Incident Response: Don’t Wait Until It’s Too Late to Plan


By Mat Gangwer, vice president of managed threat response

You’ve been hit by ransomware. You can’t log into Windows, open files or boot servers; all you can see is a lock screen demanding payment.

The decisions you make in the following seconds, minutes and hours will carry long-term consequences. Do you pull the Ethernet cable on the affected servers, or shut down the entire network? Or do you first sound the alarm and notify leadership, and if so, how? Is email safe to use, or are the mail and phone systems themselves compromised?

Without the guidance of an incident response plan, it can be difficult – if not impossible – to effectively respond amidst the chaos that ensues. From initial threat detection, containment and neutralization to the removal of adversaries from the network, there are a number of stakeholders and partners that need to collaborate, weigh business implications and determine next steps.

Now is the time to invest in incident response planning; don’t wait until it’s too late. Follow these five steps to set the stage for internal alignment and streamlined collaboration:

  1. Maintain good IT environment hygiene. Robust hygiene reduces the likelihood of incidents in the first place, so routinely review your security controls, patch known vulnerabilities, and close exposed services such as remote desktop protocol (RDP) ports reachable from the internet.
  2. Keep a hard copy of your incident response plan. Always have a physical copy of your incident response plan on hand. If your organization is hit with ransomware, digital copies of your plan may be among the files encrypted, and the systems that host them may be offline.
  3. Leverage Managed Detection and Response (MDR) specialists with incident response experience. Even experienced internal security teams benefit from MDR operations teams with extensive industry knowledge. These providers are well-versed in the specific threats you face and know how to respond swiftly and effectively.
  4. Prioritize cross-team collaboration. Cyberattacks affect all aspects of your organization. Ensure all teams – including finance, legal, marketing, and more – are involved in decision-making and risk assessment.
  5. Stay agile. Keep in mind that some aspects of your incident response plan require a flexible approach. Even with a robust plan in place, be prepared to adapt to new threat evolutions – and to adjust your incident response plan accordingly.
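Step 1 above calls for routinely checking that remote-administration services are not exposed to the internet. The following added example (not from the article or from Sophos) shows one way to automate that check: it audits a constructed list of inbound firewall or security-group rules and reports any that allow RDP, SSH, WinRM or SMB from 0.0.0.0/0 or ::/0. The rule format, rule names and sample data are assumptions made for illustration; it goes slightly beyond the text by covering several admin ports and port ranges, not just RDP.

```python
"""Flag remote-administration ports exposed to the whole internet.

Added example, not from the original article: audits a constructed list
of inbound firewall / security-group rules and reports any that allow
RDP, SSH, WinRM or SMB from 0.0.0.0/0 or ::/0. The rule dictionary
format used here is an assumption, not a real vendor's schema.
"""
import ipaddress

# Services a hygiene review should never find open to the internet.
ADMIN_PORTS = {
    3389: "RDP",
    22: "SSH",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
    445: "SMB",
}


def is_world_open(cidr: str) -> bool:
    """True if the source CIDR covers the entire IPv4 or IPv6 internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def exposed_admin_ports(rule: dict) -> list:
    """Return the admin service names an inbound allow rule exposes to everyone.

    Only inbound TCP (or protocol-agnostic) allow rules with a world-open
    source are considered; deny rules and VPN-scoped sources are ignored.
    """
    if rule.get("direction") != "inbound" or rule.get("action") != "allow":
        return []
    if rule.get("protocol") not in ("tcp", "any"):
        return []
    if not any(is_world_open(src) for src in rule.get("sources", [])):
        return []
    lo, hi = rule["port_range"]  # inclusive range, e.g. (3389, 3389)
    return [name for port, name in sorted(ADMIN_PORTS.items()) if lo <= port <= hi]


def audit(rules: list) -> list:
    """Return (rule id, service) findings for internet-exposed admin ports."""
    findings = []
    for rule in rules:
        for service in exposed_admin_ports(rule):
            findings.append((rule["id"], service))
    return findings


# Constructed sample rules for illustration; not real infrastructure.
SAMPLE_RULES = [
    {"id": "sg-web-443", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "port_range": (443, 443), "sources": ["0.0.0.0/0"]},
    {"id": "sg-rdp-any", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "port_range": (3389, 3389), "sources": ["0.0.0.0/0"]},
    {"id": "sg-rdp-vpn", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "port_range": (3389, 3389), "sources": ["10.8.0.0/16"]},
    {"id": "sg-all-tcp-v6", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "port_range": (0, 65535), "sources": ["::/0"]},
    {"id": "sg-deny-rdp", "direction": "inbound", "action": "deny",
     "protocol": "tcp", "port_range": (3389, 3389), "sources": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for rule_id, service in audit(SAMPLE_RULES):
        print(f"{rule_id}: {service} open to the internet")
```

Run against the constructed sample, the audit flags the world-open RDP rule and every admin port inside the IPv6 "all TCP" rule, while leaving the HTTPS rule, the VPN-scoped RDP rule and the deny rule alone. In practice the same logic would be fed from an export of your real firewall or cloud security-group configuration.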

Proactive response planning allows internal teams to evaluate different response protocols through rigorous mock scenarios and tabletop exercises. This practice helps organizations strengthen their response muscles as the plan matures and identify problems with existing processes before a real incident exposes them.

It also gives stakeholders the opportunity to build internal alignment and prepare to integrate an outsourced MDR provider. Human-led threat hunting executed at scale makes incidents less likely to occur in the first place, and in the worst case, when one does, on-demand intervention from an experienced MDR partner can significantly reduce its impact.

Contact Sophos to get help building your own incident response plan or to learn more about how Sophos MDR and incident response services can help.
