Beyond the playbook: What to do when you're attacked

In an exclusive opinion, Emma Leith, director of consulting at Bridewell, looks at critical extra steps to protect your business from ransomware attacks

Effective incident response involves far more than just a playbook. Organisations must continuously plan, prepare, and remain current to improve response times and strategies for potential incidents, clearly defining the thresholds and triggers for playbook execution.

After an attack, it’s a race against the clock to investigate, contain and address a multitude of issues. But is your team confident in knowing exactly what to do and when?

Pre-planning and preparation
A proactive cybersecurity posture involves acting before any attack occurs. As such, organisations must plan early to ensure the right sequencing and timing for effective incident response, firmly establishing key definitions, classifications, responsibilities, and triggers.

This means classifying all potential incidents based on overall severity and business impact, and ensuring that all relevant personnel are familiar with these categories. Not only does this help determine the nature and extent of an incident – which facilitates the quick invocation of specific crisis plans – but it also clarifies the involvement of key stakeholders, including the board and communications teams.

Accordingly, media spokespeople should be determined well in advance of an attack, with regular media training for effective communication during high-profile incidents. Key documents must be prepared, maintained, authorised and readily accessible for timely decision-making about the disclosure process. This also helps organisations to incorporate regulators’ predefined triggers and processes into their own incident response plan.

In light of increasingly frequent, sophisticated, and damaging ransomware attacks, a clear ransomware policy is crucial for the board to establish a pre-determined stance on paying ransoms, accounting for potential legal implications. Organisations can then enhance this policy by retaining an external ransomware negotiator.

By weaving together these different aspects at the earliest opportunity, organisations can create an effective playbook with specific plans for the immediate seconds, minutes, hours, and days following an attack.

Identification and containment
The more prepared an organisation is before an attack, the faster it can efficiently identify and contain the threat when it strikes, reducing the ‘time to value’ period. Prompt and effective triage post-incident will further accelerate this process.

In these critical seconds and minutes, pre-planned identification and classification systems are crucial in determining the incident’s scope, nature, and impact on the integrity and availability of affected data and systems. An impact assessment will also help guide response actions according to severity and potential consequences.

Technical teams are at the core of incident response, so they require training on immediate steps outlined in the playbook, including preserving evidence, conducting digital forensics, and investigating root causes and underlying issues from the outset. They must also know precisely where to access the data they need for initial information gathering, as the timely provision of essential facts is crucial for quick escalation and senior executive involvement. But, let’s not forget business and strategic stakeholders as they also have a key role to play.

Following identification and confirmation, the containment phase of incident response must similarly be underpinned by thorough planning, preparation, and robust documented guidance. After all, without a strong comprehension of potential damage, how can any organisation effectively mitigate it?

Eradication and recovery
Over subsequent hours and days, focus may well shift towards eradication and recovery phases. However, organisations must still adhere to pre-prepared definitions and processes. For example, to quickly recover a normal level of operation (NLO), businesses need a clear understanding of the baseline “normal” state.

Regular reviews of continuity planning are therefore essential to proactively identify any gaps, weaknesses, and outdated aspects before an incident occurs. In fact, these continuous reviews are vital in connecting all incident response stages together. The quicker and more effectively organisations utilise the playbook for identification and containment, the faster they can eradicate and recover from the attack.

Lessons learned
Incident response is a cyclical process, with no fixed start or end point. Therefore, organisations must continually analyse lessons learned to identify improvements and reduce ‘time to value’. Stepping back to review and evaluate the response is crucial for enhancing organisational resilience and preparing for future incidents.

Security leaders should also take this opportunity to periodically review their playbooks, complementing this with organisation-wide simulations and tabletop exercises to create a feedback loop to the initial pre-planning and preparation stages.

Today’s security landscape demands constant vigilance and proactive measures. By prioritising ongoing, comprehensive planning and preparation, organisations can strengthen their incident response and mitigate the potential consequences of a cyberattack before it even happens.