Suffolk Computer Consultants, Inc. Blog

Suffolk Computer Consultants, Inc. has been serving the Speonk area since 2013, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Test Your Incident Response with a Hypothetical Crisis

Imagine getting to the office Tuesday morning, ready for another productive day, when your lead admin walks in with bad news. The file infrastructure is down, and so is everything else. It’s been encrypted by ransomware, and you’re the latest target of a zero-day ransomware attack that managed to bypass your antivirus. What do you do?

That’s what we’re here to find out. Let’s walk through a hypothetical situation to test your incident response readiness.

Phase 1: Containment

The ransomware is moving across your network, actively hunting down backups so it can delete them.

Do you have a kill switch protocol? Your team must immediately disconnect the infected machines from both the wireless and wired networks. Don’t worry about a graceful disconnection; this is manual isolation to keep the rest of your network safe.

Make sure your employees know how to physically isolate their machines without waiting for IT approval in the event of a crisis.

Phase 2: The Backup Audit

Once your IT partner has been notified, you need to remember one key statement: “I’m not paying the ransom.”

You can restore a backup, provided it’s available. So, are your backups immutable? These days, hackers target standard cloud backups first, and if your backups are read/write, the hacker has probably already encrypted those, too.

If your backups were deleted right now, do you have an off-network or immutable backup that the hackers can’t touch?

Phase 3: The Virtualization Pivot

While you’re figuring out this whole mess, you have clients calling and a team that’s sitting around idly.

This downtime is costing you thousands in billable revenue and reputation loss. Can you virtualize your business to get it back in order before it collapses under the downtime? With a modern Backup and Disaster Recovery solution, you don’t have to wait for your physical servers to be rebuilt; you just spin up a clean backup in the cloud. Your team can log back in and get to work on the “clone” of your business while the cleanup of the physical hardware happens in the background.

So, can you get back to 100 percent productivity in under 4 hours, or are you looking at a four-day rebuild?

Phase 4: Forensics and Compliance

With the immediate crisis resolved, it’s time to turn toward the legal work required.

You’ll probably have reporting requirements for your insurance and potentially your state’s data privacy board. Do you have a breadcrumb trail you can follow to figure out what data was accessed and how? If you have Endpoint Detection and Response, you can show how the breach was contained to a single folder and no client data was stolen. Without those logs, you have to assume the worst and notify every client that you’ve been had—and that’s both embarrassing and potentially damaging.

Check to make sure you have forensic logs required by your cyber-insurance policy and other regulatory bodies to prove you weren’t negligent.

So how did it go? Think you’re ready to handle a potential crisis? Whether you failed the drill or not, know Suffolk Computer Consultants can get your incident response to where it needs to be. Learn more today by calling us at 631-905-9617.
