Developing an incident management framework is vital for every organization that wants to maintain and strengthen its information security posture. Beyond drafting policies and procedures to guide incident management, the organization needs to prepare for and test these processes against the threats it actually faces. A key threat to most organizations is a ransomware attack, which not only denies access to data but also exposes the organization to further exploitation of its vulnerabilities.

[Figure: Incident Management phases]

The figure above outlines the major phases in incident management. These phases can be broken down further into smaller tasks that aid the creation of playbooks and SOC processes. Playbooks are technically unique, repeatable, and specific processes that guide security analysts through incident identification and response. They are created for specific incident types such as ransomware attacks, denial-of-service attacks, phishing attacks and man-in-the-middle attacks. For a ransomware attack, the playbook should be proactive rather than reactive.

A proactive approach ensures the playbook captures all the preparation measures needed to address an incident before it occurs. A reactive approach captures only the identification of and response to an incident once it has happened. The tools used in a reactive approach are traditional (rule-based) antivirus tools, whereas the proactive approach incorporates modern anti-malware and Security Information and Event Management (SIEM) solutions. A ransomware playbook has 5 major steps that must be followed for successful incident response and resolution. The diagram below outlines the key steps in developing a ransomware playbook:

[Figure: incident management steps]

From the sample diagram, the critical steps in a ransomware playbook can be broken down further into tasks assigned to specific individuals in a Security Operations Centre. Each team member has a role to play in making proactive incident management succeed. The steps above serve as a guideline for what the ransomware playbook needs to capture; however, the organization must fine-tune its playbook to fit the team structure and technology it currently has in place.

In conclusion, measuring the performance of incident management is vital to ensuring the organization's needs are met. In addition, the SOC team should regularly test its processes by simulating such incidents. These simulations confirm that the organization has the capability and competence to analyse malware and respond to ransomware attacks.
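To make the ideas above concrete, here is an added example (not code from the original post) of a ransomware playbook expressed as code: a SIEM-style correlation rule that flags a burst of file renames to one unusual extension on a single host, an incident record that walks generic response phases while enforcing which SOC role owns each phase, and a simulation that produces the timing metrics a SOC would track (time to detect, time to contain). The phase names, role names, the 20-renames-in-60-seconds threshold and the event log are all assumptions constructed for the example, not the post's diagram or any product's API.

```python
"""Ransomware playbook as code: SIEM-style detection, phase ownership, and
simulation metrics.  All data and names here are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed response phases and the SOC role that owns each one.  Preparation
# (backups verified, detection rules deployed) happens before any incident,
# so it is not a phase the incident record walks through.
PLAYBOOK = [
    ("identification", "tier1_analyst", "confirm alert, scope affected hosts"),
    ("containment", "tier2_analyst", "isolate hosts, disable affected accounts"),
    ("eradication", "ir_lead", "remove malware, close the entry vector"),
    ("recovery", "sysadmin", "restore from clean backups, monitor"),
    ("lessons_learned", "soc_manager", "post-incident review, update playbook"),
]
PHASE_OWNER = {phase: role for phase, role, _ in PLAYBOOK}

# Detection rule parameters (assumed values; tune to the environment).
RENAME_THRESHOLD = 20          # renames to the same new extension ...
WINDOW = timedelta(seconds=60)  # ... by one host inside this window

# Constructed SIEM events: one host renaming many files to ".locked"
# plus benign background activity that must not trigger the rule.
T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0 + timedelta(seconds=i), "host": "ws-042", "type": "file_rename",
     "old": f"report{i}.docx", "new": f"report{i}.docx.locked"} for i in range(25)
] + [
    {"ts": T0 + timedelta(seconds=10 * i), "host": "ws-007", "type": "file_rename",
     "old": f"draft{i}.tmp", "new": f"draft{i}.docx"} for i in range(3)
] + [
    {"ts": T0 + timedelta(seconds=5), "host": "ws-042", "type": "logon", "user": "alice"},
]


def _ext(name):
    """Lower-cased final extension of a file name ('' if none)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_burst(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Correlation rule: alert when one host renames >= threshold files to
    the same extension within `window`.  Returns one alert per (host, ext)."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_rename":
            by_key[(ev["host"], _ext(ev["new"]))].append(ev["ts"])
    alerts = []
    for (host, ext), stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):        # sliding time window
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "ext": ext,
                               "first_seen": stamps[start], "detected_at": ts})
                break
    return alerts


@dataclass
class Incident:
    host: str
    first_seen: datetime
    detected_at: datetime
    phase_done: dict = field(default_factory=dict)

    def complete_phase(self, phase, role, at):
        """Close a playbook phase; only the owning role may do so."""
        owner = PHASE_OWNER[phase]
        if role != owner:
            raise PermissionError(f"{phase} is owned by {owner}, not {role}")
        self.phase_done[phase] = at

    def metrics(self):
        """Performance measures a SOC would report after a simulation."""
        return {
            "time_to_detect_s": (self.detected_at - self.first_seen).total_seconds(),
            "time_to_contain_s": (self.phase_done["containment"] - self.detected_at).total_seconds(),
            "phases_completed": len(self.phase_done),
            "phases_total": len(PLAYBOOK),
        }


def run_simulation(events=SAMPLE_EVENTS, minutes_per_phase=15):
    """Tabletop run: detect, open an incident, close each phase in order
    with a constructed 15-minute cadence, and return the incident."""
    alerts = detect_encryption_burst(events)
    if not alerts:
        return None
    a = alerts[0]
    inc = Incident(a["host"], a["first_seen"], a["detected_at"])
    t = inc.detected_at
    for phase, role, _ in PLAYBOOK:
        t += timedelta(minutes=minutes_per_phase)
        inc.complete_phase(phase, role, t)
    return inc


if __name__ == "__main__":
    incident = run_simulation()
    print(incident.host, incident.metrics())
```

The rule keys on the destination extension rather than a known ransomware extension list, so a new family renaming files to an unseen suffix is still caught, while the benign `.tmp -> .docx` activity on the second host stays below the threshold. The role check in `complete_phase` is the code-level form of the post's point that each SOC member owns specific tasks; in a real SIEM or SOAR tool the same idea appears as approval gates on playbook steps.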