Aug. 26, 2024

Incident Response Plan 101: From BIA to Execution

In this very dense episode of The Backup Wrap-up, we delve into the critical world of incident response plans, from the business impact analysis (BIA) to finalizing its creation. Our expert guest, Dr. Mike Saylor, CEO of Blackswan Security, shares invaluable insights on crafting and implementing effective incident response strategies. We explore the key components of a robust plan, from conducting a business impact analysis to creating scenario-specific playbooks.

Learn why having an incident response plan is crucial in today's cyber threat landscape and how to design one that works for your organization. We discuss the importance of regular updates, secure storage, and testing through tabletop exercises. Whether you're an IT professional or a business leader, this episode provides practical advice on preparing for and managing potential security incidents. Don't miss this essential guide to strengthening your organization's cyber resilience through comprehensive incident response planning.

Transcript

Speaker: You found The Backup Wrap-Up, your go-to podcast for all things backup, recovery, and cyber recovery. In this episode, we tackled the critical topic of incident response plans. Once again, we've brought our resident cyber expert, Dr. Mike Saylor from Black Swan Security, who starts by defining what an IR plan is and how it's different from DR and BC plans. We then talk about how you need different kinds of response plans for different kinds of incidents, like a cyber attack versus a failed RAID array. We also delve into RACI diagrams and how they define who is responsible, accountable, consulted, and informed on any incidents. Then we dig into where this plan should live and how you should make sure you have access to it and the bad guys don't. This is a packed episode I think you're gonna really like.

Speaker: By the way, if you don't know who I am, I'm W. Curtis Preston, AKA Mr. Backup, and I've been passionate about this topic for over 30 years, ever since I had to tell my boss that our production database was toast and there were no backups of it. I don't want that to happen to you or anybody, and that's why I do this. On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes. This is The Backup Wrap-Up.

Speaker: Welcome to the show. If I can ask you for just a quick second to go press subscribe or follow so that you'll always be able to get our content, that would be great. I am W. Curtis Preston, AKA Mr. Backup, and I have with me a guy who keeps trying to get me to watch this weird new version of the Lord of the Rings, Prasanna Malaiyandi.

Speaker: Ah, yes. And you still have not seen it, although I did. So my parents, so what I'm referring to is there's this new, it's not even a Bollywood movie, I think it's technically a Telugu movie. It's so Tollywood, but it is called Kalki AD 2398 or something like that.

Speaker: So it's supposed to be...

Speaker: Yes, very. Fantasy oriented. Supposed to be really good, shot in the modern day era, or actually in the future. And it has some pretty famous actors, so from both the Telugu scene and the Tamil, and also from Hindi cinema. So pretty much an all-star cast. But I've been asking you, my parents actually went and saw it. They said it was like three and a half hours and it was really long, but...

Speaker: That might be like a couple naps.

Speaker: Yeah, but it might be a couple naps for you. But it's only one episode or one movie. I've been also trying to get you to watch Baahubali 1 and 2, or The Beginning.

Speaker: Yeah. That's the Lord of the Rings one I was talking about though, isn't it?

Speaker: Oh, that's... Oh, you're right. That is the Lord of the Rings, and that's like seven hours. That's like seven hours long.

Speaker: That's six hours.

Speaker: But, uh, my wife and I, we did watch it y or over the weekend and so it's fine. And it's really good though, Curtis, you should watch it. You have until August 6th.

Speaker: Uh, okay. So as of this recording, I have one week to watch it.

Speaker: Yes.

Speaker: All right, well, we have with us again, our, um, can, can we call you our, our resident cybersecurity expert? Can...

Speaker: I feel like I've, I, I, I feel like I do reside here now.

Speaker: I think so. We've done enough episodes. Um, so, uh, the CEO of Black Swan Security, Mike Saylor, welcome to the show once again.

Speaker: Thanks guys. Great to be here.

Speaker: So this week we want to talk about, we talk a lot about this. It comes up a lot, uh, you know, in shows.
Speaker: And everybody says you need a response plan, right? And, uh, you know, an incident response plan. And we talk, some people talk about a ransomware response plan, a cybersecurity response plan, an incident response plan. Can you just help define all of those, like what, you know, do they, do they fit? And, and of course I talk about a disaster recovery, uh, plan. Where do all... are, are these like Russian nesting dolls?

Speaker: Well, and what's an incident response plan to start with?

Speaker: Yeah. They are Russian nesting dolls. Uh, so an incident response plan is what are you gonna do in the event that an event, in the event that an event occurs that you then classify as an incident. And so the first part of an incident response plan is, how do I do that?

Speaker: You can't, you, you gotta define the difference then if you're gonna use that event...

Speaker: That's where I'm, that's where I'm going.

Speaker: Oh.

Speaker: The first part is, the first part of, of your incident response plan is how do I, how do I intake an event report? Uh, could be smoke, it could be, uh, my computer's acting weird. It could be, um, the website's down, uh, and then how do I classify that event as a type of incident, and then as a type of incident, what, what level of incident is it? 1, 2, 3, or, or however your organization classifies things. And so the first part is that, that analysis and categorization of an event into, uh, an incident and, uh, incident type and criticality.

Speaker: Right, and, and then...

Speaker: Go ahead.

Speaker: So then you have an incident, and based on what that incident type is, you would have what's called a playbook. So that playbook could be ransomware, that playbook could be denial of service, the website's down, uh, operational, you know, uh, outage type of playbook. Uh, or it could be, uh, misconduct, uh, you know, employee, employee misconduct or trying to access stuff that shouldn't, unauthorized access type playbook. Um, and you would. You, you would do an analysis of your organization's most likely threats and build playbooks based on those.

Speaker: And then playbooks are like we've talked about in the past, just sort of everything documented. Hey, if this happens, here's all the people involved. Here's all the steps that everyone takes. Here's who's responsible for what actions, here's who I have to talk to, and all the rest of that.

Speaker: Right.

Speaker: And here's who needs to be informed.

Speaker: Right. At least an outline. Uh, something's better than nothing. And then, and then back to Curtis's question about disaster recovery. And how does incident response plan it? It is nested because an event becomes an incident and an incident can then become a disaster. 'Cause essentially a...

Speaker: The, you know, you have a DR runbook, right? Or a play, you know, you're saying playbook, playbook, runbook, same thing to you.

Speaker: Yeah. It is.

Speaker: So, um, it, it's a, I, I think of it a, a bit like programming where DR runbook is, you know, is a function, is a library that can be called by the bigger program.

Speaker: Right.

Speaker: So that, that to me is like the, the, the deepest nested part, right, because only after we've had an incident, we've classified an incident. We've classified it as a cybersecurity incident. We've classified it as a, it's a ransomware event, and it's a ransomware event that needs restore. Right now we, you know, and then we have done our preparatory steps that we need to do because, you know, I talk about a lot about this a lot, and that is one of the big differences between a disaster recovery response and a, a ransomware response is that almost always the disaster is over.

Speaker: Right.

Speaker: The flood has receded. Um, because you, you can't start, you can't start your recovery until the flood has receded. The winds have stopped, the earthquake is over, the fire has been put out, whatever the disaster was, it's over, call the DR person. The, the big difference with a cyber event is that the attack is ongoing and you've got to put that fire out, uh, to, to use that analogy, before you can ever call the DR person, and that's why I'm saying it's sort of the most nested within, within the, the nesting dolls. What do you think of that comment?

Speaker: Completely agree.
Speaker: And, and just to add a level of complexity with regard to backups, uh, during your incident response. If it's a ransomware where there's some compromise that happened that led to the ransomware, then you've gotta make sure then also that the backups you're restoring don't also include the compromise.

Speaker: That you're trying to, to tie off?

Speaker: Correct. A lot more, a lot more attention to detail and, and analysis, uh, during an incident than, for sure, than, than, uh, cleaning up after a disaster.

Speaker: So you have these, so you said you take the event, you identify it, you put it into the right bucket of incidences, and then you put a severity alongside it, and then you just sort of execute your incident response plan. Now, are these like, I am sure it's hard to cover every single incident and severity or priority, right? That goes alongside it. So how do you sort of decide like, which ones am I actually going to create an incident response plan for? Which ones do I not need to? Because it all comes down to, like, resources in the company, right?

Speaker: It does. And, and that's where you're gonna start. So in, in your incident response plan, and this, this goes kind of back to the left a little bit in understanding the business and the, the way it operates and how technology supports the business and, and all the critical components of, uh, where, where the, the business revenue and, and, um, focus is. Uh, create an inventory of, of your, of your resources, both on the IT side. We should already have that, especially from a disaster recovery perspective. And I'll add this comment too. If you have a mature disaster recovery plan, then a lot of the work that you're gonna put into creating your incident response plan should have already been done. I've got an inventory of all our, our IT assets and where our data is and the SLAs for, you know, if this machine's offline for an hour, we, we lost a million dollars type of thing. Well then, and the, and the, the resources we need to address those disaster recovery activities. Who's the sys... Who owns that system? Who's our network administrator? Who's our Active Directory? Who's who? Who's our website? You should, you should know who all those subject matter experts and stakeholders and owners are, both on the IT side and the business side. Right? So understanding that, um, that environment of resources is critical to being successful in incident response.

Speaker: All right, well then to your question about do we, you know, we can't possibly have a playbook for everything, but what, what you'll learn, especially after you, you do your first playbook and your first tabletop exercise, is that there are very common elements of every incident response. You've got a leader that knows how to, that understands the environment and knows how to categorize an event appropriately. And then from that categorization of incident and priority can assemble the right people from this inventory of resources to be effective at responding to that incident. You know, if it's ransomware, it's kind of an all hands on deck thing, but if the website's down, I, I already know, I, I can look up who to call. I need our ISP, our host, our hosting site, the, the person that wrote the website, the person that knows all the backend systems that support the website. I've got all that hammered out, and we'll get on a call and I've got their phone number and their email and where they live and account numbers and all that stuff.

Speaker: So you don't have to basically cry wolf every single time.

Speaker: You don't, and you, and you should not. Uh, so you know when, when an incident happens and, and or an event happens and you're like, this is a true incident. You don't go push the button. You, you, you call the next person and get some, some, some feedback and some collaboration, uh, and then you start to expand the team as necessary. You don't, you don't call everybody to the table for every answer.

Speaker: And, and I think you, I think you... You mentioned this a little bit earlier, but I just want to, um, you know, when you, when you said that a lot of the work would've already been done, if you have a DR plan, that's great. If you don't have one, uh, that's not good. But, but I want to say that if this is the first time you're doing any of this kind of work, the really key first thing is the BIA. Right? It's like, because, you know, as nerds, as IT people, we, we, we very often, we, we focus immediately on the, you know, the cyber aspect or the recovery aspect or the backup aspect and, you know, how are we gonna get our network up? Okay, okay. We need to figure out what actually matters, right?
Speaker: What makes the company money? What's going to cost the company money when it's down?

Speaker: Right.

Speaker: What are things that we can do without and, and how long, and how long can we do without them? Uh, how much money are we losing when this part of the company is down? Right? Um, and when this part of the company is down, is there something else that the people that work on that part of the company can do to continue to make money for the company? Uh, or do we just send them home? Um, you know, so they're not twiddling their thumbs.

Speaker: And Curtis, when you said BIA, you meant business impact assessment, correct?

Speaker: Thank you.

Speaker: What do you, what do you think, Mike? Any, any additional...

Speaker: Absolutely. And so the BIA is valuable in so many ways. BIA will help you on your insurance. It helps you on your business continuity, your disaster recovery, your incident response, all your risk assessments. It's, it's very critical. And any, any due diligence for like acquisitions and mergers and all that stuff, it's, it's very critical. It's also a good, uh, it's also a good tool for process, uh, improvement and overhead analysis. Uh, it, it's, it's, it's really good. Well then, uh, to touch on something you mentioned, uh, you know, if, if this incident, or if this event happens and people can't do their work and you send them home, or what else could they be doing? Uh, that also touches on business continuity. So how do we keep running the business without technology, which is really what disaster recovery focuses on. Business continuity is that, that, that contingency plan for, you know, I can't use the phone anymore or, or that system's down and, and now we've gotta revert to pen and paper and, uh, how do I, how do I keep taking orders or scheduling repairs or whatever the case might...

Speaker: Somebody go find a big box of carbon paper.

Speaker: Yeah, like Curtis's, uh, doctor's office or that derecho that happened in the Midwest summer. Remember that episode, Curtis?

Speaker: Yeah. The derecho. Yeah, that's a great episode. We, we, we did have somebody on here who, who lived in a place, um, and they experienced a derecho. Have you ever even heard of a derecho?

Speaker: I've heard the term, but I don't, I'm, I'm assuming it, it's a...

Speaker: It just means a, a hurricane that forms over land. Um, don't have any idea why it's called what it's called, but that's what it's called. Um, so yeah, so we've done our, our business impact analysis. We, you know, we, we, we know all the parts. We know the... We know where to focus our efforts. And then we need to focus on the things that are likely to happen, the things that are likely to give us the biggest impact. And, you know, Prasanna, you talked about, you know, we can't do everything. We talk a lot on here about good, better, best, right? Good is to have something, to have some kind of outline for anything. If you have nothing, anything is better, is better than nothing.

Speaker: On the back of a napkin is fine too.

Speaker: Yeah.

Speaker: Yeah.

Speaker: Um, and the, what if you've got nothing, once you've done the impact analysis and, um, you've decided on, you know, we're gonna focus on, I, I think it wouldn't be, it wouldn't be crazy to say we're gonna focus on a ransomware event that takes out our, you know, priority one servers. What would be your next step?

Speaker: Well, I'll add some, I'll add some color to that scenario because part of your analysis may, may indicate that in the event of an, of an incident like that, you cannot reallocate people. Those people have to keep doing whatever it is they're doing. So your incident response plan should identify resources that you can bring in to augment your staff and address the incident, or vice versa. Maybe it's your, your full-time people addressing the incident, but then you need to bring in staff, you know, some contractors to continue daily operations or whatever that is. Or that you've got zero capability of responding to that incident and you've gotta bring in a third party, 100%, to, to support and you're just providing them guidance or oversight. And I mean, it's, it's kind of like, uh, the, the flood, the flood response, the Blackmon Mooring or whoever it is...

Speaker: Yep.
Speaker: ...where you've got a flood. Nobody, I don't know how to clean up a flood or respond to a flood. I know how to, I may know where the water shutoff valve is, but 100% of that response is gonna be some third party. And so that business impact analysis is gonna help you determine what proportion of inside, outside, you know, extra help you're gonna need and who's gonna do what.

Speaker: All right, so then, then the event happens, uh, and you're gonna, you're gonna use that resource playbook depending on what that, that event is, um, to bring in the right, the right resources, the right people, and, and start managing that response. So, if you'll have your playbook or your incident response plan, you've executed on it. You knew who the resources to pull in. I'm sure along the way, as you're going through this actual event, you probably see some gaps. Maybe you're probably fine tuning, tweaking, adjusting, adding to your incident response plan to update it so the next time it happens, you're better prepared. I guess the one question I have is, environments change. We've always talked about it, right? New systems come on board, new sites come up, new applications get deployed. There are new threats out there. What sort of frequency should people be thinking about going and revisiting their incident response plans? Because it's not helpful if, say, today, right? You have an incident response plan for how to deal with telephone communications from like 30 years ago, right? So how do you make sure that your plans are also up to date as the world changes, as your environment changes, and as the people change too?

Speaker: As a, as a good, as a good practice, good governance would be reviewing all your policies, procedures, and plans at least once a year. But I'll, I'll caveat that with any significant change to your personnel, your environment, or the way your business operates should then dictate a review of all the things that support. And, uh, not only support all of those things, but also support the response activity to any, any related incidents. Uh, so as often as it makes sense, but at least once a year.

Speaker: Okay.

Speaker: And I'll, I'll add to that too, that there's often two types of incident response plans. There's the very technical one with the playbooks and the contact information, the technical details. That's for the, the internal response team consumption. And then there's kind of a general population incident response plan, which is more like a guide to, well, how do I report stuff and what do I expect? And, um, you know, some that, that same plan may also include a provision that says you as an employee or contractor may be called upon as a subject matter expert to help respond to an incident. And so putting all that, all that stuff out there as far as expectations and guidance in a, in a, a shorter, you know, kind of condensed manual, similar disaster recovery, you know, there, there's like your evacuation plan and then there's the tech, the, the, the true disaster recovery plan that has a lot more detail on it.

Speaker: I like the idea of, I, I think one of the most crucial elements, if not the very first element that goes into an IR or DR plan, is the, the contact list, right? Who do you call for what, who's responsible for what? Um, what is Mike Saylor's cell phone number? Um, you know, to, to call. Because he's our guy to bring in, in the case of scenario, and again, you, you, you have to update that information 'cause that stuff changes all the time.

Speaker: Right. Um, and, and, and don't. Don't just Google Mike and his cell phone number and put it in your contact list. Actually, you, you've gotta call these people and say hello and, and you know, I'm, I'm, we need to, we need to establish a, a, a relationship or a rapport so that you, you are, uh, you will answer the phone when I call you, uh, and, and know that it's important.

Speaker: Yeah. 'Cause I don't answer, I don't answer unknown, uh, phone numbers. So, um, yeah.

Speaker: Same.

Speaker: Um, yeah, so we've got our contact list. Uh, we've got our vendor list, right? We've got our, um, all of tech, the technologies that are involved. Um, and we've got an escalation list, right? A list of what's go, who's going to be called when, and then also, who's going to be called when those people don't answer the phone?
Speaker:

Um, right, because I, I know that comes up in a, in a, um, like in a

 

 


Speaker:

tabletop, well, it comes up all the time.

 

 


Speaker:

Right.

 

 


Speaker:

Uh, Fred, who's the one that's responsible for A, B, C, uh, he's on vacation, right?

 

 


Speaker:

He, he's in Aruba.

 

 


Speaker:

Uh, good for Fred.

 

 


Speaker:

And he's taken an actual vacation and he is unplugged the cell phone.

 

 


Speaker:

And, uh, you know, and he's not taking our calls, so who's gonna take

 

 


Speaker:

Fred's call when Fred's not there?

 

 


Speaker:

That should be the case for every responsibility in the,

 

 


Speaker:

you know, in the company, right?

 

 


Speaker:

Uh, correct, and, and you should have a chart.

 

 


Speaker:

And, and if you remember from a previous episode, we call that a racy diagram.

 

 


Speaker:

That's right.

 

 


Speaker:

Yeah.

 

 


Speaker:

Uh, and spell that out again.

 

 


Speaker:

RACI,

 

 


Speaker:

responsible, accountable, consulted, and informed.

 

 


Speaker:

And so for everybody on your response team, you would, you would

 

 


Speaker:

indicate, and sometimes that changes based on what the playbook is.

 

 


Speaker:

Uh, but who's, who's, who are your primary responsible, uh, accountable

 

 


Speaker:

people for all the different types of incidents that you include, uh, in, in

 

 


Speaker:

your, in your, in your response plan.

 

 


Speaker:

Persona is the first person I call, uh, when I need to do something.

 

 


Speaker:

I don't know how to do, because I have this feeling that he

 

 


Speaker:

knows, he, he's watched a YouTube video about how to do it.

 

 


Speaker:

What does that seem, does that seem reasonable persona?

 

 


Speaker:

97% accurate, I would say.

 

 


Speaker:

he, he watches a lot of YouTube videos.

 

 


Speaker:

Um, all right.

 

 


Speaker:

So we have our, we have our, our list, our contact list, we have

 

 


Speaker:

the actual procedures, the actual runbooks that are, you know, the

 

 


Speaker:

different things that we're gonna do.

 

 


Speaker:

Uh, is there anything else that needs to go into response plan?

 

 


Speaker:

Yep.

 

 


Speaker:

So.

 

 


Speaker:

So at the, at the end of your response plan, you, you should

 

 


Speaker:

have as much reference material as you think is, uh, necessary.

 

 


Speaker:

So, you know, there's your, your instant response team contact list, but down at

 

 


Speaker:

the bottom, kind of to your point of, of third parties, but more than just

 

 


Speaker:

name and phone number, you may need an account number or a policy number

 

 


Speaker:

or, um, something specific, a pin.

 

 


Speaker:

Uh, you know, if there's, you know, multifactor, um, and then.

 

 


Speaker:

Something at the end.

 

 


Speaker:

Uh, towards the end, we have, I, I typically suggest appendices.

 

 


Speaker:

And so one of the escalation points of an incident is

 

 


Speaker:

whether or not it was a breach.

 

 


Speaker:

And the difference between incident and

 

 


Speaker:

breach can be significant

 

 


Speaker:

for a lot of different reasons.

 

 


Speaker:

What, you can get sued over a breach, right?

 

 


Speaker:

A breach might require that you, you

 

 


Speaker:

have, uh, reporting, reporting obligations to the state or

 

 


Speaker:

what have you.

 

 


Speaker:

So then, so there's a, there's usually an appendix that helps you walk through

 

 


Speaker:

kind of a decision tree to determine if a, if an incident was a breach,

 

 


Speaker:

well then we've got all of this, you know, maybe, especially if you're a

 

 


Speaker:

publicly traded company, what are your reporting requirements, uh, by state,

 

 


Speaker:

by statute, and then some things that you want to pre, uh, pre-negotiate.

 

 


Speaker:

Is with, and this is with, like, management and legal or HR, how do

 

 


Speaker:

we communicate different types of incidents internally and externally?

 

 


Speaker:

And so having those predefined templates for emails or phone calls

 

 


Speaker:

already in your plan, so you're not on

 

 


Speaker:

the phone for an hour negotiating with internal audit or legal about,

 

 


Speaker:

all right, how are we gonna say this?

 

 


Speaker:

You've, you've got all that stuff outta the way.

 

 


Speaker:

So Mike.

 

 


Speaker:

So we have everything documented.

 

 


Speaker:

I think one thing we didn't cover is where does this document live?

 

 


Speaker:

Because right if, because if it's like on your normal internal systems

 

 


Speaker:

and you get hit with a ransomware attack, now your incident response

 

 


Speaker:

plans are also potentially gone.

 

 


Speaker:

If you get hit by a hurricane or a flood and you have it in

 

 


Speaker:

physical paper form in the site location, those are probably gone.

 

 


Speaker:

So.

 

 


Speaker:

How do people store these and make sure

 

 


Speaker:

it's still accessible?

 

 


Speaker:

I've seen a lot of variations of this.

 

 


Speaker:

I've seen the All right, who's, whose turn is it to take the metal

 

 


Speaker:

box home in the trunk of their car?

 

 


Speaker:

Uh, I've seen people store it with their tapes at Iron Mountain.

 

 


Speaker:

I've seen people, uh, uh, pay for a service where it's like a cloud-based

 

 


Speaker:

disaster recovery thing, where different stakeholders have the ability

 

 


Speaker:

to log in and update their stuff, and that's where the plan lives.

 

 


Speaker:

Uh, and then, uh, I've also seen some pretty creative, uh, approaches to this

 

 


Speaker:

with like $0 retainers with a, a law firm.

 

 


Speaker:

And so pre-negotiate, get all the paperwork outta the way.

 

 


Speaker:

And I would, I would suggest this with an incident response firm.

 

 


Speaker:

And, and even, uh, uh, you know, if, if, if your staff isn't capable of, of

 

 


Speaker:

quickly fixing or building or re-imaging stuff, then go find a, a firm that, that

 

 


Speaker:

can provide you those resources and, and get all the paperwork done today.

 

 


Speaker:

And, but to my point, uh, uh, or back to my point about the law firm.

 

 


Speaker:

So a $0 retainer establishes that, and it gets all the deconfliction out of the way.

 

 


Speaker:

Uh, but send, give them your, your DR and incident response plan.

 

 


Speaker:

And because you're gonna call them anyway,

 

 


Speaker:

uh, make sure that you've got their phone numbers, but you're, it's great.

 

 


Speaker:

Great point.

 

 


Speaker:

I've seen in a lot of cases where, you know, we're trying to, there's an

 

 


Speaker:

incident, we're trying to coordinate response and their networks, their

 

 


Speaker:

internet's down, their email's down and, and, you know, how do, how do we even

 

 


Speaker:

coordinate among their response team?

 

 


Speaker:

And so having a, having a relationship with someone that can.

 

 


Speaker:

That can provide you that, that communications medium, but also, uh, be

 

 


Speaker:

a, a good place to keep your, your plan.

 

 


Speaker:

Yeah, I, I, my personal preference is I like having an electronic version

 

 


Speaker:

because it's easier to maintain, but I also like having that paper version and

 

 


Speaker:

the way I like having the way I like.

 

 


Speaker:

Creating a paper version is in a loose-leaf type of notebook, so that allows

 

 


Speaker:

me, when I update a couple of pages, I can just rip out at those pages and

 

 


Speaker:

replace those pages so that I'm not printing an entire tree of documentation

 

 


Speaker:

every time I go to update the runbook.

 

 


Speaker:

Um, and I do like that idea of having it, having it stored somewhere else

 

 


Speaker:

other than the company, but close by.

 

 


Speaker:

Right.

 

 


Speaker:

If we're talking about actual paper.

 

 


Speaker:

It needs, you know, you talked about a law firm, you talked about an incident

 

 


Speaker:

response team somewhere that stuff is stored, that's accessible to us as a

 

 


Speaker:

company, but, uh, but not too accessible because it's in the data center that,

 

 


Speaker:

uh, that we're trying to recover.

 

 


Speaker:

Or at least a copy.

 

 


Speaker:

Right.

 

 


Speaker:

Store it somewhere

 

 


Speaker:

A copy.

 

 


Speaker:

Yeah.

 

 


Speaker:

Um, of course the more copies you have, the more trouble you

 

 


Speaker:

have maintaining those copies.

 

 


Speaker:

Right.

 

 


Speaker:

But the, the, um, the, uh, and I think the, the, the physical paper

 

 


Speaker:

issue is less of an issue during a cybersecurity event as it, than it is

 

 


Speaker:

in a, in a disaster where the, you know, the building blew up or was on fire.

 

 


Speaker:

But, I cannot overstate the value of, um, of a paper document, right?

 

 


Speaker:

In a, in an event that potentially takes out your, you know,

 

 


Speaker:

everything that you have, right?

 

 


Speaker:

I mean, I mean, I'm, you know, I'm a, I'm a huge fan of the

 

 


Speaker:

cloud, putting stuff in the cloud.

 

 


Speaker:

Uh, what if you got no internet, right?

 

 


Speaker:

Cloud's, cloud's great, but you can't see the clouds anymore.

 

 


Speaker:

Yep.

 

 


Speaker:

Yep.

 

 


Speaker:

So, switching topics, so we have the cybersecurity incident

 

 


Speaker:

response plan, which for a company documents who all the people are,

 

 


Speaker:

how they respond, and all the rest.

 

 


Speaker:

This is a goldmine for malicious actors, right?

 

 


Speaker:

So if they got their hands on this right, they know your entire playbook.

 

 


Speaker:

It's like if you got the military plans for like the nuclear weapons and

 

 


Speaker:

like how things will respond, right?

 

 


Speaker:

So how, like how should people go about protecting these from these bad actors?

 

 


Speaker:

So it should be considered or classified as a, a confidential or sensitive

 

 


Speaker:

document, so password protected, you know, make sure it's stored

 

 


Speaker:

appropriately with restricted access.

 

 


Speaker:

Uh, but you're right.

 

 


Speaker:

In fact, uh.

 

 


Speaker:

We did a tabletop exercise on ransomware for a, an engineering company.

 

 


Speaker:

Uh, and then shortly after the tabletop, they actually had a ransomware attack.

 

 


Speaker:

Uh, come to find out the threat actors had been in that environment for six months

 

 


Speaker:

and were actually privy to the tabletop exercise and had access to their incident

 

 


Speaker:

response plan and their insurance

 

 


Speaker:

policies and all these other things, which then help them better

 

 


Speaker:

strategize and facilitate the attack.

 

 


Speaker:

And.

 

 


Speaker:

Uh, which, and they got paid, you know, they, they made several million

 

 


Speaker:

dollars off of that deal because they were, they were informed, uh, and

 

 


Speaker:

they knew what the capabilities were.

 

 


Speaker:

They knew that they were gonna be, um, ineffective at responding

 

 


Speaker:

to a ransomware attack, um,

 

 


Speaker:

Yeah.

 

 


Speaker:

Make sure that you, you fix all the problems identified in a tabletop exercise,

 

 


Speaker:

and this organization did not.

 

 


Speaker:

Well, I, I think that's a great question.

 

 


Speaker:

And I think it goes back to the same thing that we advise for

 

 


Speaker:

backup systems: segregation, right?

 

 


Speaker:

Making sure that it's just not on the same systems with the same usernames

 

 


Speaker:

and passwords protected by active directory and an admin and an active

 

 


Speaker:

directory admin password, right?

 

 


Speaker:

It's gotta be more than that.

 

 


Speaker:

And, and that's, and I think that's where SaaS providers can be very helpful.

 

 


Speaker:

Right.

 

 


Speaker:

Uh, I like this idea, you know, um, that you talked about Mike, of having

 

 


Speaker:

a, you know, basically services that will, that they probably have,

 

 


Speaker:

Templates and things that you can use for an incident response

 

 


Speaker:

plan and help build it out.

 

 


Speaker:

It makes making that easier.

 

 


Speaker:

And then also it's, it's stored in a different environment than yours.

 

 


Speaker:

Uh, of course you gotta vet all their security because, Prasanna, you are 100%

 

 


Speaker:

right, that that would be a gold mine.

 

 


Speaker:

Just like backup systems are a gold mine.

 

 


Speaker:

You get, you get in charge of the backup system and you have, you know,

 

 


Speaker:

why, why hack all the servers when I can just restore the data that I want?

 

 


Speaker:

Right?

 

 


Speaker:

Um, any final thoughts, Mike?

 

 


Speaker:

Any final things we need to say about creating an incident response plan?

 

 


Speaker:

Yes, the design of that plan will drive its effectiveness.

 

 


Speaker:

And so, uh, from an audit perspective, um, well, even more fundamentally

 

 


Speaker:

controls perspective, an incident response plan or program would be considered

 

 


Speaker:

a control, uh, that helps drive the effectiveness of your organization.

 

 


Speaker:

There's two parts of a control.

 

 


Speaker:

There's the design of the control, and then there's the operational

 

 


Speaker:

effectiveness of a control.

 

 


Speaker:

And so we can put this plan together.

 

 


Speaker:

We can have all these whiteboarding sessions and phone

 

 


Speaker:

calls about who's doing what.

 

 


Speaker:

And we put it all in this document.

 

 


Speaker:

We feel great about it, but it doesn't mean a thing if you don't walk through

 

 


Speaker:

it to see how effective that design is.

 

 


Speaker:

And that's, you have to do table, you have to do an exercise to test

 

 


Speaker:

the effectiveness of your plan.

 

 


Speaker:

'cause like Mike Tyson said.

 

 


Speaker:

Yeah, everybody has a plan until I hit 'em.

 

 


Speaker:

And so your response plan is, that's all it is, is a plan until, until you get hit.

 

 


Speaker:

And if you don't, if you haven't, if you haven't walked through

 

 


Speaker:

it, you're not gonna know how well you, uh, respond to that.

 

 


Speaker:

That hit.

 

 


Speaker:

Yeah, I really thought you were gonna rhyme earlier.

 

 


Speaker:

You know, you something.

 

 


Speaker:

I forgot what you said.

 

 


Speaker:

It's, uh, you don't got that thing or something.

 

 


Speaker:

I thought you were gonna rhyme there, but, you know, uh, but I, yeah, I,

 

 


Speaker:

I, I thought exactly about that.

 

 


Speaker:

That Mike, that Mike Tyson comment.

 

 


Speaker:

You know, everybody, everybody got a plan until they get hit in the face.

 

 


Speaker:

Absolutely.

 

 


Speaker:

All right, well thanks again, Mike for uh, walking us through

 

 


Speaker:

and thanks again for some great questions this time.

 

 


Speaker:

Prasanna,

 

 


Speaker:

I, I think I'm starting to think more like a bad actor, which is kind of.

 

 


Speaker:

Fun.

 

 


Speaker:

That's what you gotta do, right?

 

 


Speaker:

Gotta think like a bad actor.

 

 


Speaker:

Absolutely.

 

 


Speaker:

All right, and thanks to our listeners, we do this for you.

 

 


Speaker:

Uh, reach out to us, say hi.

 

 


Speaker:

Go to backupwrapup.com and put in a comment.

 

 


Speaker:

I love getting comments from people.

 

 


Speaker:

Um, and, uh, you know, rate us go.

 

 


Speaker:

You know, if you love us, rate us.

 

 


Speaker:

If you hate us, don't.

 

 


Speaker:

Anyway.

 

 


Speaker:

Uh, that is a wrap.

 

 


Speaker:

The Backup Wrap-up is written, recorded and produced by me, W. Curtis Preston.

 

 


Speaker:

If you need backup or DR

 

 


Speaker:

consulting, content generation or expert witness work,

 

 


Speaker:

check out backupcentral.com.

 

 


Speaker:

You can also find links to my O'Reilly books on the same website.

 

 


Speaker:

Remember, this is an independent podcast and any opinions that you

 

 


Speaker:

hear are those of the speaker.

 

 


Speaker:

And not necessarily those of an employer.

 

 


Speaker:

Thanks for listening.