May 19, 2021

Incident Response Management

In the heat of a cyberattack, successful mitigation depends on good incident response planning and execution.

This article is based on a panel discussion at ChannelPro’s Cybersecurity Online Summit held earlier in the year.

A decisive plan, fast response, and clear communication are all critical components when a cyberattack occurs. Here, seasoned channel pros provide advice on four incident response scenarios.

YOUR CUSTOMER JUST GOT HIT BY RANSOMWARE. WHAT’S THE FIRST THING YOU DO?

  1. Activate your incident response plan

Assemble your incident response team and implement the plan, which includes determining the type of breach and where the exposure is, advises Corey Kirkendoll, president and CEO of 5K Technical Services, in Plano, Texas. That may include bringing in your legal team and your insurance agency for guidance, particularly if you have a customer that deals with medical or financial records and must follow compliance regulations.


A step-by-step plan is critical, agrees Jayson Ferron, CISO/CEO of Interactive Security Training. “You should be able to have it on the wall [showing], I’m going to do this first, this second, this third, this fourth.” It’s also important for proving due diligence, says Brian Weiss, CEO of iTech Solutions, in San Luis Obispo, Calif.

  2. Communicate, communicate, communicate

Immediately inform the client that they’ve been hit with ransomware and that you may need to cut off users from company resources in order to mitigate the threat, says Weiss.

Urge your client to involve their own insurance company right away if they have compliance regulations they need to adhere to, he adds. “If they’re going to be responsible for funding for damages, they’re going to want to make sure you’re following what they want you to do. Otherwise, they might come back and say, ‘Hey, you didn’t perform due diligence. Therefore, we aren’t covering this set of damages.’”

  3. Isolate the threat vector

As soon as you know what the threat vector is, remove it from the network and begin mitigation efforts, Kirkendoll advises. After you understand the depth of the exposure, he adds, start collecting evidence logs. At the same time, locate backups and make sure they’re offline in case the attacker is still active in the network, says Michael Cocanower, CEO of Phoenix-based itSynergy.

THE ATTACK WASN’T JUST RANSOMWARE, THEY GOT INTO THE CLIENT’S DATABASE TOO. WHAT DO YOU DO?

  1. Verify backups

Once you’ve verified the backups and know how far back the intrusion goes, you can perform a full or partial recovery, Kirkendoll says.


  2. Identify the access method

Whether it’s through the cloud or on premises, identify how the attack came in, Weiss advises. Was it via an API connection or through a user account? “Shutting down the database could be a quick and easy way to cut off access.” He adds that you may want to implement conditional access to block a particular IP or country.

  3. Determine the type and value of exfiltrated data

If there is potential exposure of personally identifiable information (PII), for instance, your customer may be subject to data privacy requirements, says Cocanower. Every state has different disclosure requirements and different reporting time frames, he adds. Bringing in the legal team from your customer’s cybersecurity provider can help you understand the obligations.

THIS TIME YOU ARE THE VICTIM, YOUR RMM HAS BEEN BREACHED. WHAT ARE YOUR FIRST THREE STEPS?

  1. Secure your RMM

Shut down your RMM, inform clients immediately, and begin remediation, Weiss says. This can involve disabling accounts, resetting passwords, and setting up conditional access, among other things. Bring in your RMM vendor too, Weiss adds. “There may be things they know about that you don’t.”

If it’s a cloud-based RMM, he continues, “you’re immediately looking for scheduled or quick jobs that [attackers] might have kicked off across your devices that maybe haven’t run yet … even if you cut off their access, they could have left something behind [and] it’s still doing damage.”

Know the emergency contacts for a cloud-based RMM provider, Ferron stresses, and be sure they spell out how they’ll notify you if another MSP in that shared environment has a breach.


In addition, stop all automated scripts, Kirkendoll says, and make sure you have a way to access client devices outside of the RMM, so you can continue to manage those devices remotely if your RMM system isn’t available.
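As an added example of the job hunt Weiss describes (this is not code from the panel, ChannelPro, or any RMM vendor), the following Python triages an RMM job export for jobs an attacker may have queued before access was cut off. It assumes a generic export with one JSON object per line and the hypothetical fields job_id, name, created_by, created_at, status, targets and command; the sample export, the suspected compromise start time, the operator allow-list and the fleet size are all constructed for the example, and real RMM platforms each have their own export format and field names.

```python
"""Triage queued RMM jobs after a suspected RMM compromise.

Added example with hypothetical field names; not an RMM vendor's API.
"""
import json
from datetime import datetime, timezone

# Constructed sample export: one job per line. The encoded PowerShell and
# the shadow-copy deletion are the kind of payload a pending job can carry.
SAMPLE_EXPORT = """\
{"job_id": "J-1001", "name": "Weekly patch scan", "created_by": "ops.auto", "created_at": "2021-05-10T02:00:00Z", "status": "completed", "targets": 340, "command": "Invoke-PatchScan.ps1"}
{"job_id": "J-1002", "name": "Maintenance", "created_by": "svc-admin", "created_at": "2021-05-18T23:41:00Z", "status": "scheduled", "targets": 1200, "command": "powershell -enc QUFBQQ=="}
{"job_id": "J-1003", "name": "Disk cleanup", "created_by": "j.smith", "created_at": "2021-05-18T09:15:00Z", "status": "scheduled", "targets": 12, "command": "cleanmgr /sagerun:1"}
{"job_id": "J-1004", "name": "Backup prep", "created_by": "svc-admin", "created_at": "2021-05-19T00:05:00Z", "status": "queued", "targets": 1200, "command": "vssadmin delete shadows /all /quiet"}
{"job_id": "J-1005", "name": "AV update", "created_by": "ops.auto", "created_at": "2021-05-19T01:00:00Z", "status": "queued", "targets": 1200, "command": "Update-Definitions.ps1"}
"""

# Job states that mean "has not run yet"; anything here can still do damage.
PENDING = {"scheduled", "queued", "pending"}

# Command fragments that warrant a look regardless of who created the job.
SUSPICIOUS = ("-enc", "iex", "downloadstring", "vssadmin", "bcdedit", "wbadmin", "cipher /w")


def parse_export(text):
    """Parse the line-delimited JSON export into a list of job dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """Parse the export's UTC timestamps (assumed ISO 8601 with a Z suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(jobs, compromise_start, known_operators, fleet_size):
    """Return {job_id: [reasons]} for jobs to cancel or review by hand."""
    findings = {}
    for job in jobs:
        reasons = []
        in_window = parse_ts(job["created_at"]) >= compromise_start
        pending = job["status"] in PENDING
        if pending and in_window:
            reasons.append("pending job created inside the incident window")
        if in_window and job["created_by"] not in known_operators:
            reasons.append(f"created by unrecognised account {job['created_by']}")
        hits = [s for s in SUSPICIOUS if s in job["command"].lower()]
        if hits:
            reasons.append("suspicious command content: " + ", ".join(hits))
        if pending and job["targets"] >= fleet_size:
            reasons.append("targets the whole fleet")
        if reasons:
            findings[job["job_id"]] = reasons
    return findings


def cancel_list(findings):
    """Job IDs to cancel first, in a stable order for the ticket."""
    return sorted(findings)


if __name__ == "__main__":
    jobs = parse_export(SAMPLE_EXPORT)
    hits = triage(jobs, parse_ts("2021-05-18T22:00:00Z"), {"ops.auto", "j.smith"}, 1200)
    for job_id in cancel_list(hits):
        print(job_id, "->", "; ".join(hits[job_id]))
```

The last sample job is there on purpose: a legitimate automation run also lands in the output once it is pending inside the window and targets the whole fleet, so the list is a review-and-cancel queue rather than a verdict. Jobs created before the window (J-1003) are left alone even though they have not run, and the RMM vendor's own audit log should be used to confirm who really created each flagged job.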

  2. Bring in the experts

Tap your insurance company as quickly as possible for access to legal, PR, and other resources, Cocanower says. And if you have clients with regulatory concerns, contact their insurance companies as well, Weiss adds.

If you’ll be performing a forensics analysis later, disconnect the server from the network but leave it running, Ferron advises. “When the forensic team comes in, they can grab the memory that’s running in the server,” he explains.

  3. Communicate facts

Once you’ve collected logs and fully understand what happened, communicate that to clients, Kirkendoll says.

Cocanower agrees. “What you don’t want to do is create a bunch of confusion in the beginning where you’re putting out all kinds of information and then having to go back and correct some of that later.”

WHAT ARE THE BEST WAYS TO PREPARE YOUR CUSTOMERS AND YOUR EMPLOYEES FOR AN INCIDENT BEFORE ONE OCCURS?

  1. Train, train, train

5K Technical Services offers security awareness training both in-person and online, and conducts mock tabletop exercises on incident response. “[Clients] get a chance to understand what we do in the event that something happens,” Kirkendoll says. “It also helps us continue to get better and helps make them aware of what is really important—what’s valuable when it comes to recovery—because that’s key for us as well.”


  2. Focus on business continuity

Weiss says it’s important for clients to understand that an incident can happen so they recognize the importance of investing in business continuity technology and drafting their own incident response plan. “There are things that they’re going to be responsible for doing on their end in order for you to be successful.”

  3. Use the power of storytelling

Talking with customers about the dangers of cyberattacks doesn’t always resonate, Cocanower says. Telling them a story about a real cyberattack, the sequence of events, what that customer had to go through, and what the implications were “makes it very real” and a more powerful message.

POST-MORTEM

While a security incident is unfortunate, it’s also a tremendous time for learning, Cocanower says. “If you aren’t disciplined about sitting down with your team after the flames have died down and really going through in a calm and methodical fashion, and determining what lessons can be learned, and then changing your processes based on those lessons, you’ve really wasted an opportunity.”

Cocanower says MSPs also need to be disciplined in following the same advice given to clients. “All those things you put in place for your customers, like the risk assessments and the incident response plans, you need to be doing those for yourself as well.” If you’ve done that, he says, you’re ready when an incident occurs: “Pull your incident response plan off the shelf, turn to page one, and start following the directions.”

Image: iStock
