In March 2018, a ransomware attack shut down significant digital operations for the City of Atlanta municipal court and law enforcement. But emergency response and utilities were unaffected, enabling millions of constituents relying on these essentials to continue life as usual during the incident.
How did Atlanta manage to keep these critical services up and running? They reverted to traditional methods of service provision in these departments as soon as the breach was detected. It was all part of a plan they’d put in place before the incident even happened. Their main priority was keeping as much business continuity as possible throughout a cyber incident.
According to Ria Aiken, Atlanta’s director of the Office of Emergency Preparedness, “A lot of municipalities and private-sector counterparts get so caught up in the response effort that they don’t recognize that as part of that response, you should immediately be thinking about how you are going to continue operations.”
This example shows why having an incident response plan in place is so critical for state and local governments. While Atlanta’s ransomware incident still affected some of its major operations, it could have been far worse for constituents if it had shut down critical infrastructure.
A robust cyber incident response plan can mean the difference between constituents and employees losing access to life essentials or minimal disruption and faster recovery.
There’s a good chance that your team is already aware of the importance of cyber incident response planning and which steps to take to do so (if not, we recommend checking out our guide on Building Effective Incident Response Procedures).
But because state and local government IT teams must work with limited resources and staff power, putting an excellent cyber incident response plan in place might seem like a pipe dream. Fortunately, budget-strapped government agencies can leverage practical and relatively low-cost/free tools, processes, and methodologies to create a scalable cyber incident response plan. Here are a few tips for implementing key aspects of a cyber incident response plan in a smart, cost-effective way.
Backups are essential to incident response, as they make it far easier to recover in the case of a ransomware attack. But keeping a copy of your entire environment in case of emergencies can be pricey. To save time and money, focus on backing up your most essential workflows and data rather than trying to keep the entire environment backed up.
Start by inventorying organizational assets like hardware, software, networks, endpoints, and users. Then categorize each by risk level. Consider using a free asset discovery and classification tool like Jupiter One. Then, you can use this asset inventory to pinpoint which specific assets should be backed up, and which aren’t a priority.
Next, run tabletop exercises where teams practice responding to hypothetical cyber incidents. This allows them to gauge the effectiveness of response plans and see where improvements are needed. Resources like Antisyphon Training offer financially conscious tabletop exercises.
Tabletop exercises present scenarios to teams, allowing them to practice responding to hypothetical cyber situations. These types of interactive training sessions enable teams to gauge the effectiveness of their incident response plan by implementing them in real-world scenarios. Teams can see where the response plan went well and where they can improve it as they practice responding to a hypothetical event such as a DDoS attack, ransomware, or insider threat.
As you establish your incident response process, consider automation options for every stage that will enable you to do more with less.. There are a few steps for automating each area of NIST’s incident response lifecycle (and Blumira offers support in all of them!). These automation steps include:
Lastly, take the time soon after an incident to review security reports and conduct a post-mortem. These post-incident reports should dive deep into the metrics, play-by-play timeline, and other details behind the incident. It’s a critical practice that allows your team to discuss how to improve the response process and avoid missteps in the future. Time-pressed teams will benefit from writing a meeting template ahead of time—so you can get to the point faster and cover all the critical details in a timely manner.
When figuring out where to begin with these incident response recommendations, expert support for your specific situation can be a huge help. Blumira provides time-effective, straightforward tooling and SecOps support at a fraction of the cost of enterprise tools. We specialize in supporting state and local governments, such as Crescent City, California, and Ottawa County, Michigan, with advanced detection and response.
According to Fritz Ludemann, Information Systems Administrator for Crescent City, “I was looking for a tool that would help automate security and fit the profile of our organization, a small municipality. I looked at a number of products, but they didn’t have the threat mitigation and reporting tools that Blumira had at an acceptable price point.”
Learn more about how Blumira’s cloud SIEM helps government entities meet NIST’s cybersecurity framework.