Sample Response Plan Outlines Steps
After a hospital was hit with a ransomware attack, the facility’s leadership asked Bruce Young, instructor of cybersecurity and information assurance at Harrisburg (PA) University to investigate the incident and develop an incident response plan to use if an attack happened again.
Young explained the root cause of the ransomware incident was a user accessing an infected website that prompted the user to update his Adobe Acrobat Reader.
“A dialog box stated the update was required to access the website content by clicking the ‘OK’ button. By clicking the ‘OK’ button, the user was allowed to view the website content, but unknowingly launched a ransomware attack that began infecting network drive shares, encrypting all files [to which] the user had access,” Young noted in his report. “Because the user was a high-level manager, access to network shares was extensive. Other network-shared directories were impacted, included any public shares and shares that had ‘everyone’ permissions.”
The user violated the hospital’s Acceptable Computer Usage policy, which states any company-owned devices are for business purposes only, and notes user activity is logged and can be monitored. The internet usage clearly indicated the website was not visited for business purposes.
Young used the NIST Computer Security Incident Handling Guide (NIST 800-61, 2012) to create the following incident response plan for the hospital.
• Identify the security incident.
A security incident will be identified either by a notification from the security information and event management system (SIEM) or by users notifying the service desk support personnel. Notification of an event will be assigned to the Cyber Security Incident Response Team (CSIRT), either through an automated security tool event or manually by service desk personnel. This will trigger the Security Incident Management Process for investigation by CSIRT.
• Notify CSIRT.
The automated SIEM alert service or service desk personnel will immediately send a notification email to CSIRT. Notification controls are established in the service desk application to assure service level agreements are met according to specified policy. The service desk application will immediately notify the CSIRT to begin investigating the security incident.
• Begin CSIRT investigation.
CSIRT will investigate the security incident to determine the extent of the incident and the resources required to identify, analyze, contain, and recover from it. CSIRT will also determine whether the security incident requires remediation of the application, network, or system infrastructure to ensure the incident is mitigated.
• Submit incident reporting form.
During its investigation, CSIRT will submit the Security Incident Reporting Form identifying the root cause of the incident in the appropriate required time frame as specified by the Security Incident Response policy.
• Complete investigation and report.
CSIRT will complete the security incident investigation and produce a final report. CSIRT will request any additional data required to complete the investigation.
• Complete forensic analysis.
CSIRT will complete the security incident investigation and confirm that all issues have been addressed, that remediation of the incident has been implemented, and that actions have been taken to ensure the systems are restored.
• Collect lessons learned and report.
CSIRT will collect lessons learned from all parties involved in the response, and the final report is distributed and filed. Any additional actions and security control measures needed to ensure the incident does not recur are identified for consideration (NIST 800-61, 2012).
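The pattern that drove the incident above (one account, extensive share access, 'Everyone' shares widening the blast radius) is also what the SIEM in the first step of the plan needs to alert on. The following is an added example, not code from Young's report or the NIST guide: a SIEM-style rule in Python that flags an account modifying many files across several shares within a short window. The audit events, user names and share paths are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _burst(user, start, share, acl, count, gap_seconds=1):
    """Build a run of constructed file-modification audit events:
    (timestamp, user, share, path, share ACL type 'group' or 'everyone')."""
    t0 = datetime.fromisoformat(start)
    return [(t0 + timedelta(seconds=i * gap_seconds), user, share, f"doc{i}.docx", acl)
            for i in range(count)]


# Constructed sample: a manager's account sweeps a departmental share and then a
# public share with 'Everyone' permissions; a clerk touches a few files normally.
EVENTS = (
    _burst("manager1", "2012-08-01T09:00:00", r"\\fs1\finance", "group", 15)
    + _burst("manager1", "2012-08-01T09:00:15", r"\\fs1\public", "everyone", 15)
    + _burst("clerk2", "2012-08-01T09:00:00", r"\\fs1\public", "everyone", 5)
)


def detect_mass_modification(events, window=timedelta(seconds=60),
                             min_files=20, min_shares=2):
    """Sliding-window check per account: flag any user that modified at least
    min_files files spanning at least min_shares shares inside `window`.
    Returns {user: {"files": n, "shares": [...], "everyone_shares": [...]}},
    keeping the largest burst seen for each flagged user."""
    by_user = defaultdict(list)
    for ts, user, share, path, acl in sorted(events, key=lambda e: e[0]):
        by_user[user].append((ts, share, path, acl))
    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            shares = {s for _, s, _, _ in span}
            if (len(span) >= min_files and len(shares) >= min_shares
                    and len(span) > alerts.get(user, {}).get("files", 0)):
                alerts[user] = {
                    "files": len(span),
                    "shares": sorted(shares),
                    # Shares open to 'Everyone' are the ones beyond the user's own
                    # role-based access, so the alert calls them out separately.
                    "everyone_shares": sorted({s for _, s, _, a in span if a == "everyone"}),
                }
    return alerts
```

Thresholds are illustrative; on a real file server they would be tuned against the normal modification rate per role before the rule is wired to the service desk notification described in the plan.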
REFERENCE
- Cichonski P, Millar T, Grance T, Scarfone K. Computer Security Incident Handling Guide (NIST Special Publication 800-61, Revision 2). NIST; August 2012.
SOURCE
- Bruce Young, Instructor, Cybersecurity and Information Assurance, Harrisburg (PA) University. Phone: (717) 304-3624. Email: [email protected].