Tags: The NIST CyberSecurity Framework, CyberSecurity Awareness Month
Author: Brian Knudtson
Date: October 28, 2022

The NIST CyberSecurity Framework: Respond

So you’ve found a cyberattack in your environment. The first step is to not panic. The second step is to pull out your cybersecurity response plan, which you’ve hopefully written down during a non-stressful time well before the incident. If you don’t have that plan documented yet, bookmark this page and go find a reputable incident response service provider to help you out. When you return, we’ll discuss what you should do to prepare yourself for a cybersecurity incident response.

Due to your efforts to protect yourself in the third phase of the NIST Cybersecurity Framework — “Detect” — you now know you have a cybersecurity incident on your hands. If you haven’t yet read our first three CyberSecurity Awareness Month posts, which highlight the functions of the NIST CyberSecurity Framework, you can find them here (Identify, Protect, and Detect). Today, we tackle the start of the fourth stage — “Respond” — perhaps the most panic-prone stage. The adrenaline involved in responding to a cyberattack is why planning is critical in this phase.

Time is of the essence when fighting off a cyberattack, so figuring out what to do during the attack is not ideal. The plan should be worked out ahead of time and practiced regularly so everyone knows their role during the event. Of course, no plan survives engagement with the enemy, but that is no reason not to have a plan; it’s a reason to have multiple flexible plans focused on what needs to happen. Ultimately, your reaction should be second nature so your brain can concentrate on analyzing data, not on deciding what needs to happen next.

Blue Team … Assemble

One of the most important parts of your incident response plan is to identify the team that needs to be involved. This team should include not only internal employees, but also any external support, including vendor support contacts and third-party incident response, legal, and/or cyber forensics teams. Beyond identifying individuals and teams, the plan should include how everyone will be contacted, which is commonly done via call sheets, notification trees, and group messaging. It should also identify how all the team members will get together and coordinate, which should include both in-person and virtual options.

Through all this planning, consider which technologies and systems you will be able to rely on during a security breach. For example, if your email server has been breached and you need to isolate it on the network, you will not be able to rely on it to send communications. Also think of interdependencies that may be compromised. For example, if your Active Directory gets shut down by ransomware, collaboration tools like Teams that authenticate against it may not be available either. Once the team is assembled, it’s time to start addressing the incident.

Stop the Spread

Ideally, while you’ve been assembling, the systems have automatically started the response. Your primary tool here is an endpoint detection and response (EDR) product, which likely also participated in the detection of the intruder and was able to immediately execute the first priority: stop the spread. By running on endpoints in your environment, EDR is able to directly detect anomalous program executions and block them as soon as it determines something nefarious is going on.

If the EDR tool couldn’t detect the anomalous behavior before it executed, it may still be able to cut the system off from the network so that it cannot spread, receive instructions from command-and-control systems, or participate in data exfiltration. Partnering an EDR tool with a managed detection and response service (MDR), or extending it with technologies like SIEM and SOAR (XDR), can improve the speed with which the breach can be contained.

Unfortunately, the spread cannot always be contained. This is where having an infrastructure based on zero-trust architecture in place before an attack can be a huge asset, by limiting horizontal (lateral) spread between systems. In a worst-case scenario, you may have to disconnect the entire infrastructure from the internet or shut down the entire data center.

Cleaning Up

However drastic the containment efforts may need to be, you’ll then need to focus on cleaning out the infection. This may be a system-by-system hunt, but the approach is ultimately highly dependent on the type of infection, which is why flexibility in the plan is important. Consider having an incident response team contracted and on call to help with this effort.

If the infection has already spread widely, or it required a full data center shutdown, you may benefit from simply failing over the data center to your disaster recovery site. Cybersecurity incident response should closely align with, or simply be a special use case within, your business continuity and disaster recovery (BC/DR) plan. But we’re getting a bit ahead of ourselves, because this is part of the fifth phase. More on that in the next post in the series.

Incident Communications

In parallel with all of this, your organization will need to have a plan for communicating with your key stakeholders. You don’t want to leave key decisions around how and what you will communicate to employees, customers, partners, suppliers, legal counsel, law enforcement, and, possibly, the media until you’re in the heat of the moment. Understanding what different audiences need to hear, and when, may require coordinating with them during the planning phase. The legal reporting requirements you need to abide by definitely need to be known ahead of time.

Decisions about how often and in what depth you need to communicate will need to be defined, with the differences between audiences taken into account. The key is to communicate early so you don’t get caught letting someone else tell your customers and partners what’s going on. Finally, just like communication within the response team, don’t assume any given communications channel will be available. Have multiple ways to reach each of these groups.

Digital Forensics

To close out the Respond phase, you’ll need to address the analysis of the incident. Some of this happens as you go along, but every incident should end with an analysis of what happened, the timeline, the ramifications, and what can be done to prevent it in the future. To preserve and gather as much data as possible, your plan should identify the key data sources in advance. This will allow the entire team to gather the data you need to satisfy contractual, legal, and self-improvement obligations. Even if this data isn’t collected along the way, your team needs to make sure it isn’t destroyed as part of the mitigation efforts. Many companies choose to rely on an external digital forensics team to help with this planning and data gathering.
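The Stop the Spread, Incident Communications, and Digital Forensics sections above describe three steps that interact: isolating a host destroys volatile evidence, the EDR agent must stay reachable after isolation, and the channel you planned to notify people on may be the system that was breached. The following Python script is an added example, not code from the 11:11 Systems post, that models a containment playbook enforcing that ordering. It assumes IPv4 management networks, nftables as the host firewall, and a preference-ordered list of notification channels; every host name, address, artifact and channel in it is constructed for illustration.

```python
# Added example (not from the 11:11 Systems post): a minimal containment
# playbook that preserves volatile evidence before isolating the host, keeps
# only the EDR/management networks reachable, and notifies stakeholders over
# whichever planned channel the incident has not taken down.
import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Alert:
    host: str
    host_ip: str
    process: str
    detail: str


def evidence_manifest(artifacts: dict) -> dict:
    """SHA-256 each volatile artifact so its integrity can be shown later.
    Runs before isolation or shutdown, because those steps destroy it."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in artifacts.items()}


def isolation_rules(host_ip: str, mgmt_cidrs: list) -> list:
    """Host-firewall ruleset (nftables syntax) that drops everything except
    loopback and traffic to/from the IPv4 management networks the EDR needs."""
    ipaddress.ip_address(host_ip)                       # reject malformed input early
    nets = [ipaddress.ip_network(c, strict=True) for c in mgmt_cidrs]
    rules = ["table inet quarantine {",
             "  chain input { type filter hook input priority 0; policy drop;",
             "    iif lo accept"]
    rules += [f"    ip saddr {n} accept" for n in nets]
    rules += ["  }",
              "  chain output { type filter hook output priority 0; policy drop;",
              "    oif lo accept"]
    rules += [f"    ip daddr {n} accept" for n in nets]
    rules += ["  }", "}"]
    return rules


def pick_channel(preferred: list, unavailable: set) -> str:
    """First planned communication channel not affected by the incident itself."""
    for channel in preferred:
        if channel not in unavailable:
            return channel
    raise RuntimeError("no usable communication channel; fall back to the call sheet")


def run_playbook(alert: Alert, artifacts: dict, mgmt_cidrs: list,
                 channels: list, unavailable: set) -> dict:
    """Run the steps in the order a responder wants them (preserve, contain,
    communicate) and return a record suitable for the incident timeline."""
    timeline = []

    def log(step, **data):
        timeline.append({"step": step, "at": datetime.now(timezone.utc).isoformat(), **data})

    manifest = evidence_manifest(artifacts)             # 1. preserve before touching the host
    log("preserve_evidence", host=alert.host, artifacts=sorted(manifest))

    rules = isolation_rules(alert.host_ip, mgmt_cidrs)  # 2. contain, keep EDR reachable
    log("isolate_host", host=alert.host, rule_count=len(rules))

    channel = pick_channel(channels, unavailable)       # 3. notify out of band
    log("notify_stakeholders", channel=channel, summary=f"{alert.process}: {alert.detail}")

    return {"manifest": manifest, "rules": rules, "channel": channel, "timeline": timeline}


# Constructed sample input: one EDR alert, fake volatile artifacts, and a
# channel preference list in which email and Teams are down with the breach.
SAMPLE_ALERT = Alert("ws-042", "192.0.2.42", "rundll32.exe",
                     "execution from user temp directory blocked by EDR")
SAMPLE_ARTIFACTS = {"memory.img": b"<constructed memory image>",
                    "netstat.txt": b"tcp 192.0.2.42:49152 198.51.100.7:443 ESTABLISHED\n"}
MGMT_CIDRS = ["10.10.0.0/24"]
CHANNELS = ["email", "teams", "sms_tree"]
UNAVAILABLE = {"email", "teams"}

if __name__ == "__main__":
    result = run_playbook(SAMPLE_ALERT, SAMPLE_ARTIFACTS, MGMT_CIDRS, CHANNELS, UNAVAILABLE)
    print("\n".join(result["rules"]))
    for entry in result["timeline"]:
        print(entry["step"], {k: v for k, v in entry.items() if k not in ("step", "at")})
```

The ruleset is generated rather than applied, so the script is safe to run anywhere; in a real playbook the EDR or SOAR platform would push it to the endpoint. The point a practitioner should take from the ordering is that `evidence_manifest` runs before `isolation_rules`, and that the quarantine keeps the management network open so the same agent can later collect the disk image and receive the clean-up instructions.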

As you can see, there is a lot to be dealt with in a very fast, fluid, and high-pressure situation. Having tools like EDR and documented response plans in place before an incident occurs is critical to successfully navigating all of it.

Categories: Cybercrime, Ransomware, Security

Author: Brian Knudtson

In his 20-year career, Brian has experienced many different perspectives of the IT industry. He has worked as a value-added reseller, vendor and service provider in roles in web development, system administration, post-sales deployment, pre-sales architecting, public cloud design and technical marketing. Currently, Brian is the Director of Cloud Market Intelligence at 11:11. He enjoys spending time with his wife and three kids. He is also heavily involved with the Destination Imagination program and has been a long-time member of the VMware community, notably starting the Omaha VMUG and putting on VMunderground at VMworld. You can find him online occasionally blogging at http://knudt.net/vblog and tweeting at @bknudtson.
