Cyber & IT Supervisory Forum - November 2023

a. Notifying incident response stakeholders. This is key. With the exception of perhaps the very smallest organizations, working through the incident response plan requires a concerted effort of various individuals and, in many cases, teams of individuals to perform certain duties prescribed in the plan. This may include designated IT response teams to handle containment and remediation, and communications teams to handle internal and/or external communications with customers, vendors, law enforcement, and regulators. Given the chaos present during an incident, it is absolutely essential that ALL parties understand their roles and responsibilities. This prevents critical tasks from being duplicated or overlooked completely when the response process is started. The organization must have a process to mobilize knowledgeable staff and teams to enable the most efficient and effective response.

b. Preventing or isolating ransomware (in this case) from spreading to other systems.

c. Mitigating any and all exploited vulnerabilities.

d. Implementing "out-of-band" communications to prevent potential threat actor use of secure sign-on (SSO) to access the organization's containment and remediation efforts.

e. Granting authority to a specific individual(s) to shut down a third party's access to the network. In the initial stages of the attack, the source of the infection may not be clearly understood. Management of third-party connections to the organization is essential to manage any additional risks coming from those connections, and to prevent the propagation of the ransomware between third-party vendor connections that might exist.

f. Implementing alternative strategies for connecting to critical third-party vendors in the event of an infection.

g. Immediately contacting federal law enforcement. Agencies such as the FBI and USSS have subpoena powers to access logs and other critical information quickly, possess knowledge of threat actor behaviors and ransomware variants, and may have access to decryption keys.

h. Performing threat hunting to minimize any additional "back-door risks" that might accompany the initial attack.

If any of these steps are outsourced to a third party, or the organization has a cyber insurance policy that provides breach coach assistance, of course, it would be prudent very early in the process to also:

i. Immediately notify legal counsel, as well as the cyber insurance company, if applicable.

j. Determine the scope of the infection by engaging specialized third parties or, if appropriately experienced, by using in-house or managed service provider resources.
