you know – This is the password or PIN. If you know it, someone else can at least theoretically figure it out, too. Which is why you need other factors.
  • Something you have – Also known as an “ownership factor,” this is a physical item like a cellphone, badge, hardware token, etc.
  • Something you are – Biometric factors, which could be fingerprints, retina scan, voice recognition, etc.

Password Replacement Options

Password-less Authentication – These systems rely on MFA’s “something you have” and “something you are” elements to grant access. There’s no password to memorize, or steal. So logging into a system typically requires you to have an item (your phone, a hardware token, etc.) and a biometric factor like those described below. Many of the systems also incorporate some version of public key cryptography that generates a unique key for logins. In simple terms, this system puts a padlock on a system that everyone can see. But only you get the key.

PINs – They’re not quite the same as a password. Microsoft now supports PINs that are tied to a specific device. That means that even if you gave a hacker your system password, they couldn’t get into anything without accessing it through your physical device. That turns the computer itself into a “something you have” factor for MFA.

Biometrics – Scans of fingerprints and facial features have gone mainstream in recent years with smartphone features and Windows 10’s Windows Hello option for logging in with a facial or fingerprint scan. Your unique appearance is far more difficult to steal than a password, but hackers are finding ways to spoof faces to fool the systems. So even with the go-to security system of every spy movie in place, MFA still provides a needed extra layer of security.

Along with reading faces and fingerprints, companies have spent years researching some other incredibly subtle ways of identifying you. Your computer may eventually identify you by your typing rhythm, and your phone may recognize you through the pressure you exert on the screen. (It’s an old idea. During World War II, telegraph operators recognized each other by their tapping rhythms in a method known as “Fist of the Sender.”)

Advanced threat detection – Next-gen endpoint detection tools such as Managed XDR can stop hackers even if they have an authentic username and password. (This process is sometimes known as risk-based authentication.) These tools constantly watch for developing threats by tracking where a user is logging in from, what they’re trying to access and more. With this 360 defense in place, even a stolen password won’t be enough for someone acting suspiciously to get to critical data.

Need help figuring out how to implement some of these tools to move past passwords’ inherent limitations? Contact us today.

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.