{"id":3457,"date":"2023-09-27T10:00:07","date_gmt":"2023-09-27T10:00:07","guid":{"rendered":"https:\/\/www.pax8.com\/blog\/?p=3457"},"modified":"2023-10-19T20:24:57","modified_gmt":"2023-10-19T20:24:57","slug":"cybersecurity-incident-response-guide","status":"publish","type":"post","link":"https:\/\/www.pax8.com\/blog\/cybersecurity-incident-response-guide\/","title":{"rendered":"Navigating cybersecurity incident response: a comprehensive guide for MSPs"},"content":{"rendered":"<p>In a world of constant and fast-paced technological advancement, combating evolving cybersecurity threats remains a top priority for businesses of all sizes. For small to medium-sized businesses (SMBs), the responsibility of safeguarding critical systems and their sensitive internal and customer data often falls to managed service providers (MSPs). As an MSP, you must be prepared to handle any cybersecurity incident that comes your way, both for your own organization and for your clients. This in-depth guide outlines the essential steps that MSPs should take to prepare for a cybersecurity incident and how to successfully navigate through cybersecurity incident response.<\/p>\n<h2>What is incident response?<\/h2>\n<p>First, we should define what an \u201cincident\u201d is. An incident occurs when a threat actor has made it past at least an organization\u2019s first level of defense and may have gained some access to data or systems.<\/p>\n<p>Thus, <a href=\"https:\/\/www.crowdstrike.com\/cybersecurity-101\/incident-response\/\" target=\"_blank\" rel=\"noopener\">incident response<\/a> refers to the approach and set of procedures that an organization follows when facing a cybersecurity incident or breach. 
It involves a series of coordinated actions and strategies aimed at minimizing the damage caused by the incident, restoring normal operations, and preventing future incidents of a similar nature.<\/p>\n<p>There may be smaller events that don\u2019t rise to the level of \u201cincident,\u201d when data hasn\u2019t been compromised. Those may be handled more quickly without a full incident response plan being enacted, although they should still be documented for reference in case a similar threat does become an incident.<\/p>\n<h2>What are the four stages of incident response?<\/h2>\n<p>Here are the four stages of incident response, according to the\u202f<a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-61r2.pdf\" target=\"_blank\" rel=\"noopener\">National Institute of Standards and Technology (NIST)<\/a>:<\/p>\n<ol>\n<li><strong>Identification:<\/strong> This entails detecting and confirming the occurrence of a security incident.<\/li>\n<li><strong>Containment:<\/strong> Next, you must isolate the affected systems and prevent the incident from spreading further.<\/li>\n<li><strong>Eradication:<\/strong> Once the threat is contained, you\u2019ll need to remove the root cause of the incident.<\/li>\n<li><strong>Recovery:<\/strong> Lastly, you need to restore affected systems, data, and services to their normal operational state.<\/li>\n<\/ol>\n<p>Before we delve further into these steps, we\u2019ll discuss what you should do to prepare for a cybersecurity incident\u2014because it\u2019s not a question of if, but <em>when<\/em> a compromise will happen.<\/p>\n<h2>How to prepare for a cybersecurity incident<\/h2>\n<p>When it comes to cybersecurity, it\u2019s not enough to have a set of security solutions in place. 
A robust incident response plan forms the bedrock of effective incident management.<\/p>\n<h3>Create an incident response plan<\/h3>\n<p>Using the four stages above, MSPs should collaboratively create a comprehensive incident response plan with their clients that is tailored to each client\u2019s unique business environment and operations. The plan should be a living document, continually updated to address emerging threats, technological advancements, and evolving regulatory requirements. Having a physical copy of the plan available will ensure it can be accessed no matter what machines or systems might be down.<\/p>\n<p>A successful <a href=\"https:\/\/questsys.com\/ceo-blog\/what-are-the-common-elements-of-an-incident-response-plan\/\" target=\"_blank\" rel=\"noopener\">incident response plan<\/a> should have the following:<\/p>\n<ol>\n<li>Goals<\/li>\n<li>Members of incident response team, plus roles and responsibilities<\/li>\n<li>Documentation of preparation and process<\/li>\n<li>Criteria for declaring a critical incident<\/li>\n<li>Processes for identification, containment, eradication, and recovery<\/li>\n<li>Post-incident evaluation and review<\/li>\n<\/ol>\n<h3>Help your clients develop a communications plan<\/h3>\n<p>In addition, you should encourage your clients to develop a <a href=\"https:\/\/www.travelers.com\/resources\/business-topics\/cyber-security\/crisis-communications-planning-for-a-data-breach#:~:text=For%20breaches%20that%20require%20notifying,Communicate%20on%20all%20available%20channels.\" target=\"_blank\" rel=\"noopener\">communications plan<\/a> ahead of time, in case of a major incident. You can work with your clients to iron out the technical language of this plan to minimize reputational damage. 
This plan should include guidelines and training for customer support, including tone, language, and FAQs.<\/p>\n<h3>Identify critical assets<\/h3>\n<p>Part of the incident response plan should be identifying the client\u2019s most valuable assets and critical data. This step enables MSPs to allocate resources judiciously during an incident, ensuring that essential functions remain operational and that your client\u2019s most valued end customer data is covered.<\/p>\n<p>Ideally, this step should be done well in advance of your incident response planning. Completing it beforehand is a great operational practice that allows for proper protection and response capabilities in time of need.<\/p>\n<h3>Include contact information and establish clear communication channels<\/h3>\n<p>You\u2019ll also need to <a href=\"https:\/\/www.unitrends.com\/blog\/incident-response-planning-for-msps\" target=\"_blank\" rel=\"noopener\">set up effective communication channels<\/a> to execute an incident response plan successfully. MSPs must establish dedicated and reliable communication channels with clients, stakeholders, and third parties, including vendors, lawyers, insurance, and press. Clearly defining contact information and roles and responsibilities for each party involved will ensure information flows seamlessly during an incident.<\/p>\n<p>Your backup communication channels likely will need to exist outside of your normal systems. For example, it\u2019s wise to have a method of encrypted communication that is not part of the same systems the threat actor may target. We\u2019ve learned from past incidents that threat actors may otherwise be reading every word of your communications during an incident.<\/p>\n<h3>Maintain ongoing training<\/h3>\n<p>A well-prepared team is an MSP\u2019s strongest asset when facing cyberthreats. 
Regular training and education for the entire team are essential to stay ahead of evolving threat landscapes.<\/p>\n<p>One of the best things MSPs can do is actually \u201ctabletop\u201d a security incident. This is akin to playing a game of \u201cDungeons &amp; Dragons,\u201d with engineers and other stakeholders instead of players rolling dice.<\/p>\n<p>To conduct a successful <a href=\"https:\/\/www.redlegg.com\/solutions\/advisory-services\/tabletop-exercise-pretty-much-everything-you-need-to-know\" target=\"_blank\" rel=\"noopener\">tabletop exercise<\/a>, first you\u2019ll have to identify and involve the key players. Then you can develop the scenario, which can involve anything from a simple phishing scam all the way up to sophisticated cyber criminals targeting vital company data. A facilitator will walk participants through the steps in the process, with each player detailing what actions they would take. The steps would include assessing the situation, identifying security and organizational implications, developing a course of action, reviewing resources, developing recommendations, and then detailing what actions should be taken.<\/p>\n<p>The point of the exercise is to identify holes in knowledge or process that should be rectified before a real incident occurs. Though it can be a relatively fun experience, it can also be quite stressful, and it is helpful to do several times before a real incident occurs.<\/p>\n<h3>Ensure basic cybersecurity health is maintained<\/h3>\n<p>Finally, adequate preparation for an incident comes down to your basic security health. Have you and your clients implemented the <a href=\"https:\/\/www.pax8.com\/blog\/implementing-cis-controls\/\" target=\"_blank\" rel=\"noopener\">CIS Critical Security Controls<\/a>? 
If you\u2019ve implemented this framework for best cybersecurity practices, both avoiding an incident and adequately responding to an incident will be much easier.<\/p>\n<p>It\u2019s always helpful to educate your clients to get involved and be part of their own security journey. Maintaining cybersecurity is a two-way street, and your clients will need to do their part as well.<\/p>\n<p>To fortify your clients\u2019 digital defenses, you\u2019ll also need to offer and encourage them to use <a href=\"https:\/\/www.pax8.com\/en-us\/marketplace\/?_marketplace_vendor_categories=security\" target=\"_blank\" rel=\"noopener\">cybersecurity solutions<\/a> covering <a href=\"https:\/\/www.comptia.org\/content\/articles\/what-is-cybersecurity#:~:text=The%20technology%20you'll%20use,routers%2C%20networks%20and%20the%20cloud.\" target=\"_blank\" rel=\"noopener\">categories<\/a> such as DNS filtering, malware protection, antivirus software, firewalls, and email security. And <a href=\"https:\/\/www.pax8.com\/marketplace\/continuity\" target=\"_blank\" rel=\"noopener\">continuity solutions<\/a> should also not be ignored, offering functions such as backup and disaster recovery and archiving. Having <a href=\"https:\/\/www.pax8.com\/blog\/why-msps-should-offer-continuity-solutions\" target=\"_blank\" rel=\"noopener\">both cybersecurity and continuity solutions<\/a> together ensures your clients are protected but can bounce back when an incident does occur.<\/p>\n<h2>Executing incident response<\/h2>\n<p>Once you\u2019re adequately prepared, it\u2019s time to take a look at what exactly to do when the real thing happens.<\/p>\n<h3>Identification<\/h3>\n<p>The first step of incident response is detecting and identifying the threat, which could be a data breach, unauthorized access, malware infection, or any other type of cyberthreat. 
<a href=\"https:\/\/www.securitymetrics.com\/blog\/6-phases-incident-response-plan\" target=\"_blank\" rel=\"noopener\">Identification<\/a> should answer the five W\u2019s of a security incident, such as:<\/p>\n<ul>\n<li>Who discovered the incident and how?<\/li>\n<li>What is the scope of the incident?<\/li>\n<li>When did the event happen?<\/li>\n<li>Where did the incident occur, and have any other areas of operation been impacted?<\/li>\n<li>Why did the incident occur?<\/li>\n<\/ul>\n<p>When it comes to detection, this is where all that prep work comes in handy. If you have properly identified key assets in your plan, your strengths and weaknesses via training exercises, and who needs to be involved in incident response, this will make early detection much easier because you\u2019ll know who, what, and where to check for issues.<\/p>\n<p>The earlier identification can be accomplished, the better, to minimize potential damage. If the threat is already at the stage of ransomware, you\u2019ll know that there\u2019s an issue with your threat detection efforts.<\/p>\n<p>If you\u2019ve identified a ransomware attack, do not simply restore from backup or even suggest paying the ransom. You\u2019ll need a team to help in those scenarios, either from an insurance company or a private incident response organization. Rules exist, such as sanctions by the OFAC (Office of Foreign Assets Control), that can get you or your clients into criminal trouble for paying a sanctioned entity.<\/p>\n<h3>Containment<\/h3>\n<p>In the event of an incident, MSPs must act swiftly to isolate affected systems. This helps prevent the spread of criminal access while minimizing further damage. Any malware that is discovered should be quarantined.<\/p>\n<p>You shouldn\u2019t close the computer down, delete all the impacted information, or destroy affected machines. This isn\u2019t recommended because you may lose key evidence in determining how, when, and why the incident occurred. 
It\u2019s often not enough to isolate a compromised asset. In fact, this may not be effective because the threat actor may still have access to other data and systems.<\/p>\n<p>You should, however, disconnect any affected devices from the internet. You can also update and patch your systems, review remote access and ensure multifactor authentication is being used, change user and administrative access credentials, and strengthen passwords.<\/p>\n<h3>Eradication<\/h3>\n<p>Once the threat is contained, it\u2019s time to eliminate it. Documenting everything from the first two steps of the process will give you the forensics you need to eradicate the threat.<\/p>\n<p>You must be detailed about removing any malware or artifacts from the attack so that no trace remains on your clients\u2019 systems. Without being thorough about this process, you may leave your clients\u2019 systems open to future attacks.<\/p>\n<h3>Recovery<\/h3>\n<p>If your client has a <a href=\"https:\/\/www.pax8.com\/marketplace\/continuity\" target=\"_blank\" rel=\"noopener\">backup and disaster recovery<\/a> solution in place, you\u2019ll be able to remove the threat without losing any data. You\u2019ll need a trusted backup to restore any data and systems in place, and you\u2019ll still need to monitor for a time to ensure further attacks do not occur.<\/p>\n<p>Oftentimes, you won\u2019t know when the threat actor compromised the system. Dwell time, or the amount of time a threat actor has access to a compromised system before the MSP detects a threat, is between 16 and 60 days. This means you\u2019ll need to use these backup and disaster recovery solutions to maintain longer backups because restoring a backup that is too recent could just give the threat actor renewed entry into the system. 
For best practice, maintain backups that go past 60 days, and regularly test them, as well.<\/p>\n<h2>After the incident<\/h2>\n<p>Though you may have successfully thwarted an attempted breach or helped your client through a difficult attack, your work isn\u2019t over.<\/p>\n<h3>Learn from the incident<\/h3>\n<p>You\u2019ll need to conduct an investigation both during and after an incident occurs. Proper documentation is necessary at every step of the incident. Gather your incident response team members and discuss anything you\u2019ve learned from the incident, whether it\u2019s identifying previously unknown weaknesses or discovering the need to fortify existing defenses. Determine what worked well in your response plan and where there were issues.<\/p>\n<h3>Regularly test and enhance your plan<\/h3>\n<p>Incidents should feed right back into your training mechanisms. Use real-life occurrences to inform routine testing and make continuous improvements to your plan. Even if you\u2019ve gone through the real thing, you should still conduct regular mock incidents to evaluate your evolving incident response plan.<\/p>\n<h2>Seek help from a trusted partner<\/h2>\n<p>At Pax8, we recognize the intricate challenges MSPs face in combating cybersecurity incidents. To start prepping, explore the <a href=\"https:\/\/www.pax8.com\/marketplace\/?_marketplace_vendor_categories=security\" target=\"_blank\" rel=\"noopener\">Pax8 Marketplace<\/a>, where you can access a curated selection of cutting-edge cybersecurity solutions designed to enhance your clients\u2019 security posture. And you can browse all our cybersecurity training courses on <a href=\"https:\/\/www.pax8.com\/academy\/\" target=\"_blank\" rel=\"noopener\">Pax8 Academy<\/a> to equip your team with the knowledge and skills they need to face any cybersecurity threat.<\/p>\n<p>It&#8217;s a lot to pull together, but we\u2019re here to help. 
Speak with one of our experts to get started, and you\u2019ll be on your way to skillfully navigating cybersecurity incidents in no time.<\/p>\n<p><a class=\"btn-primary\" href=\"https:\/\/www.pax8.com\/en-us\/explore\/cybersecurity\/\">See our cybersecurity resources<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Discover the essential steps for MSPs to prepare for and navigate cybersecurity incidents in this comprehensive guide.<\/p>\n","protected":false},"author":161,"featured_media":3459,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[85,5],"tags":[],"class_list":["post-3457","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-reduce-risk","category-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cybersecurity incident response guide | Pax8 Blog<\/title>\n<meta name=\"description\" content=\"Master the art of cybersecurity incident response with our comprehensive guide for MSPs. Protect your clients effectively and handle incidents with confidence.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.pax8.com\/blog\/cybersecurity-incident-response-guide\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A comprehensive guide to cybersecurity incident response\" \/>\n<meta property=\"og:description\" content=\"Protect your clients and navigate cybersecurity incidents like a pro. 
Our comprehensive guide for MSPs has you covered.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.pax8.com\/blog\/cybersecurity-incident-response-guide\/\" \/>\n<meta property=\"og:site_name\" content=\"Pax8 Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-27T10:00:07+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-10-19T20:24:57+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.pax8.com\/blog\/wp-content\/uploads\/sites\/13\/2023\/09\/pax8-incident-response-blog.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"afuller\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"A comprehensive guide to cybersecurity incident response\" \/>\n<meta name=\"twitter:description\" content=\"Protect your clients and navigate cybersecurity incidents like a pro. Our comprehensive guide for MSPs has you covered.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.pax8.com\/blog\/wp-content\/uploads\/sites\/13\/2023\/09\/pax8-incident-response-blog.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"afuller\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/\"},\"author\":{\"name\":\"afuller\",\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/#\\\/schema\\\/person\\\/d683ec1e81ff7e7b08a6679aa436ab82\"},\"headline\":\"Navigating cybersecurity incident response: a comprehensive guide for MSPs\",\"datePublished\":\"2023-09-27T10:00:07+00:00\",\"dateModified\":\"2023-10-19T20:24:57+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/\"},\"wordCount\":2051,\"publisher\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/13\\\/2023\\\/09\\\/pax8-incident-response-blog.jpg\",\"articleSection\":[\"Reduce risk\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/\",\"url\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/\",\"name\":\"Cybersecurity incident response guide | Pax8 
Blog\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/13\\\/2023\\\/09\\\/pax8-incident-response-blog.jpg\",\"datePublished\":\"2023-09-27T10:00:07+00:00\",\"dateModified\":\"2023-10-19T20:24:57+00:00\",\"description\":\"Master the art of cybersecurity incident response with our comprehensive guide for MSPs. Protect your clients effectively and handle incidents with confidence.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/13\\\/2023\\\/09\\\/pax8-incident-response-blog.jpg\",\"contentUrl\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/13\\\/2023\\\/09\\\/pax8-incident-response-blog.jpg\",\"width\":1200,\"height\":630,\"caption\":\"Pax8 Incident Response Blog\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/cybersecurity-incident-response-guide\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Navigating cybersecurity incident response: a comprehensive guide for 
MSPs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/\",\"name\":\"Pax8 Blog\",\"description\":\"Where IT pros go to keep up with the cloud\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/#organization\",\"name\":\"Pax8 Blog\",\"url\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/13\\\/2023\\\/03\\\/pax8-logo-white-blog-300x300-1.png\",\"contentUrl\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/wp-content\\\/uploads\\\/sites\\\/13\\\/2023\\\/03\\\/pax8-logo-white-blog-300x300-1.png\",\"width\":300,\"height\":300,\"caption\":\"Pax8 Blog\"},\"image\":{\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/#\\\/schema\\\/person\\\/d683ec1e81ff7e7b08a6679aa436ab82\",\"name\":\"afuller\",\"url\":\"https:\\\/\\\/www.pax8.com\\\/blog\\\/author\\\/afuller\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}