• The attack has been contained, and the damage has been limited
• Initial triage has been completed and the scope of the attack is known
• Inventory of the infected systems and their data has been completed
• Relevant stakeholders have been notified of key information, including the communication plan going forward
• Incident response (IR) and disaster recovery (DR) plans have been retrieved from their secure location
Now the organization is ready to move from initial response, which is focused more on immediate damage mitigation, to IR, which is more focused on triage, investigation, forensics, and analysis. Here’s where the IR and DR plans put together by the IT and security teams (see: “Creating Disaster Recovery and Incident Response Plans” page) are going to be so important. There’s going to be a lot of pressure from all sides to get different services turned back on quickly, but the plans are there for a reason. Follow them unless an extenuating circumstance requires a departure from them.
Any deviation from the documented plans should be authorized by senior leadership. This rule empowers your team to tell any person or department requesting a change that they have to go through leadership. After all, it’s the leadership of the organization that has to decide the priorities of the organization.
It is possible that after the initial triage, the damage from the ransomware attack will turn out to be minimal and everything will be fully restored within a few days. But that’s rarely the case. As always, organizations should plan for the worst and hope that thoughtful planning, combined with talented IT and security teams, prevents the worst from coming to pass.
NOTE: This page assumes you have a Disaster Recovery (DR) plan in place. If you need help creating a DR plan, consider reviewing these two resources: