What is an Incident Response Plan?

W. Curtis Preston, Chief Technology Evangelist

You need a strong incident response plan to be prepared in the event of data loss, service outages, or other threats. But just exactly what is that? How do you develop one, and what is an incident response team? Where do you find one and hire them? How does cyber insurance figure into this? These and other questions are answered on this episode of No Hardware Required!

This week on No Hardware Required, we're talking about incident response plans and incident response teams.

My co-host is Stephen Manley, our CTO. Thanks for joining.

[00:00:14] W. Curtis Preston: Hi, and welcome to Druva's No Hardware Required podcast. I'm your host, W. Curtis Preston, AKA Mr. Backup. And I have with me a guy who says he's wearing a blue shirt today, but I swear it looks, he looks gray to me. Stephen Manley.

[00:00:27] Stephen Manley: Yanny or Laurel? Yanny. Or Laurel? Which

[00:00:31] W. Curtis Preston: Oh yeah.

[00:00:31] Stephen Manley: Remember the

[00:00:34] W. Curtis Preston: Yanny or Laurel, I do remember. I remember that one quite a bit. Um, and I remember hearing nothing but... people would hear nothing but the other. Um, yeah, I don't remember what one I, what one I heard. I think I tried really hard to hear the other one, but

[00:00:51] Stephen Manley: Yeah,

[00:00:52] W. Curtis Preston: You and I and, um, others around me, I dunno if you've noticed, we've been talking a lot about ransomware, and one of the things that comes up a lot when we talk is people say, you know, we say, well, you need a DR plan.

We knew that, right? You need a, a ransomware recovery plan. We knew that. There's this other thing that comes up a lot, and that is you need an incident response plan. And, uh, there are actually incident response firms. The only ones that come to mind for me when I think about that.

Is there any chance that you saw the movie Plane, this most recent movie with, uh, Gerard Butler in it?

[00:01:28] Stephen Manley: Sure. No, I saw, I saw the uh, I saw the previews for it, and it looked like a classic Gerard Butler movie, right? One of those where you go, this'll be awesome when I'm flying to India or the UK or something, and I'll watch it for two hours and then I'll get off the plane. I'm like, and someone will say, oh, what movies did you watch?

I'm like, can't remember. Looks like one of those.

[00:01:50] W. Curtis Preston: Well, in the movie he lands or, uh, he lands a plane, a commercial plane with a bunch of passengers on a random island in the Philippines, uh, due to problems that they had. And, um, so they kind of go off the radar, et cetera, and, and they bring in an incident response firm. This is what, see, I, I was gonna bring it back.

They bring in an incident response firm, and basically they had the guy and that guy coordinates everything and he suddenly basically owns the, you know, it's like he owns the company because he decides what anybody says about anything, what anybody does. They have to go through that guy first, you know?

Is that the kind of thing that we're talking about here, or is it something d.

[00:02:34] Stephen Manley: I'll tell you, I think, I think that's a lot of it. You know, you meet so many of these companies that are going through it. and, and I think deep down inside, if you told them there's someone coming who's gonna tell you what to do and how to do it and when to do it, and how it's gonna go, you know, before the incident they, oh, no, no, we don't, once the incident strikes, like, thank God you're here.

Please, please point us in the right direction. And, and, and I think a lot of it is because this is so much different than a disaster recovery or anything. People have been through that once they're mired in it, they realize, I just, I don't have the toolbox for this yet, so I, I mean, I, I don't necessarily think it's, it's literally a person who flies in and, and takes control.

But I do think, you know, you need some sort of plan in place of how are we going to do this? Because if you try to do it when the incident happens, uh, chickens with their head cut off, that sort of thing comes to.

[00:03:32] W. Curtis Preston: Right? I, I do think, I would think that there is, maybe not the same as the, the guy in the movie, but there are incident response firms that could be made available to you, uh, via your cyber insurance carrier. Uh, and, and by the way, that may be the, the best thing from the cyber insurance carrier. It's certainly not, it's no longer that they're gonna pay their ransom for you.

That's not really their purpose anymore. Their purpose is to help minimize the overall cost to the company and the overall impact on the company, which they might still be insuring. Um, and I know that part of that response could be, here's our IR team, they will help you.

Here's our cybersecurity team. They will help you. Um, so is, is, do you think the, the incident response plan is, this is like, you know, we talk often that the DR plan is a, is a subset of the ransomware recovery plan. Is the ransomware recovery plan a subset of the incident response?

[00:04:36] Stephen Manley: Oh, 100%. Uh, ju, just to give you some examples, some real world examples we've, we've had where people have got hit, um, you know, the very first thing that comes up and you think it's gonna be, oh, how do I recover? How do I get the business up and running? But some of the first questions are, do I pay the ransom or not?

What are the legal implications of me paying the ransom? That's not a recovery situation, that's a business decision. Um, what, what kind of communication do I do internally and externally? That's not a recovery decision. That's a, that's an internal comms decision. You know, what, what kind of legal exposure do I have?

When do I bring in and notify insurance? So, so, so much of the incident response plan is, is, is people and process. In some ways, I almost liken it to, for a while, back in the old days, we used to pretend that disaster recovery plans were business continuous plans. And then you'd meet an actual customer and they'd say, no.

A business continuance plan involves people and processes and things way outside of the technology. So we love that you're doing this part with the tech. Well, don't pretend you're covering my entire, my entire business continuance, because you seem a little silly.

[00:05:49] W. Curtis Preston: Right, right. Whether we're talking the incident response or the ransomware response, I do think that in addition to having these plans, it, you need other people that are not part of your world. And the key here is that the, again, whether they're IR people or RR people, they are people that this is what they do.

They know what's next, right? They know what not to do. They know, um, uh, you know, the things to say, you talked about publicly, they know what not to say. They know what you're legally required to say. Um, they know what you really don't want to say, uh, right? Um, and also from a ransomware perspective, um, I, I think again, there are, there are natural responses that I think a, a normie, if I can, if I can use that phrase, a normie would have. You just found out there's a massive ransomware infection, and a normal person might have some things in their response tool bag that a person who knows what they're doing, um, says, please don't do that. Right?

Like, for example, you know, let's say deleting all the logs. We know that that would be a really bad thing to do, right? Because we really want those logs. That's just an example of the kind of thing a person who knows ransomware knows. These are the things that, um, you know, that you're gonna have to.

[00:07:25] Stephen Manley: I can't name the customer, but to your point on deleting the logs, we did have a customer, um, that, that, uh, basically almost the very first thing they did, uh, was they deleted the logs. Now, they didn't do it intentionally by any stretch.

[00:07:40] W. Curtis Preston: Are you serious?

[00:07:42] Stephen Manley: Well, so, so, so what happened was they, they got infected and, and again, they didn't, they didn't really have a plan in place.

And when they got infected, um, you know, they looked at all the systems that, that had the infection. And this, this enterprising, well, I'm, well, I better just wipe these systems clean. Well, one of those systems was, so, so it was not a, I'm gonna go delete the logs. It was, I'm going to go get rid of all this ransomware.

Oh, maybe I should have thought that through a little bit more. To your point, it, it, it's, it's the people with the muscle memory that aren't gonna panic anymore. Those, those people who've been through this dozens to hundreds of times, they're just so valuable, so that you don't do some, cuz you may do more damage in your panicked response than, than the ransomware's doing.

[00:08:29] W. Curtis Preston: So what it sounds like, um, I think we're, we're in violent agreement that, you know, we need this incident response plan. And of course, the, the time to create an incident response plan, uh, is way before you need an incident response plan, right? It's sort of like, uh, the, the old Dramamine commercials, right?

You know, the time to take Dramamine is too late to take Dramamine. Um, you, you, you don't develop the plan in the midst of the disaster, right? You, you, you have meetings beforehand. You talk to your cyber insurance company, and you, you develop relationships or create contracts perhaps with these people who will, right.

We talk a lot on air. What do, what do you think the odds are that an average company or, or organization would get infected with ransomware these days?

[00:09:20] Stephen Manley: Oh man, the numbers, the numbers seem enormously high. I think the last I saw in the calculations was what, over a three year period, at least a third of the companies in the world are gonna get hit with ransomware of one form or another. So that's, again,

[00:09:35] W. Curtis Preston: you're, you're, you're reading more

[00:09:37] Stephen Manley: I'm low.

[00:09:38] W. Curtis Preston: magazines than I've read. I've read a lot worse than that. Uh.

[00:09:42] Stephen Manley: than that,

[00:09:43] W. Curtis Preston: Yeah, I, you know, um, I mean, again, I just contrasted with what I grew up with, right? I grew up from, with, in Florida with, with, uh, sinkholes and hurricanes. And, and unless you lived in, you know, lower, you know, southeast Florida and you knew you could get, you could count on a hurricane once a year.

Or if you lived in another part of the country, you're like, well, we're not Florida, right? We're not, we don't, we're outta hurricanes every year. Y, your odds were pretty low that a natural disaster would take you out, or a terrorist action. Those were, that was the other thing we were concerned with back in the day.

Um, but I don't think, I think if your, um, if your plan is based on, well, it's probably not gonna happen to us, um,

[00:10:30] Stephen Manley: Yeah.

[00:10:30] W. Curtis Preston: Maybe you should rethink that.

[00:10:32] Stephen Manley: Yeah. Yeah. I th, I think, I think that's, I think that's, that's definitely right. And, and, and I think the other one, um, and, and, and I, I finally started to see this turn, cuz it, cuz it used to always be like, every ransomware article, every ransomware podcast, every ransomware video started with, you know, it's not a question of if, it's a question of.

And, and, and, and, and, and while that's entirely true, I was pleased to see that now the opening lines have been: because you're going to get infected, the real question is how are you going to respond? Because if in fact you understand that as a question of when, then you really need to start thinking about your response, because prevention, you know, and, and you should absolutely do your best to try to prevent it.

I'm not saying, you know, open up the gates and say, come take me. But you've gotta be planning for the response, because "it's not gonna happen to me" is unrealistic, and everybody knows it.

[00:11:29] W. Curtis Preston: Yeah. And the other thing is that if you, you know, basically this is the concept of assumed breach, right? If you assume that you will at some point get infected in some way, uh, you know, at some point somebody's gonna click on the wrong email. Somebody's gonna take the wrong phone call. I mean, the number of phishing attacks I get on a pretty regular basis is pretty high.

Um, and somebody's gonna click on the wrong thing, and you will have, a ransomware infection somewhere in your environment. The question is, how will your systems respond? Right? How will your business respond? Hopefully, again, this is, I, I guess really what we're talking about is preparing in advance for all of this, preparing in it from a, you know, getting an IR firm, getting a cybersecurity firm that you can count on.

You can just basically call, it's time, come on. Right. For some reason I got this image of The Rock showing up. I don't know why, but, um, I don't think The Rock is gonna

[00:12:29] Stephen Manley: Like in San Andreas.

[00:12:31] W. Curtis Preston: Yeah, exactly.

[00:12:32] Stephen Manley: That'd be perfect, right?

[00:12:34] W. Curtis Preston: Yeah. The other advantage of having this discussion in, in advance and preparing your incident response plan is that these folks, again, that know ransomware will tell you, here are some other things that you can do in your network that will help your response be much better, right?

To detect that ransomware is happening. To detect that it's in, in one, there's one infected box, because if you can find out that it's infected, that you have an infected box and it's trying to work through your network, if you can find that out upfront, um, you know, why is this random Windows box reaching out to this, you know, DNS address that's 172 characters? Uh, that's not something somebody's typing. They're trying to access a command and control server, right? If you can, if you can do that, uh, in advance, then, um, I think that's the key to, to being, to responding successfully to a ransomware attack.

[00:13:32] Stephen Manley: I think the other thing that having an incident response plan helps you do, and, and I've seen this over and over again, is again, an incident response from a cyber attack is potentially the most cross-functional thing you're ever gonna do as a company. And, and so it becomes so critical that people understand what their roles and responsibilities are, because you don't want someone overreaching, again, doing something, uh, beyond their ca, capacity, beyond their scope and causing more trouble. But you also don't want someone, you know, with the alligator arms going, oh, I'm gonna catch, oh, no, I can't quite catch it. Uh, and, and, and so on. So, so helping people understand this is your role, this is your role, this is your role.

When, when the bad things happen, then everybody's at least got a general sense of, of what part they play. Because you don't need hero ball, but you also don't need, you know, my, my in-laws trying to reach for the check after a dinner.

[00:14:36] W. Curtis Preston: No, let, let me get it. Let me get it. Um, yeah, I was going, I, it, it took me a second for you to, for me to figure out what you meant by alligator arms. E, even growing up with alligators, I was like, oh, you mean, you mean like T-Rex arms, right?

[00:14:48] Stephen Manley: Exactly, exactly.

[00:14:50] W. Curtis Preston: T-Rex arms, not very helpful. Um, yeah, so basically it, it, so it's, it's a superset, uh, containing the ransomware recovery plan, the disaster recovery plan. And it includes things that have nothing to do with technology, right? It includes much more about people, um, and how people respond. And I think just to use a very, uh, recent example, how people respond to what's going on, um, can have a significant effect on how things go.

I'm thinking about SVB, um, right, because, without getting into all the stuff of what, what, what caused it and everything, what truly caused that run on the bank was a bunch of VCs saying, calling their companies and saying, get your money outta here now. Um, their money was never really, what it appears is their money never really was at any major risk.

It wasn't like these guys had done, gone a bunch of hedge funds or something. It was a bond thing. They had made a bad, dumb investment, but their, their investment was intact. But when you start, you know, panicking, uh, you create a run on the bank, which is what happened, uh, which is what can happen in a, a ransomware situation.

You want to have calm, cool people that have, um, you know, thought through this, um, and can help you, uh, go through it yourself as calmly as possible. I, I don't know if it's, I mean, I've been in the midst of some of those, not, not in the midst, not like, you know, at the center of a ransomware attack where I'm the one that's gonna lose their job if this go, if this goes poorly.

But I've been in the midst of some of, some of those other ones. Um, and it's high stress, right? Um, so you need, you need some dispassionate people to, I think, to help you along. And I think that's all, that's what that incident response is all about.

[00:16:53] Stephen Manley: What, what I like to tell our customers is, is, is when I get on the phone with someone that's in the middle of a ransomware, uh, attack, and they're in their, in their incident response, I tell people, I'm not talking to you on the worst day of your life. I'm talking to you on a succession of the worst days of your life.

And so the only way to get through that is, is to, is to have that plan in place, because it gets a whole lot darker before you start to see the light at the end of the tunnel. And you've just gotta be ready for that, and everybody's gotta be ready for that. So, you know, I hate to, yeah. I don't wanna end on a down note.

The good news is there, if you do it right, there is light at the end of the tunnel. Um, but, but this is not easy. This is, this will be the hardest thing you've ever done in your work life, most likely.

[00:17:41] W. Curtis Preston: Yeah. But it will be if you have a plan that you thought through when you are not in the middle of the, the heat of the battle. Uh, all right. Well, thanks for chatting about our latest topic.

[00:17:54] Stephen Manley: Love it. Be safe, everybody.

[00:17:55] W. Curtis Preston: Thanks to our listeners, and be sure to subscribe so that you don't miss an episode. And remember, here at Druva, there's no hardware required.