
Building an Effective Cybersecurity Incident Response Plan: Lessons from Real Breaches

Marwan Diallo
Senior Security Consultant
14 min read

Learn how to create a comprehensive incident response plan based on NIST SP 800-61 Rev. 3 guidelines and real-world breach scenarios. Includes ransomware response procedures and compliance requirements.

Why Every Organization Needs an Incident Response Plan

According to the IBM Cost of a Data Breach Report 2024, the average time to identify a breach is 207 days, with a mean time to contain of 73 days. Without a documented incident response plan aligned with [NIST SP 800-61 Rev. 3](https://csrc.nist.gov/pubs/sp/800/61/r3/final), your organization will waste critical time during an active incident, increasing damage and recovery costs.

The NIST Incident Response Lifecycle

This framework follows [NIST SP 800-61 Rev. 3: Computer Security Incident Handling Guide](https://csrc.nist.gov/pubs/sp/800/61/r3/final), the authoritative standard for incident response published by the National Institute of Standards and Technology.

1. Preparation

Build Your Incident Response Team:

- Incident Commander (CISO or Security Manager)
- Technical Lead (Senior Security Engineer)
- Communications Lead (PR/Legal)
- Business Stakeholder Representatives

Essential Tools and Access:

- SIEM platform (Microsoft Sentinel, Splunk)
- EDR consoles (CrowdStrike, Defender)
- Forensic analysis tools (EnCase, FTK)
- Secure communication channels (Signal, encrypted email)
- Pre-configured jump box for investigation

Documentation:

- Contact lists with 24/7 availability
- Escalation procedures
- Communication templates
- Legal and regulatory requirements checklist

2. Detection and Analysis

Detection Sources:

- SIEM alerts and correlation rules
- EDR behavioral analysis
- User reports of suspicious activity
- Threat intelligence feeds
- Third-party notifications (FBI, CISA)

Initial Triage Questions:

- What type of incident? (Malware, phishing, data breach, DDoS)
- What assets are affected?
- What is the potential impact?
- Is the incident still ongoing?
- What is the severity level?

Severity Classification:

Critical (P1): Active ransomware, data exfiltration, system-wide outage

- Response time: Immediate (< 15 minutes)
- Full IRT activation
- Executive notification

High (P2): Malware on multiple systems, suspected breach

- Response time: < 1 hour
- IRT activation
- Department head notification

Medium (P3): Isolated malware, suspicious activity

- Response time: < 4 hours
- Security team investigation
- Manager notification

Low (P4): Policy violations, false positives

- Response time: < 24 hours
- Standard ticket queue
- User notification

3. Containment, Eradication, and Recovery

Short-term Containment:

- Isolate affected systems (network disconnection)
- Disable compromised accounts
- Block malicious IPs/domains at firewall
- Preserve evidence (memory dumps, disk images)

Eradication:

- Remove malware and backdoors
- Patch vulnerabilities exploited
- Reset passwords for compromised accounts
- Rebuild compromised systems from clean backups

Recovery:

- Restore systems from verified clean backups
- Monitor for reinfection
- Phased restoration (critical systems first)
- Enhanced monitoring during recovery period

4. Post-Incident Activity

Post-Incident Review (Conduct within 7 days):

- What happened? (Timeline of events)
- What worked well?
- What could be improved?
- What new controls are needed?
- Update incident response plan

Documentation:

- Complete incident report
- Evidence preservation for legal proceedings
- Lessons learned document
- Cost analysis (downtime, recovery, reputation)

Ransomware-Specific Response Procedures

Detection Phase

Ransomware Indicators:

- Mass file encryption (.encrypted, .locked extensions)
- Ransom notes (README.txt, HOW_TO_DECRYPT.txt)
- Unusual CPU/disk activity
- Disabled security tools
- Shadow copy deletion

Immediate Actions (First 15 Minutes)

1. DO NOT shut down affected systems yet - volatile memory contains evidence
2. Capture memory dump if trained personnel available
3. Document everything - screenshots, notes, timestamps
4. Identify "Patient Zero" - where did it start?
5. Isolate network segments - prevent lateral spread

Investigation Phase

Key Questions:

- What ransomware family? (Use ID Ransomware tool)
- How did it enter? (Phishing email, RDP brute force, vulnerability)
- Has data been exfiltrated? (Double extortion)
- Are backups intact and offline?
- What is the ransom demand?

Decision: To Pay or Not to Pay

Factors to Consider:

- Data criticality and backup availability
- Downtime impact and revenue loss
- Legal and regulatory implications
- Insurance coverage
- Likelihood of successful decryption

[FBI IC3 and CISA Joint Advisory](https://www.cisa.gov/stopransomware) Recommendation: Do not pay ransom

- No guarantee of decryption (Coveware reports 20% of victims who pay still don't recover data)
- Funds criminal organizations
- You become a repeat target
- Report ransomware incidents to [FBI IC3](https://www.ic3.gov/) and [CISA](https://www.cisa.gov/report)

Compliance and Notification Requirements

HIPAA Breach Notification ([45 CFR §164.408](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))

Regulatory Authority: U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)

Trigger: Unauthorized access to ePHI affecting 500+ individuals

Deadlines:

- Individual notification: 60 days from discovery
- HHS OCR notification: 60 days from discovery
- Media notification: 60 days (if 500+ in same state or jurisdiction)

Report breaches: [HHS Breach Portal](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)

GDPR Breach Notification ([Article 33 & 34](https://gdpr-info.eu/art-33-gdpr/))

Regulatory Authority: EU Data Protection Authorities

Trigger: Personal data breach likely to result in risk to data subjects

Deadlines:

- Supervisory authority: 72 hours from becoming aware of breach
- Data subjects: Without undue delay (if high risk to rights and freedoms)

Note: Breaches must be documented even if not reportable to authorities

State Data Breach Laws

Varies by state, but common requirements:

- Notification to affected individuals
- Notification to state attorney general
- Notification to consumer reporting agencies (if 1,000+ residents)

Building Your Incident Response Playbooks

Complete Ransomware Response Playbook

Phase 1: Initial Detection (0-15 Minutes)

Detection Triggers:

- SIEM correlation rule: Mass file modification (>1,000 files in <10 minutes)
- EDR alert: Suspicious process execution (e.g., `vssadmin.exe delete shadows /all`)
- User report: Files inaccessible, desktop background changed to ransom note
- Security tool alert: Defender/CrowdStrike quarantine action on ransomware signature
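The first two triggers can be expressed as detection logic and run over endpoint telemetry. The Python detector below is an added example, not code from the article or any SIEM vendor: it implements the >1,000-files-in-10-minutes rule as a per-host sliding window, matches the shadow-copy-deletion command line, and flags the ransom-note names and extensions listed earlier, over constructed sample events (the host names, paths and pipe-delimited line format are assumptions).

```python
"""Detection logic for the ransomware triggers listed above, run over constructed
sample telemetry. Added example, not code from the article."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Thresholds from the playbook's SIEM rule: >1,000 file modifications in <10 minutes per host
MASS_MODIFY_THRESHOLD = 1000
MASS_MODIFY_WINDOW = timedelta(minutes=10)

# Indicators taken from the article's lists; extend with IOCs from your own investigation
RANSOM_EXTENSIONS = (".encrypted", ".locked", ".lockbit3", ".royal", ".alphv", ".blackcat")
RANSOM_NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt"}
RECOVERY_TAMPER_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
]


def parse_event(line):
    """Parse one constructed telemetry line: 'timestamp|host|kind|detail'.
    kind is 'file' (detail = path written) or 'process' (detail = command line)."""
    ts, host, kind, detail = line.rstrip("\n").split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}


def detect(lines):
    """Run all triggers over a stream of events (assumed time-ordered per host).
    Returns (timestamp, host, alert_name) tuples in firing order; per-host file
    alerts that would otherwise fire on every file are emitted once."""
    alerts = []
    windows = defaultdict(deque)   # host -> timestamps of file writes inside the window
    fired = set()                  # (host, alert_name) pairs already emitted

    def once(ts, host, name):
        if (host, name) not in fired:
            fired.add((host, name))
            alerts.append((ts, host, name))

    for line in lines:
        ev = parse_event(line)
        ts, host = ev["ts"], ev["host"]
        if ev["kind"] == "process":
            if any(p.search(ev["detail"]) for p in RECOVERY_TAMPER_PATTERNS):
                alerts.append((ts, host, "shadow_copy_or_recovery_tampering"))
            continue
        name = ev["detail"].lower().rsplit("\\", 1)[-1]
        if name in RANSOM_NOTE_NAMES:
            once(ts, host, "ransom_note_dropped")
        if name.endswith(RANSOM_EXTENSIONS):
            once(ts, host, "ransomware_extension_seen")
        q = windows[host]
        q.append(ts)
        while q and ts - q[0] >= MASS_MODIFY_WINDOW:   # drop writes older than the window
            q.popleft()
        if len(q) > MASS_MODIFY_THRESHOLD:
            once(ts, host, "mass_file_modification")
    return alerts


def sample_events():
    """Constructed telemetry: FS01 shows the full ransomware pattern, WS22 is benign."""
    base = datetime(2024, 6, 1, 2, 0, 0)
    lines = [f"{base.isoformat()}|FS01|process|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"]
    for i in range(1200):   # 1,200 files rewritten in 5 minutes
        ts = base + timedelta(seconds=i * 0.25)
        lines.append(f"{ts.isoformat()}|FS01|file|D:\\Shares\\Finance\\doc{i}.xlsx.lockbit3")
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()}|FS01|file|D:\\Shares\\Finance\\HOW_TO_DECRYPT.txt")
    for i in range(50):     # 50 ordinary edits spread over 50 minutes
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()}|WS22|file|C:\\Users\\alice\\Documents\\report{i}.docx")
    return lines


def run_sample():
    return detect(sample_events())


if __name__ == "__main__":
    for ts, host, alert in run_sample():
        print(f"{ts.isoformat()}  {host:<6} {alert}")
```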

Immediate Response Actions:

1. Alert Incident Commander - Page on-call security lead via PagerDuty/Opsgenie
2. Open incident ticket - Create P1 incident in ServiceNow/Jira with timestamp
3. Activate IR bridge - Dial emergency conference line, notify IR team members
4. Document everything - Capture screenshots of ransom notes, error messages, affected systems
5. Identify Patient Zero - Check SIEM for first encrypted file/affected system

Phase 2: Containment (15-60 Minutes)

Network Isolation:

```powershell
# PowerShell command to disable network adapters (run on affected system if accessible)
Get-NetAdapter | Where-Object {$_.Status -eq "Up"} | Disable-NetAdapter -Confirm:$false

# Alternative: Disable at switch/firewall level
# Preserve system powered on for forensic acquisition
```

Containment Checklist:

- [ ] Isolate affected systems (disable network adapter or VLAN quarantine)
- [ ] Disable affected user accounts in Active Directory
- [ ] Block C2 domains/IPs at firewall (check threat intel for IOCs)
- [ ] Disable VPN access for compromised accounts
- [ ] Take backups offline (disconnect NAS/backup appliances from the network)
- [ ] Disable RDP/SMB file shares network-wide (temporary)
- [ ] Enable enhanced logging on all endpoints
- [ ] Notify email admin to watch for phishing follow-ups

Evidence Preservation:

```powershell
# Capture volatile memory first (FTK Imager: File > Capture Memory > save to an external USB drive)
# Write all artifacts to external media where possible rather than to the affected disk

# Capture running processes
Get-Process | Export-Csv -Path "C:\IR\processes_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv" -NoTypeInformation

# Capture network connections
Get-NetTCPConnection | Export-Csv -Path "C:\IR\netstat_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv" -NoTypeInformation

# DO NOT shut down the system until memory has been captured
```

Phase 3: Investigation (1-4 Hours)

Ransomware Identification:

1. Upload ransom note to [ID Ransomware](https://id-ransomware.malwarehunterteam.com/)
2. Check encrypted file extension (.lockbit3, .royal, .alphv, .blackcat)
3. Review EDR telemetry for process tree, parent process, command-line arguments
4. Search SIEM logs for initial compromise vector:

```kql
// Microsoft Sentinel KQL: accounts with a burst of failed logons followed by a success
// (password spraying / RDP brute force as an entry vector)
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID in (4625, 4624) // Failed/successful logins
| where AccountType == "User"
| summarize FailedAttempts = countif(EventID == 4625),
            SuccessfulLogins = countif(EventID == 4624) by Account, IpAddress
| where FailedAttempts > 10 and SuccessfulLogins > 0
| project Account, IpAddress, FailedAttempts, SuccessfulLogins
```

Key Investigation Questions:

- Entry vector: Phishing email? RDP brute force? Vulnerability exploitation? Stolen VPN credentials?
- Dwell time: How long was attacker in network before deploying ransomware?
- Lateral movement: What other systems were accessed? Check domain controller logs for suspicious logins
- Data exfiltration: Double extortion? Check firewall logs for large outbound transfers
- Backup status: Are backups intact? Were Volume Shadow Copies deleted?
- Scope: How many systems affected? Which departments/business units?

Forensic Analysis:

```powershell
# Export Windows event logs for offline analysis
wevtutil epl Security "C:\IR\Security_$(hostname).evtx"
wevtutil epl System "C:\IR\System_$(hostname).evtx"
wevtutil epl "Windows PowerShell" "C:\IR\PowerShell_$(hostname).evtx"

# Check for suspicious scheduled tasks (common persistence)
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft\*"} |
    Export-Csv -Path "C:\IR\scheduled_tasks.csv" -NoTypeInformation

# Check for new or unexpected local accounts (backdoor)
Get-LocalUser | Where-Object {$_.Enabled -eq $true} |
    Select Name, SID, Enabled, LastLogon
```

Phase 4: Eradication (4-12 Hours)

Malware Removal:

1. EDR remediation: Use CrowdStrike/Defender to quarantine/remove malware on all affected systems
2. Scan entire environment: Deploy full antivirus scan across all endpoints
3. Remove persistence mechanisms:
- Delete malicious scheduled tasks
- Remove registry run keys: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
- Check WMI event subscriptions: `Get-WmiObject -Namespace root\subscription -Class __EventFilter`, then the same for `__EventConsumer` and `__FilterToConsumerBinding`
4. Patch vulnerabilities: Apply critical patches if vulnerability exploitation confirmed
5. Remove backdoors: Delete unauthorized user accounts, disable compromised service accounts

Credential Reset (CRITICAL - Do NOT skip):

```powershell
# Immediately reset every privileged account (adminCount = 1) to a random password
# and require a change at next logon; setting ChangePasswordAtLogon alone does not
# invalidate a password the attacker already holds
Get-ADUser -Filter {AdminCount -eq 1} | ForEach-Object {
    $user = $_
    $new = -join ((33..126) | Get-Random -Count 24 | ForEach-Object {[char]$_})
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true
}

# Reset the krbtgt account password twice (Golden Ticket mitigation), allowing
# replication to complete between resets, using Microsoft's New-KrbtgtKeys.ps1 script
# https://github.com/microsoft/New-KrbtgtKeys.ps1

# Purge the local ticket cache of the SYSTEM logon session (0x3e7) on this host;
# tickets already issued elsewhere remain valid until they expire after the krbtgt resets
klist purge -li 0x3e7

# Rotate service account passwords
# Disable accounts not actively used
```

Phase 5: Recovery (12-72 Hours)

Backup Restoration Plan:

1. Verify backup integrity:

```powershell
# Test restore small sample first
# Scan restored files with updated antivirus definitions
# Verify no encryption/corruption present
```

2. Prioritize system restoration order:
- Tier 1 (0-24h): Domain controllers, email servers, file servers, critical business apps
- Tier 2 (24-48h): ERP systems, databases, development environments
- Tier 3 (48-72h): End-user workstations, non-critical systems

3. Rebuild compromised systems from clean images (do NOT restore from backup if malware present)

4. Enhanced monitoring during recovery:

```kql
// Microsoft Sentinel: monitor for reinfection attempts during recovery
// Replace the placeholder IOC list with the note names/extensions identified in Phase 3;
// SecurityEvent lacks these columns, so only the Defender for Endpoint tables are unioned
let known_iocs = dynamic(["HOW_TO_DECRYPT.txt", ".lockbit3"]);
let recovery_tamper = dynamic(["vssadmin", "wbadmin", "bcdedit"]);
union DeviceProcessEvents, DeviceFileEvents
| where TimeGenerated > ago(7d)
| where FileName has_any (known_iocs)
    or ProcessCommandLine has_any (recovery_tamper)
    or InitiatingProcessCommandLine has_any (recovery_tamper)
| project TimeGenerated, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine,
    AccountName = coalesce(AccountName, InitiatingProcessAccountName)
```

Phase 6: Post-Incident & Reporting (72 Hours - 7 Days)

Ransom Payment Decision Matrix:

| Factor | Pay Ransom | Do NOT Pay |
| --------------------------- | ---------------------------------------- | ---------------------------------------- |
| Backup Status | No viable backups | Clean, tested backups available |
| Business Impact | Revenue loss >$X million/day | Acceptable downtime (<48 hours) |
| Data Exfiltration | Sensitive data posted on leak site | No exfiltration confirmed |
| Ransom Amount | <10% of restoration cost | >Cyberinsurance coverage limit |
| Decryption Success Rate | >80% success rate (per Coveware data) | <50% success rate for ransomware variant |
| Legal/Regulatory | Legal counsel approves | Sanctioned threat actor (OFAC violation) |
| Cybersecurity Insurance | Covered by policy | Not covered or exceeds deductible |
| FBI/CISA Recommendation | N/A - they always recommend "Do NOT Pay" | Report to [IC3.gov](https://ic3.gov) |

Important: Payment to sanctioned entities (e.g., Russian-linked groups) may violate [OFAC regulations](https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20201001). Consult legal counsel before payment.

Regulatory Notification Requirements:

HIPAA (Healthcare):

```text
Breach Determination:
- Was ePHI accessed/acquired/disclosed without authorization? YES → Breach
- Does "Low Probability of Compromise" exception apply? Assess using 4-factor analysis (45 CFR §164.402)

If Breach Confirmed (500+ individuals):
- Notify individuals: 60 days
- Notify HHS OCR: 60 days via https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- Notify media: 60 days (if 500+ in same state/jurisdiction)
- Annual report: <500 individuals → report within 60 days of following calendar year
```

GDPR (EU Personal Data):

```text
Breach Notification to Supervisory Authority:
- Deadline: 72 hours from awareness of breach
- Portal: Varies by member state (e.g., ICO UK: https://ico.org.uk/for-organisations/report-a-breach/)
- Required information:
  1. Nature of breach (categories and approximate number of data subjects)
  2. Name/contact of DPO or other contact point
  3. Likely consequences of breach
  4. Measures taken/proposed to address breach

Notification to Data Subjects (if high risk):
- Deadline: Without undue delay
- Method: Direct communication (email, letter)
- Exception: If "appropriate technical and organizational protection measures" applied (e.g., encryption)
```

State Breach Laws (varies by state):

Check [National Conference of State Legislatures (NCSL) Database](https://www.ncsl.org/technology-and-communication/security-breach-notification-laws) for specific state requirements.

Communication Templates:

Template 1: Internal Executive Notification (Within 1 Hour)

```text
SUBJECT: URGENT - Cybersecurity Incident Response Activated (P1)

EXECUTIVE SUMMARY:
At [TIME] on [DATE], we detected a ransomware incident affecting [X] systems in [DEPARTMENT/LOCATION].
The Incident Response Team has been activated and containment measures are underway.

CURRENT STATUS:
- Affected Systems: [NUMBER] servers, [NUMBER] workstations
- Business Impact: [SYSTEMS/SERVICES] unavailable
- Containment: Affected systems isolated, spread contained
- Data Impact: Under investigation - preliminary assessment suggests [NO DATA EXFILTRATION / POTENTIAL DATA LOSS]

IMMEDIATE ACTIONS TAKEN:
1. Isolated affected systems from network
2. Disabled compromised user accounts
3. Engaged cybersecurity insurance carrier
4. Preserved forensic evidence

NEXT STEPS (Next 4 Hours):
1. Complete forensic investigation (entry vector, scope)
2. Assess backup integrity and recovery timeline
3. Determine regulatory notification requirements
4. Prepare external communications (if required)

ANTICIPATED TIMELINE:
- Full investigation complete: [X] hours
- System restoration: [X] days
- Return to normal operations: [X] days

DECISION REQUIRED:
- [IF APPLICABLE: Approve engagement of external incident response firm ($X estimated cost)]
- [IF APPLICABLE: Approve notification to law enforcement (FBI, Secret Service)]

Next update: [TIME]

Incident Commander: [NAME]
Contact: [PHONE] | [EMAIL]
IR Bridge Line: [CONFERENCE NUMBER]
```

Template 2: Customer/Client Notification (Breach - Per GDPR/State Laws)

```text
SUBJECT: Important Security Notice - [COMPANY NAME]

Dear [CLIENT NAME],

We are writing to inform you of a cybersecurity incident that may have affected your personal information.

WHAT HAPPENED:
On [DATE], we identified unauthorized access to our systems involving [DESCRIBE SYSTEMS]. Upon discovery,
we immediately activated our incident response procedures, engaged cybersecurity experts, and notified law enforcement.

WHAT INFORMATION WAS INVOLVED:
Based on our investigation, the following types of information may have been accessed:
- [Names]
- [Email addresses]
- [Phone numbers]
- [DATE OF BIRTH / SSN / FINANCIAL DATA - as applicable]

WHAT WE ARE DOING:
- Secured affected systems and conducted forensic investigation
- Implemented additional security measures [DESCRIBE]
- Notified law enforcement and regulatory authorities as required
- Offering [12/24] months of complimentary credit monitoring and identity theft protection services through [PROVIDER]

WHAT YOU CAN DO:
- Enroll in complimentary credit monitoring: [LINK] | Enrollment code: [CODE] | Expires: [DATE]
- Place fraud alert with credit bureaus (Equifax, Experian, TransUnion)
- Monitor financial accounts for suspicious activity
- Be cautious of phishing emails claiming to be from [COMPANY] requesting personal information

FOR MORE INFORMATION:
We have established a dedicated helpline: [PHONE NUMBER] | Hours: [HOURS]
Additional information: [WEBSITE LINK]

We sincerely apologize for this incident and any inconvenience. Protecting your information is our highest priority,
and we are committed to preventing incidents like this in the future.

Sincerely,
[NAME]
[TITLE]
[COMPANY NAME]
```

Template 3: Media Statement (Proactive Disclosure)

```text
[COMPANY NAME] Statement on Cybersecurity Incident

[CITY, STATE] - [DATE] - [COMPANY NAME] identified a cybersecurity incident on [DATE] involving unauthorized
access to certain systems. Upon discovery, we immediately activated our incident response plan, engaged leading
cybersecurity experts, and notified law enforcement.

Our investigation is ongoing, but we have contained the incident and have no evidence of [ongoing unauthorized
access / misuse of customer data]. The security of customer information is our top priority, and we have
implemented enhanced monitoring and security measures.

[IF APPLICABLE: We are proactively notifying potentially affected individuals and offering complimentary credit
monitoring and identity theft protection services.]

We are cooperating fully with law enforcement and regulatory authorities. Additional information will be provided
on our website [URL] as it becomes available.

Media Contact: [NAME] | [PHONE] | [EMAIL]
Customer Inquiries: [PHONE NUMBER] | [HOURS]
```

Template 4: Employee Communication (Internal)

```text
SUBJECT: Important Security Incident Update - Action Required

Team,

I want to update you on a cybersecurity incident we experienced on [DATE] and what it means for you.

WHAT HAPPENED:
We detected [ransomware/unauthorized access] affecting [SYSTEMS]. Our IT and security teams immediately took action
to contain the incident. [AFFECTED SYSTEMS] may be unavailable for [TIME PERIOD] while we restore services.

WHAT WE NEED FROM YOU:
1. **Change your password immediately** for [SYSTEMS] when prompted
2. **Do NOT open email attachments** from unknown senders or unexpected emails from colleagues
3. **Report suspicious activity** to security@company.com or call [PHONE]
4. **Do NOT discuss this incident on social media** - refer media inquiries to [CONTACT]

WHAT TO EXPECT:
- Some systems may be slower than usual during recovery
- Additional security measures (e.g., MFA) may be required
- IT will provide regular updates via email and [COMMUNICATION CHANNEL]

We take this incident very seriously. We are working around the clock to restore services and prevent future incidents.

Thank you for your patience and cooperation.

[NAME]
[TITLE]
```

Template 5: Law Enforcement Notification (FBI IC3)

Report ransomware incidents to FBI Internet Crime Complaint Center: https://www.ic3.gov/

Required Information:

- Your contact information (name, title, email, phone)
- Company name, address, industry
- Date/time of incident discovery
- Incident description (ransomware family, entry vector)
- Ransom demand amount and payment method (Bitcoin wallet address)
- List of affected systems and data
- Whether ransom was paid
- Any threat actor communications (ransom notes, emails)

CISA Cyber Incident Reporting: https://www.cisa.gov/report

Secret Service (for financial crimes/BEC): Contact local field office

Complete Business Email Compromise (BEC) Playbook

Phase 1: Detection (0-30 Minutes)

Detection Triggers:

- Finance department reports suspicious wire transfer request
- Email admin notices unusual email rules (forwarding, deletion)
- User reports account acting strangely (sent emails not in Sent folder)
- Microsoft Defender for Office 365 alert: Unusual email forwarding rule created

Immediate Response Actions:

1. DO NOT approve wire transfer - If pending, immediately contact bank to recall/freeze
2. Disable compromised email account - Revoke all active sessions
3. Preserve evidence - Export mailbox (eDiscovery hold), audit logs, authentication logs
4. Check for email forwarding rules - Inbox rules, transport rules
5. Identify other compromised accounts - Check for similar activity patterns

Phase 2: Investigation (30 Minutes - 2 Hours)

Email Audit Log Review (Microsoft 365):

```powershell
# Connect to Exchange Online
Connect-ExchangeOnline

# Search for suspicious inbox rules (forwarding, redirecting, deleting)
Get-InboxRule -Mailbox user@company.com |
    Where-Object {$_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo -or $_.DeleteMessage} |
    Select Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, Priority

# Check for mailbox-level forwarding settings
Get-Mailbox user@company.com | Select ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxAndForward

# Review recent send activity; ClientIP lives inside the AuditData JSON, not in a top-level property
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType ExchangeItem -Operations Send,SendAs,SendOnBehalf `
    -UserIds user@company.com -ResultSize 5000 |
    Select CreationDate, Operations, UserIds, @{N='ClientIP';E={($_.AuditData | ConvertFrom-Json).ClientIP}}
```
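Rules pulled with Get-InboxRule still have to be judged one by one. The Python triage below is an added example, not the article's or Microsoft's code: it flags external forwarding/redirect, deletion, and the hiding of finance-related mail across a constructed rule set that mirrors Get-InboxRule's fields (company.com as the internal domain, and the folder and keyword lists, are assumptions).

```python
"""Triage of Exchange Online inbox rules for the BEC indicators above (external
forwarding/redirect, deletion, hiding of finance-related mail). Added example, not
the article's code; rule records are constructed to mirror Get-InboxRule output."""
import re

COMPANY_DOMAIN = "company.com"   # assumed internal domain; everything else is external
# Assumed: folders commonly used to hide mail from the mailbox owner
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
# Assumed: subject/body terms typical of the invoice and payment threads targeted in BEC
FINANCE_TERMS = re.compile(r"\b(invoice|payment|wire|bank|remit|password|mfa)\b", re.I)


def recipient_address(value):
    """Get-InboxRule renders recipients as 'Display Name [SMTP:user@domain]' or a bare address."""
    m = re.search(r"SMTP:([^\]\s]+)", value, re.I)
    return (m.group(1) if m else value).strip().lower()


def is_external(address):
    return "@" in address and not address.endswith("@" + COMPANY_DOMAIN)


def triage_rule(rule):
    """Return the list of findings for one rule (empty means nothing suspicious)."""
    if not rule.get("Enabled", True):
        return []
    findings = []
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for target in rule.get(field) or []:
            address = recipient_address(target)
            if is_external(address):
                findings.append(f"{field} -> external address {address}")
    hides_mail = bool(rule.get("MarkAsRead"))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
        hides_mail = True
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching messages to '{rule['MoveToFolder']}'")
        hides_mail = True
    terms = " ".join((rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or []))
    if hides_mail and FINANCE_TERMS.search(terms):
        findings.append("hides mail matching finance/credential terms")
    return findings


def triage_mailbox(rules):
    """Map rule Name -> findings for every rule that needs analyst attention."""
    result = {}
    for rule in rules:
        findings = triage_rule(rule)
        if findings:
            result[rule["Name"]] = findings
    return result


# Constructed rule set mirroring the fields Get-InboxRule returns
SAMPLE_RULES = [
    {"Name": "Finance filter", "Enabled": True, "SubjectContainsWords": ["invoice", "wire transfer"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Backup copy", "Enabled": True, "ForwardTo": ["Mailbox Copy [SMTP:mailbox-copy@example.net]"]},
    {"Name": "Cover during leave", "Enabled": True, "RedirectTo": ["Bob Smith [SMTP:bob@company.com]"]},
    {"Name": "Old cleanup", "Enabled": False, "DeleteMessage": True, "SubjectContainsWords": ["payment"]},
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
]


def run_sample():
    return triage_mailbox(SAMPLE_RULES)


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "->", "; ".join(findings))
```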

Authentication Log Review:

```powershell
# Azure AD sign-in logs (look for suspicious locations/IPs). The AzureADPreview module
# is deprecated; on current tenants use the Microsoft Graph equivalent:
#   Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'user@company.com'"
Get-AzureADAuditSignInLogs -Filter "userPrincipalName eq 'user@company.com'" |
    Where-Object {$_.CreatedDateTime -gt (Get-Date).AddDays(-30)} |
    Select CreatedDateTime, IPAddress, Location, DeviceDetail, Status
```

Key Investigation Questions:

- How was account compromised? Phishing? Credential stuffing? Malware keylogger?
- When did compromise occur? First suspicious login date
- What actions were taken? Email rules? Sent emails? Data access?
- Were other accounts accessed? Lateral movement to other mailboxes?
- Were any payments sent? Contact bank immediately if funds transferred

Phase 3: Containment & Eradication (2-6 Hours)

Account Remediation:

```powershell
# Revoke all active sessions (forces re-authentication)
Revoke-AzureADUserAllRefreshToken -ObjectId user@company.com

# Reset the password to a random value and require a change at next sign-in
# (never use a fixed or shared temporary password)
$tempPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object {[char]$_})
Set-AzureADUserPassword -ObjectId user@company.com `
    -Password (ConvertTo-SecureString $tempPassword -AsPlainText -Force) `
    -ForceChangePasswordNextLogin $true

# Remove forwarding/redirect inbox rules
Get-InboxRule -Mailbox user@company.com |
    Where-Object {$_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo} |
    Remove-InboxRule -Confirm:$false

# Disable mailbox-level forwarding
Set-Mailbox user@company.com -ForwardingAddress $null -ForwardingSMTPAddress $null

# Enable per-user MFA (MSOnline module); the requirement object must be built before use
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"
Set-MsolUser -UserPrincipalName user@company.com -StrongAuthenticationRequirements @($mfa)
```

Organization-Wide Controls:

1. Enable MFA for all users (especially executive/finance teams)
2. Implement email authentication (SPF, DKIM, DMARC)
3. Configure external email warning banners
4. Restrict auto-forwarding to external domains

```powershell
# Block auto-forwarding to external domains (Microsoft 365)
Set-RemoteDomain Default -AutoForwardEnabled $false
```

Phase 4: Recovery & Notification (6-24 Hours)

Financial Recovery:

1. Contact bank immediately - Request wire transfer recall (success rate decreases significantly after 24 hours)
2. File police report - Required for insurance claim
3. Report to FBI IC3 - Include transaction details, recipient bank info
4. Notify cyberinsurance carrier - File claim for financial loss

FBI IC3 BEC Reporting: https://www.ic3.gov/ → Select "File a Complaint" → Choose "Business Email Compromise"

Communication:

- Notify executive team and board (financial loss disclosure)
- Update finance team on enhanced verification procedures
- Train employees on BEC tactics (spoofing, social engineering)

Phase 5: Post-Incident Hardening

Enhanced Email Security Controls:

1. Payment verification procedures:
- All wire transfer requests >$X require verbal confirmation using known phone number (not email)
- Separate approval required for banking info changes
- Implement "dual authorization" for payments >$Y

2. Technical controls:
- Enable Microsoft Defender for Office 365 (anti-phishing, anti-spoofing)
- Configure alerts for suspicious inbox rules, email forwarding
- Implement Conditional Access policies (block legacy auth, require MFA for admin accounts)
- Enable mailbox auditing for all users

3. User training:
- Quarterly phishing simulations focusing on executive impersonation
- Finance team-specific training on BEC tactics
- "How to verify requests" quick reference guide

Complete Data Exfiltration Playbook

Phase 1: Detection (0-30 Minutes)

Detection Triggers:

- DLP alert: Sensitive file uploaded to personal OneDrive/Dropbox
- Microsoft Defender for Cloud Apps alert: Mass download (>500 files in 1 hour)
- SIEM correlation rule: Unusual data access pattern
- Manager reports employee resigned, accessed sensitive files before departure
- UEBA alert: User accessed files outside normal pattern

Immediate Response Actions:

1. Revoke user access - Disable account, revoke active sessions
2. Block external destinations - Block IP/domain at firewall if ongoing
3. Preserve evidence - DLP logs, file access logs, network traffic logs
4. Identify data scope - What files were accessed/exfiltrated?
5. Determine intent - Malicious (insider threat)? Accidental (work from home)?

Phase 2: Investigation (30 Minutes - 4 Hours)

File Access Log Review:

```powershell
# SharePoint/OneDrive file access (Microsoft 365); ObjectId and ClientIP sit inside the AuditData JSON
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations FileAccessed,FileDownloaded,FileSyncDownloadedFull `
    -UserIds user@company.com -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select CreationTime, Operation, ObjectId, ClientIP, ItemType |
    Export-Csv -Path "C:\IR\FileAccess_user.csv" -NoTypeInformation

# Windows file server access (Event ID 5145 - network share object access)
# Property order for 5145: 0 SubjectUserSid, 1 SubjectUserName (sAMAccountName, not UPN), 2 SubjectDomainName,
# 3 SubjectLogonId, 4 ObjectType, 5 IpAddress, 6 IpPort, 7 ShareName, 8 ShareLocalPath, 9 RelativeTargetName
Get-WinEvent -FilterHashtable @{
    LogName='Security'
    ID=5145
    StartTime=(Get-Date).AddDays(-7)
} | Where-Object {$_.Properties[1].Value -eq 'user'} |
    Select TimeCreated,
        @{N='ClientIP';E={$_.Properties[5].Value}},
        @{N='ShareName';E={$_.Properties[7].Value}},
        @{N='RelativePath';E={$_.Properties[9].Value}}
```

Network Traffic Analysis:

```kql
// Azure Sentinel: large outbound file transfers in firewall (CEF) logs
// The CommonSecurityLog column is CommunicationDirection; its value ("outbound", "1", ...) depends on the firewall vendor
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceAction == "allowed"
| where CommunicationDirection =~ "outbound"
| where SentBytes > 100000000  // 100 MB in a single session
| summarize TotalBytes = sum(SentBytes), TransferCount = count() by SourceUserName, DestinationIP, DestinationPort
| where TotalBytes > 1000000000  // 1 GB total
| project SourceUserName, DestinationIP, DestinationPort, TotalGB = TotalBytes / 1073741824.0, TransferCount
```

DLP Alert Triage:

| Alert Type | Risk Level | Immediate Action |
| ---------------------------- | ---------- | ---------------------------------------- |
| Personal email (Gmail, etc) | HIGH | Block email, revoke access, investigate |
| Cloud storage (Dropbox, etc) | HIGH | Block domain, revoke access, investigate |
| USB drive | MEDIUM | Disable USB ports, retrieve device |
| Print sensitive document | LOW | Review justification, manager approval |
| Internal SharePoint site | LOW | Verify legitimate business need |

Key Investigation Questions:

- Who: User identity, role, department, tenure
- What: What files/data accessed? Classification level (Public, Internal, Confidential, Restricted)?
- When: Time of access, single event or pattern over time?
- Where: Internal network or remote? Geographic location anomaly?
- Why: Legitimate business need? Impending resignation? Disgruntled employee?
- How: Method of exfiltration (email, USB, cloud storage, screenshot/camera)?

Phase 3: Containment (1-2 Hours)

User Account Actions:

```powershell
# Disable the account (do NOT delete - deletion destroys the SID and evidence)
# -Identity accepts sAMAccountName/DN/SID/GUID, not a UPN, so resolve the user first
$user = Get-ADUser -Filter {UserPrincipalName -eq 'user@company.com'}
Disable-ADAccount -Identity $user

# Revoke all active sessions (Azure AD)
Revoke-AzureADUserAllRefreshToken -ObjectId user@company.com

# Remove from sensitive groups (if insider threat suspected)
Remove-ADGroupMember -Identity "Sensitive_Data_Access" -Members $user -Confirm:$false
```

Network-Level Blocks:

```powershell
# Block personal cloud storage domains (firewall/proxy)
# Common domains: dropbox.com, drive.google.com, onedrive.live.com, box.com, wetransfer.com
# Configure web filtering policy or firewall rules

# Disable USB storage (Group Policy for all users)
# Computer Configuration > Administrative Templates > System > Removable Storage Access
# "All Removable Storage classes: Deny all access" = Enabled
```

Phase 4: Damage Assessment & Notification (2-24 Hours)

Data Classification Review:

Determine if exfiltrated data triggers regulatory notification:

| Data Type | Regulation | Notification Required? |
| ---------------------------- | ------------------------ | ----------------------- |
| Patient health records (PHI) | HIPAA | Yes (500+ individuals) |
| EU resident personal data | GDPR | Yes (if high risk) |
| PII with SSN/Financial data | State laws | Yes (varies by state) |
| Trade secrets | Defend Trade Secrets Act | No (civil matter) |
| Customer lists (no PII) | None | No (business risk only) |
| Internal policies/procedures | None | No |

Legal & HR Coordination:

- If employee: Notify HR, legal counsel (potential termination, civil action)
- If contractor: Notify vendor management, review contract terms
- If external attacker: Notify law enforcement, consider civil/criminal action

Notification Templates: Use templates from Ransomware Playbook section above for customer/regulatory notifications

Phase 5: Post-Incident Hardening

Technical Controls:

1. Enhanced DLP policies:

```powershell
# Microsoft Purview DLP policy example: Block upload to personal cloud storage
# These cmdlets run in a Security & Compliance PowerShell session
Connect-IPPSSession

$SensitiveInfoTypes = @(
    @{Name="Credit Card Number"},
    @{Name="U.S. Social Security Number (SSN)"},
    @{Name="U.S. Bank Account Number"}
)

New-DlpCompliancePolicy -Name "Block Upload to Personal Cloud Storage" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode Enforce

New-DlpComplianceRule -Name "Block Sensitive Info to Personal Cloud" `
    -Policy "Block Upload to Personal Cloud Storage" `
    -ContentContainsSensitiveInformation $SensitiveInfoTypes `
    -BlockAccess $true -NotifyUser Owner
```

2. Conditional Access policies:
- Require MFA for all users accessing sensitive SharePoint sites
- Block download on unmanaged devices
- Restrict access from specific countries (if no business need)

3. File classification:
- Implement Azure Information Protection (AIP) sensitivity labels
- Require user to classify documents upon creation
- Auto-classification rules for known sensitive patterns

4. Monitoring enhancements:
- UEBA baseline for "normal" data access patterns per user/role
- Alert on bulk file access (>100 files in <1 hour)
- Alert on file access outside business hours (evenings/weekends)
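The monitoring rules under item 4, as an added example that is not code from the article: a small Python detector that applies the bulk-access threshold (more than 100 files in under an hour), the off-hours check and a per-user daily baseline to constructed audit lines. The log format, the business hours (08:00 to 18:00 local) and the 3x baseline multiplier are assumptions made for this example.

```python
"""Added example (not from the article): the three monitoring rules from the
Post-Incident Hardening section (bulk file access, off-hours access, and a
per-user UEBA-style baseline), run over a constructed audit log.

Log format is constructed for this example, one event per line:
    <ISO-8601 timestamp> <user> <operation> <file path>
In a real deployment the events would come from the SIEM (for example the
Microsoft 365 unified audit log or file-server object access auditing)."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

BULK_THRESHOLD = 100                 # ">100 files in <1 hour" from the article
BULK_WINDOW = timedelta(hours=1)
BUSINESS_START = time(8, 0)          # assumed business hours, local time
BUSINESS_END = time(18, 0)
BASELINE_MULTIPLIER = 3.0            # assumed: day count vs user's prior daily average


def parse_event(line):
    """Split one audit line into (timestamp, user, operation, path)."""
    ts, user, op, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, op, path


def is_off_hours(ts):
    """Weekend, or a weekday outside BUSINESS_START..BUSINESS_END."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def detect(lines):
    """Return alert tuples (rule, user, ISO date), at most one per rule/user/day."""
    events = sorted(parse_event(line) for line in lines)
    alerts = []
    fired = set()                                   # (rule, user, day) already raised
    recent = defaultdict(deque)                     # user -> timestamps in trailing window
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> file count

    def raise_once(rule, user, day):
        if (rule, user, day) not in fired:
            fired.add((rule, user, day))
            alerts.append((rule, user, day))

    for ts, user, _op, _path in events:
        day = ts.date().isoformat()
        daily[user][day] += 1
        if is_off_hours(ts):
            raise_once("off_hours", user, day)
        window = recent[user]
        window.append(ts)
        while ts - window[0] > BULK_WINDOW:         # drop events older than the window
            window.popleft()
        if len(window) > BULK_THRESHOLD:
            raise_once("bulk_access", user, day)

    # UEBA-style baseline: compare each day against the user's own earlier days
    for user, counts in daily.items():
        days = sorted(counts)
        for i in range(1, len(days)):
            prior_avg = sum(counts[d] for d in days[:i]) / i
            if counts[days[i]] > BASELINE_MULTIPLIER * prior_avg:
                raise_once("baseline_deviation", user, days[i])
    return alerts


def build_sample_log():
    """Constructed sample: alice's normal week, then a bulk pull on Friday;
    bob works late on Thursday night and signs in on Saturday night."""
    lines = []

    def add(user, start, count, step, path="/fileshare/projects/doc"):
        for i in range(count):
            ts = start + i * step
            lines.append(f"{ts.isoformat()} {user} FileAccessed {path}{i}.docx")

    for d in range(6, 10):                          # Mon 6 Jan .. Thu 9 Jan 2025
        add("alice", datetime(2025, 1, d, 9, 0), 20, timedelta(minutes=1))
    add("alice", datetime(2025, 1, 10, 10, 0), 150, timedelta(seconds=10))
    add("bob", datetime(2025, 1, 8, 14, 0), 5, timedelta(minutes=2))
    add("bob", datetime(2025, 1, 9, 23, 30), 2, timedelta(minutes=1))
    add("bob", datetime(2025, 1, 11, 22, 0), 3, timedelta(minutes=1))
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```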

Process Controls:

- Pre-termination checklist: Revoke access before notifying employee of termination
- Access reviews: Quarterly review of sensitive data access (who has access, is it still needed?)
- Privileged access management (PAM): Just-in-time access for sensitive systems
- Data minimization: Archive/delete data no longer needed for business purposes

Testing Your Incident Response Plan

Tabletop Exercise Scenarios (Quarterly)

Purpose: Walk through incident response procedures in a low-pressure environment to identify gaps, clarify roles, and improve coordination. No technical systems involved.

Duration: 90-120 minutes

Participants:

- Incident Commander (CISO/Security Manager)
- Technical Lead (Security Engineer)
- IT Operations Manager
- Legal Counsel
- Communications/PR Lead
- HR Representative
- Finance/Accounting Manager
- Executive Sponsor (CIO/CTO)

---

Tabletop Scenario 1: Ransomware Attack on File Servers

Facilitator Guide:

Setup (5 minutes):

"Welcome to today's tabletop exercise. We will simulate a ransomware incident affecting our file servers. This is a no-fault exercise—the goal is to identify gaps in our procedures and clarify roles. I will present the scenario in phases, and we'll discuss how we would respond. Please stay in character for your role."

Phase 1: Initial Detection (10 minutes)

Inject: "It's Monday, 9:15 AM. The help desk receives 5 calls from users reporting they cannot access files on the shared drive. Files have extensions like `.encrypted` and there's a text file on desktops titled `HOW_TO_DECRYPT.txt`. IT confirms the file server shows high CPU usage and mass file modification."

Discussion Points:

- Who do you notify first? (Incident Commander, IT Manager, CISO)
- What is your immediate action? (Do NOT shut down server, isolate network, preserve evidence)
- What information do you need to gather? (Affected systems, ransom note contents, user reports)
- What priority level is this incident? (P1 - Critical)
- Who activates the IR team? (On-call security lead via PagerDuty)

Expected Gaps/Issues:

- Confusion about who has authority to isolate systems
- Lack of pre-configured conference bridge for IR team
- No defined "Patient Zero" identification process

Phase 2: Investigation (15 minutes)

Inject: "Your security team identifies the ransomware as LockBit 3.0. Initial analysis suggests entry via a phishing email opened by a user in Accounting 3 days ago. The email contained a malicious Excel macro. EDR shows the attacker moved laterally to the file server using compromised domain credentials. Approximately 250 GB of files are encrypted. Volume Shadow Copies have been deleted. The ransom note demands $500,000 in Bitcoin within 72 hours or files will be permanently deleted and data leaked on the dark web."

Discussion Points:

- How do you determine if data was exfiltrated? (Check firewall logs for large outbound transfers, analyze attacker activity)
- What is your backup status? (When was last backup? Is it intact and offline?)
- Do you contact law enforcement? (Yes - FBI IC3, local FBI field office)
- Do you notify cyber insurance? (Yes - within timeframe specified in policy, typically 24-48 hours)
- How do you communicate with affected users? (Email template, internal portal, manager briefings)

Expected Gaps/Issues:

- Backup testing procedures unclear ("we think backups work")
- No documented process for determining data exfiltration
- Confusion about when to notify customers/regulators
- No pre-established relationship with forensic firm

Phase 3: Decision Point - Ransom Payment (20 minutes)

Inject: "Your IT team confirms backups are intact but last backup was 4 days ago—you'll lose 4 days of work. Estimated recovery time is 48-72 hours. Finance calculates the business impact at $250,000/day in lost productivity. Your cyber insurance policy covers up to $1M for ransomware, including ransom payment (after $100K deductible). Legal counsel notes that LockBit 3.0 is a Russian-linked group—payment may violate OFAC sanctions. The FBI recommends NOT paying."

Discussion Points:

- Do you pay the ransom? Why or why not? (Consider: backup availability, OFAC sanctions, FBI guidance, decryption success rate)
- Who makes the final decision? (CEO/Board with input from CISO, legal, insurance)
- If you pay, how do you facilitate Bitcoin payment? (Crypto exchange, insurance carrier assistance)
- What if the attacker doesn't provide decryption key after payment? (Common occurrence—no recourse)
- What is your communication strategy to employees? (Transparency about incident, "we're working on restoration")

Expected Gaps/Issues:

- No defined decision-making authority for ransom payment
- Lack of understanding of OFAC sanctions risk
- No established Bitcoin payment process
- Confusion about insurance coverage terms

Phase 4: Recovery & Notification (15 minutes)

Inject: "You decide NOT to pay the ransom and proceed with backup restoration. IT estimates 24 hours to restore Tier 1 systems, 48 hours for full recovery. On Day 3, the ransomware group posts a sample of your data on their leak site, including 50 patient health records with names, dates of birth, and diagnoses. You confirm your organization is a HIPAA-covered entity."

Discussion Points:

- What regulatory notifications are required? (HIPAA breach notification - 60 days to notify individuals, HHS, media if 500+)
- Who drafts the breach notification letter? (Legal counsel, Privacy Officer, PR/Communications)
- What credit monitoring do you offer affected individuals? (12-24 months, identity theft protection)
- How do you communicate with media? (Prepared statement, designate spokesperson)
- What do you tell customers/partners? (Proactive disclosure, impact assessment, remediation steps)

Expected Gaps/Issues:

- No breach notification letter template available
- Confusion about 72-hour GDPR deadline vs 60-day HIPAA deadline
- No established vendor for credit monitoring services
- No designated media spokesperson or PR firm on retainer

Phase 5: Post-Incident Review (10 minutes)

Discussion Points:

- What went well in our response? (Team coordination, decision-making)
- What gaps did we identify? (Communication templates, backup testing, OFAC awareness)
- What technical controls should we implement? (MFA, email filtering, EDR, offline backups)
- What process improvements are needed? (Backup verification, phishing training, access reviews)
- Who is responsible for action items, and what are the deadlines? (Assign owners, 30/60/90-day milestones)

Facilitator Wrap-Up (5 minutes):

"Thank you for participating in today's exercise. We identified several strengths and opportunities for improvement. I'll compile a report with action items and owners by end of week. Our next tabletop exercise will be in Q3. Questions or feedback on today's session?"

Post-Exercise Deliverables:

- After-Action Report (AAR) with findings and recommendations
- Action item tracker with owners and deadlines
- Updated incident response plan with lessons learned
- Training plan for gaps identified (e.g., OFAC sanctions, backup testing)

---

Tabletop Scenario 2: Business Email Compromise (BEC) Targeting Finance

Facilitator Guide:

Phase 1: Initial Detection (10 minutes)

Inject: "It's Friday, 4:45 PM. Your Accounts Payable Manager, Jennifer, receives an email that appears to be from your CEO, requesting an urgent wire transfer of $450,000 to a 'vendor' for a confidential acquisition. The email says the Board has approved this, and speed is critical to close the deal before Monday. Jennifer notices the email is slightly odd—the CEO usually calls for large payments, and the sender's email is `ceo@companyname.com` instead of the usual `ceo@company.com` (extra 'name'). She forwards it to you, the CFO, asking if it's legitimate."

Discussion Points:

- What is your immediate action? (Do NOT approve payment, verify with CEO via known phone number)
- How do you verify legitimacy? (Call CEO directly using phone number from company directory, NOT from email)
- Is this a security incident? (Yes - attempted BEC, activate IR team)
- What information do you gather? (Email headers, sender IP, any other suspicious emails)
- Who do you notify? (Security team, IT, Legal)

Expected Gaps/Issues:

- Unclear payment verification procedures (who approves wire transfers?)
- Finance team not trained to recognize BEC tactics
- No "out-of-band verification" policy documented

Phase 2: Escalation & Investigation (15 minutes)

Inject: "You call the CEO—he did NOT send this email and knows nothing about an acquisition. Your security team analyzes the email headers and determines it was sent from an external IP in Nigeria. However, further investigation reveals that an email forwarding rule was created in Jennifer's mailbox 2 weeks ago, forwarding all emails with 'payment,' 'wire,' or 'invoice' to an external Gmail address. Her account shows logins from Romania and Nigeria over the past 14 days. Jennifer does NOT recognize these logins and has NOT traveled internationally."

Discussion Points:

- How was Jennifer's account compromised? (Phishing, credential stuffing, weak password)
- What actions do you take immediately? (Disable account, revoke sessions, reset password, remove forwarding rule)
- What other accounts may be compromised? (Check for similar forwarding rules org-wide)
- What data may have been accessed? (2 weeks of email forwarding—sensitive financial emails)
- Do you notify law enforcement? (Yes - FBI IC3 for BEC attempt)

Expected Gaps/Issues:

- No monitoring for suspicious email forwarding rules
- Lack of MFA enforcement for privileged accounts (Finance, Executive)
- Delayed detection (2-week dwell time)
- No alert for logins from unusual geographic locations

Phase 3: Impact Assessment (15 minutes)

Inject: "Your IT team reviews email audit logs and discovers that over the past 2 weeks, the attacker accessed 450 emails containing vendor invoices, banking information, customer contracts, and M&A discussions (confidential acquisition plans). Some emails contained PII for customers in the EU (names, email addresses, phone numbers). The attacker did NOT successfully steal any funds—Jennifer caught the BEC attempt before approving payment."

Discussion Points:

- What is the business impact? (Confidential M&A information exposed, vendor banking details compromised)
- What regulatory notifications are required? (GDPR breach notification for EU personal data - 72 hours to supervisory authority)
- What do you tell customers/vendors? (Proactive disclosure if their information was accessed)
- How do you prevent this in the future? (MFA, email authentication, payment verification procedures)
- What is the estimated cost? (Forensic investigation, breach notification, reputation damage)

Expected Gaps/Issues:

- Confusion about GDPR applicability and 72-hour deadline
- No established process for notifying vendors of compromised banking details
- Unclear on whether to disclose confidential M&A information exposure to parties involved

Phase 4: Remediation & Hardening (10 minutes)

Discussion Points:

- What immediate remediations are required? (MFA for all users, remove forwarding rules, password resets)
- What payment verification procedures should be implemented? (Verbal confirmation for wire transfers >$X)
- What technical controls prevent future BEC? (Anti-spoofing, external email warnings, disable auto-forwarding)
- How do you train employees? (Phishing simulations, BEC-specific training for Finance team)
- How do you monitor for similar compromises? (SIEM alerts for email rule creation, unusual logins)

Facilitator Wrap-Up:

Document action items with owners. Schedule follow-up exercise in 3-6 months to test new procedures.
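The two detections the Phase 4 discussion points call for (alerts on mailbox forwarding rule creation and on sign-ins from unexpected countries), as an added example that is not part of the original article. The event dictionaries, their field names and the organisation domain are constructed stand-ins for unified audit log records, not the real schema.

```python
"""Added example (not from the article): the two mailbox-compromise detections
discussed in the BEC tabletop (Scenario 2), run over constructed audit events.

  1. Inbox rules that forward mail outside the organisation, rated 'high' when
     the rule also filters on finance keywords ('payment', 'wire', 'invoice').
  2. Sign-ins for one account from more than one country inside a 14-day window.

Event shape and field names are constructed for this example, not the real
unified audit log schema."""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "company.com"                         # assumed organisation domain
FINANCE_KEYWORDS = {"payment", "wire", "invoice"}  # keywords from the scenario inject
LOGIN_WINDOW = timedelta(days=14)                  # dwell time seen in the scenario


def _is_external(address):
    """True when the recipient address is outside ORG_DOMAIN."""
    return not address.lower().endswith("@" + ORG_DOMAIN)


def suspicious_forwarding_rules(events):
    """Flag New-InboxRule / Set-InboxRule events that forward mail externally.

    Returns (user, external targets, matched finance keywords, severity)."""
    alerts = []
    for e in events:
        if e["operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        targets = sorted(t for t in e.get("forward_to", []) if _is_external(t))
        if not targets:
            continue
        words = sorted(w for w in e.get("subject_contains", [])
                       if w.lower() in FINANCE_KEYWORDS)
        alerts.append((e["user"], targets, words, "high" if words else "medium"))
    return alerts


def multi_country_logins(events):
    """Flag accounts that signed in from more than one country inside LOGIN_WINDOW.

    Returns (user, sorted countries seen in the first offending window)."""
    logins = defaultdict(list)
    for e in events:
        if e["operation"] == "UserLoggedIn":
            logins[e["user"]].append((datetime.fromisoformat(e["time"]), e["country"]))
    alerts = []
    for user, entries in logins.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            countries = {c for t, c in entries[i:] if t - start <= LOGIN_WINDOW}
            if len(countries) > 1:
                alerts.append((user, sorted(countries)))
                break                       # one alert per account is enough for triage
    return alerts


# Constructed sample events modelled on the scenario: Jennifer's mailbox gets a
# finance-keyword forwarding rule shortly after a sign-in from abroad.
SAMPLE_EVENTS = [
    {"time": "2025-03-03T08:05:00", "operation": "UserLoggedIn",
     "user": "jennifer@company.com", "country": "US"},
    {"time": "2025-03-04T02:10:00", "operation": "UserLoggedIn",
     "user": "jennifer@company.com", "country": "RO"},
    {"time": "2025-03-04T02:14:00", "operation": "New-InboxRule",
     "user": "jennifer@company.com", "forward_to": ["ap-backup@mail.example"],
     "subject_contains": ["payment", "wire", "invoice"]},
    {"time": "2025-03-05T09:00:00", "operation": "New-InboxRule",
     "user": "tom@company.com", "forward_to": ["tom@company.com"],
     "subject_contains": ["newsletter"]},          # internal target: benign
    {"time": "2025-03-06T09:00:00", "operation": "New-InboxRule",
     "user": "dana@company.com", "forward_to": ["dana.home@mail.example"],
     "subject_contains": []},                      # external, no finance filter
    {"time": "2025-03-10T03:30:00", "operation": "UserLoggedIn",
     "user": "jennifer@company.com", "country": "NG"},
    {"time": "2025-03-01T09:00:00", "operation": "UserLoggedIn",
     "user": "tom@company.com", "country": "US"},
    {"time": "2025-03-20T09:00:00", "operation": "UserLoggedIn",
     "user": "tom@company.com", "country": "US"},
]

if __name__ == "__main__":
    for a in suspicious_forwarding_rules(SAMPLE_EVENTS):
        print("FORWARDING", a)
    for a in multi_country_logins(SAMPLE_EVENTS):
        print("GEO", a)
```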

---

Tabletop Scenario 3: Insider Threat - Data Exfiltration

Facilitator Guide:

Phase 1: Initial Detection (10 minutes)

Inject: "It's Tuesday, 10:30 AM. Your Data Loss Prevention (DLP) system triggers an alert: 'High-risk file upload detected.' A senior software engineer, Michael, uploaded 1,200 files (3.5 GB) from the internal source code repository to a personal Dropbox account at 9:47 AM. DLP has blocked the upload. Michael has been with the company for 4 years and has no disciplinary history. His manager, Sarah, mentions that Michael gave his 2-week resignation notice yesterday and is joining a competitor."

Discussion Points:

- What is your immediate action? (Do NOT confront Michael yet, preserve evidence, disable account)
- Is this a security incident or HR issue? (Both - activate IR team AND involve HR/Legal immediately)
- What data was accessed? (Source code - intellectual property, trade secrets)
- What is the business impact? (Potential theft of proprietary technology)
- Who makes decisions about employee access? (HR + Legal + IT Security)

Expected Gaps/Issues:

- Lack of "pre-termination checklist" (revoke access BEFORE notifying employee)
- DLP policy blocked upload but didn't alert fast enough
- No process for handling suspected insider threats (balance security vs employee rights)

Phase 2: Investigation (15 minutes)

Inject: "Your security team reviews Michael's file access logs over the past 30 days. He accessed the source code repository daily (normal for his role) but 3 days ago, he downloaded the ENTIRE repository to his laptop (unusual—typically developers only access specific projects). He also accessed customer contracts, pricing spreadsheets, and strategic planning documents (NOT normal for his role). His laptop shows evidence of file transfers to an external USB drive 2 days ago. Michael's manager confirms he is joining a direct competitor and will be working on a 'similar' product."

Discussion Points:

- What additional evidence do you gather? (Email for communications with competitor, calendar for meetings)
- Do you involve law enforcement? (Potentially - trade secret theft is a federal crime under Economic Espionage Act)
- What civil remedies are available? (Cease and desist letter, lawsuit for breach of employment agreement, injunction)
- Do you confront Michael? (Yes, but with HR + Legal present, preserve rights)
- How do you secure the USB drive? (Legal counsel sends preservation letter, request return of company property)

Expected Gaps/Issues:

- Lack of "off-boarding" procedures that revoke access before resignation notice
- No monitoring for access to files outside employee's role (UEBA)
- Employment agreement may lack strong trade secret protection clauses

Phase 3: Legal & HR Coordination (15 minutes)

Inject: "HR and Legal meet with Michael. He admits he copied files for 'personal portfolio purposes' and claims he didn't realize he wasn't allowed to. He returns his laptop and USB drive. Legal counsel reviews his employment agreement—it includes a non-compete clause (12 months), confidentiality agreement, and assignment of inventions clause. You operate in California, where non-compete clauses are generally unenforceable except for trade secret protection."

Discussion Points:

- What are your legal options? (Civil lawsuit for trade secret misappropriation, preliminary injunction against competitor)
- Do you allow Michael to work his 2-week notice? (NO - immediate termination, revoke all access)
- How do you communicate this internally? (Minimize details to protect Michael's privacy, 'separation of employment')
- What do you tell the competitor? (Legal demand letter, preservation notice)
- What if Michael already shared files with competitor? (Harder to remediate—seek damages, injunction on use)

Expected Gaps/Issues:

- Unclear on trade secret protections in employee agreements
- No established relationship with employment law attorney
- Lack of understanding of state-specific non-compete rules

Phase 4: Remediation & Prevention (10 minutes)

Discussion Points:

- What technical controls prevent future insider threats? (DLP on endpoints, USB restrictions, file access monitoring)
- What process improvements are needed? (Off-boarding checklist, pre-termination access revocation)
- How do you identify other potential insider threats? (Access reviews, UEBA anomaly detection)
- What training is required? (Manager training on recognizing insider threat indicators)
- How do you balance security with employee trust? (Transparency about monitoring, privacy policies)

Facilitator Wrap-Up:

Insider threat is one of the hardest scenarios—balancing security, legal rights, and employee relations. Document lessons learned and action items.

---

Tabletop Scenario 4: Supply Chain Compromise (Advanced)

Phase 1: Notification from Vendor (10 minutes)

Inject: "It's Wednesday, 2:00 PM. You receive an email from your third-party SaaS HR platform provider (used for payroll, benefits, employee data). They're notifying you of a security incident: an unauthorized actor gained access to their production environment via compromised credentials and may have accessed customer data, including employee PII (names, SSNs, bank account numbers, addresses). The breach occurred between June 1-15, and they just discovered it on June 30. They're conducting forensic investigation and will provide more details in 7-10 days. They recommend monitoring for suspicious activity and notifying affected employees."

Discussion Points:

- Is this YOUR data breach or the vendor's? (Both - you're the HIPAA/GDPR data controller, they're the processor)
- What immediate actions do you take? (Activate IR team, notify Legal, review vendor contract for indemnification)
- What regulatory notifications may be required? (State breach laws, potentially HIPAA if employee health data, GDPR if EU employees)
- How do you assess the vendor's response? (Is it sufficient? Should you conduct your own forensic investigation?)
- What communication do you send to employees? (Proactive notification, credit monitoring offer)

Expected Gaps/Issues:

- No incident response provisions in vendor contract
- Lack of vendor security assessment before onboarding
- Unclear on notification requirements when third-party is involved

Phase 2: Impact Assessment (15 minutes)

Inject: "7 days later, the vendor provides updated information: the breach affected 120,000 customer records across all their clients. Your organization had 1,200 employee records accessed, including names, SSNs, bank account numbers, and W-2 tax forms. The vendor confirms they have cyber liability insurance and will cover notification costs and credit monitoring. However, your Legal team notes that under your state's breach notification law, YOU are responsible for notifying affected individuals within 30 days of discovery—the clock started on June 30."

Discussion Points:

- What is your notification timeline? (30 days from June 30 = deadline July 30—it's now July 7, you have 23 days)
- What do you offer affected employees? (2 years credit monitoring + identity theft insurance)
- What if employees suffer identity theft? (Vendor insurance may cover costs, but YOUR reputation is damaged)
- How do you communicate externally? (Media statement, FAQ on website)
- What contractual remedies do you have against vendor? (Indemnification, service credits, termination for cause)

Expected Gaps/Issues:

- Credit monitoring vendor not pre-selected (takes 1-2 weeks to negotiate contract)
- Breach notification letter template not tailored for employee audience
- Call center not prepared for high volume of employee inquiries

Phase 3: Vendor Risk Management Review (15 minutes)

Discussion Points:

- What went wrong in your vendor selection process? (Did you review SOC 2 report? Conduct security assessment?)
- What should be in your vendor contracts going forward? (Security exhibit, audit rights, breach notification timeline, indemnification)
- How do you assess vendor risk for existing vendors? (Annual questionnaire, SOC 2 review, penetration test results)
- What vendors have access to similar sensitive data? (Benefits providers, IT support, cloud hosting)
- Should you switch vendors? (Weigh business disruption vs risk of staying)

Facilitator Wrap-Up:

Supply chain risk is increasing. Ensure vendor contracts have security requirements and you regularly assess vendor security posture.

---

Post-Incident Report Template

Incident Report #: IR-2025-001
Incident Type: Ransomware
Severity: Critical (P1)
Date Discovered: January 5, 2025, 9:15 AM EST
Date Contained: January 6, 2025, 11:30 AM EST
Date Resolved: January 10, 2025, 3:00 PM EST
Prepared By: [Incident Commander Name], CISO
Date Prepared: January 15, 2025

---

Executive Summary

On January 5, 2025, at approximately 9:15 AM, [Company Name] detected a ransomware incident affecting [NUMBER] file servers and [NUMBER] workstations across [LOCATIONS]. The incident response team was immediately activated, and containment measures were successfully implemented within 26 hours. No ransom was paid. All systems were restored from backups by January 10, 2025. Total business impact is estimated at $[AMOUNT] in lost productivity and recovery costs. No customer data was exfiltrated, and no regulatory notifications were required.

---

1. Incident Timeline

| Date/Time | Event | Action Taken |
| ---------------- | ---------------------------------------------------------- | -------------------------------- |
| Jan 5, 9:15 AM | Help desk receives reports of file encryption | IT Manager notified |
| Jan 5, 9:30 AM | IT confirms ransomware on file server (LockBit 3.0) | Incident Commander activated |
| Jan 5, 9:45 AM | IR team convened on bridge line | P1 incident declared |
| Jan 5, 10:00 AM | Affected systems isolated from network | Spread contained |
| Jan 5, 11:00 AM | Ransom note analyzed: $500K demand, 72-hour deadline | Forensic investigation initiated |
| Jan 5, 2:00 PM | Patient Zero identified: phishing email to Accounting user | User account disabled |
| Jan 5, 4:00 PM | Backups confirmed intact, offline copies unaffected | Decision made: Do NOT pay ransom |
| Jan 5, 6:00 PM | Executive team and Board notified | Communication plan approved |
| Jan 6, 8:00 AM | FBI IC3 notification submitted | Law enforcement engaged |
| Jan 6, 11:30 AM | Malware eradicated, systems rebuilt from clean images | Containment achieved |
| Jan 6, 3:00 PM | Restoration from backups begins (Tier 1 systems) | Critical systems prioritized |
| Jan 8, 5:00 PM | Tier 1 & 2 systems restored and operational | Business operations resumed |
| Jan 10, 3:00 PM | All systems restored, enhanced monitoring active | Incident resolved |
| Jan 15, 10:00 AM | Post-incident review conducted with IR team | Lessons learned documented |

Total Incident Duration: 5 days, 5 hours, 45 minutes
Time to Containment: 1 day, 2 hours, 15 minutes
Time to Recovery: 5 days, 5 hours, 45 minutes

---

2. Incident Description

What Happened:

On January 5, 2025, [Company Name] experienced a ransomware attack using the LockBit 3.0 variant. The ransomware encrypted approximately 250 GB of files on the primary file server and 12 user workstations. A ransom note demanded $500,000 in Bitcoin within 72 hours, threatening permanent data deletion and public leak of data.

Root Cause:

A phishing email was delivered to an Accounting department employee on January 2, 2025. The email spoofed a vendor invoice and contained a malicious Excel attachment. The user enabled macros, which executed malicious code that downloaded the ransomware payload. The malware established persistence, escalated privileges using a known Windows vulnerability (CVE-2024-XXXX), and moved laterally to the file server using compromised domain credentials. Volume Shadow Copies were deleted to prevent system restore.

Entry Vector: Phishing email with malicious Excel macro
Vulnerabilities Exploited: CVE-2024-XXXX (Windows privilege escalation), weak domain password policy
Attacker Tactics (MITRE ATT&CK):

- Initial Access: T1566.001 (Phishing: Spearphishing Attachment)
- Execution: T1204.002 (User Execution: Malicious File)
- Privilege Escalation: T1068 (Exploitation for Privilege Escalation)
- Defense Evasion: T1070.001 (Indicator Removal on Host: Clear Windows Event Logs)
- Credential Access: T1003.001 (OS Credential Dumping: LSASS Memory)
- Lateral Movement: T1021.002 (Remote Services: SMB/Windows Admin Shares)
- Impact: T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery)

---

3. Impact Assessment

Business Impact:

- Systems Affected: 1 file server, 12 workstations, 1 domain controller (reconnaissance only, not encrypted)
- Users Affected: 45 employees unable to access shared files
- Downtime: 5 days for full restoration (critical systems restored in 48 hours)
- Data Loss: 4 days of work (last backup was 4 days prior to incident)
- Revenue Impact: $250,000 in lost productivity (estimated)
- Recovery Costs: $150,000 (forensic investigation, IT labor, backup restoration)
- Total Financial Impact: $400,000

Data Impact:

- Data Encrypted: 250 GB of internal files (financial reports, HR documents, project files)
- Data Exfiltration: No evidence of data exfiltration found in forensic analysis
- Regulatory Impact: No customer PII/PHI affected → No breach notification required under HIPAA or state laws

---

4. Response Actions Taken

Containment:

- Isolated affected systems from network within 45 minutes of detection
- Disabled compromised user accounts and reset all domain passwords
- Blocked C2 domains and IP addresses at firewall
- Disabled RDP and SMB file sharing network-wide (temporary)
- Took backup storage offline (disconnected from the network) to prevent encryption of backups

Eradication:

- Removed malware using EDR platform (CrowdStrike Falcon)
- Rebuilt affected systems from clean OS images
- Applied Windows patches (including CVE-2024-XXXX)
- Removed unauthorized scheduled tasks and registry keys
- Reset krbtgt account password (Kerberos Golden Ticket mitigation)

Recovery:

- Restored file server from backup dated January 1, 2025
- Restored user workstations from clean images
- Phased restoration: Critical systems first (file server, domain controller), then user workstations
- Enhanced monitoring during recovery period (24/7 SOC watch for reinfection)
- Verified backups clean and malware-free before restoring

Notification:

- Internal: Executive team, Board of Directors, all employees (communication via email and all-hands meeting)
- External: FBI Internet Crime Complaint Center (IC3) - reported incident and ransom demand
- Regulators: None required (no customer data affected)
- Insurance: Cyber liability insurance carrier notified within 24 hours, claim filed

---

5. Root Cause Analysis

How Did This Happen?

Immediate Cause: User enabled macros in malicious Excel attachment from phishing email

Contributing Factors:

1. Lack of email filtering: Phishing email bypassed Office 365 default filtering (no advanced threat protection enabled)
2. No macro restrictions: Microsoft Office macros enabled by default (should be disabled or warn user)
3. Insufficient user training: Employee did not recognize phishing indicators (spoofed sender, urgent request, suspicious attachment)
4. Unpatched systems: Windows privilege escalation vulnerability (CVE-2024-XXXX) not patched within SLA
5. Weak password policy: Domain passwords did not meet NIST SP 800-63B recommendations (no complexity requirements, 90-day expiration)
6. No MFA: Multi-factor authentication not enforced for domain accounts (allowed attacker to use stolen credentials)
7. Inadequate network segmentation: File server on same network segment as user workstations (no micro-segmentation)
8. Backup gaps: Backups older than 4 days (business lost 4 days of work)

---

6. Lessons Learned

What Went Well:

- ✅ Incident response team activated quickly (within 30 minutes of detection)
- ✅ Clear command structure and decision-making authority
- ✅ Effective communication with executive team and employees
- ✅ Backups were intact and offline (prevented encryption)
- ✅ Forensic evidence preserved for investigation
- ✅ No ransom paid—decision aligned with FBI/CISA guidance
- ✅ Systems restored within business-acceptable timeframe

What Could Be Improved:

- ❌ Detection delay: Ransomware deployed 3 days after phishing email (long dwell time)
- ❌ Email filtering did not block phishing email
- ❌ User training gaps—employee enabled macros despite warning
- ❌ Patching SLA not met (CVE-2024-XXXX patch available 45 days prior, not applied)
- ❌ Backup frequency insufficient (4-day data loss)
- ❌ No EDR on file server (only endpoints)
- ❌ No network segmentation between user workstations and servers
- ❌ Incident response plan not recently tested (last tabletop exercise 18 months ago)

---

7. Recommendations & Action Items

| Priority | Recommendation | Owner | Target Date | Status |
| -------- | ---------------------------------------------- | ---------------- | ----------- | ----------- |
| HIGH | Enable Microsoft Defender for Office 365 (P2) | IT Manager | Jan 20 | In Progress |
| HIGH | Disable Office macros via Group Policy | IT Manager | Jan 15 | Complete |
| HIGH | Enforce MFA for all domain accounts | Security Lead | Jan 31 | In Progress |
| HIGH | Implement daily backups (vs weekly) | IT Manager | Jan 25 | In Progress |
| HIGH | Deploy EDR to all servers (not just endpoints) | Security Lead | Feb 15 | Not Started |
| MEDIUM | Conduct phishing simulation training | Security Lead | Feb 1 | Scheduled |
| MEDIUM | Implement network segmentation (VLANs) | Network Engineer | Mar 1 | Not Started |
| MEDIUM | Update password policy (NIST SP 800-63B) | Security Lead | Jan 31 | In Progress |
| MEDIUM | Patch Windows vulnerability CVE-2024-XXXX | IT Manager | Jan 10 | Complete |
| LOW | Conduct quarterly tabletop exercises | Security Lead | Ongoing | Scheduled |
| LOW | Review incident response plan (annual) | Security Lead | Apr 1 | Not Started |

---

8. Compliance & Legal

Regulatory Notifications: None required (no customer PII/PHI affected)

Law Enforcement: FBI IC3 notification submitted January 6, 2025 (Case #IC3-XXXXXXX). FBI provided IOCs and confirmed LockBit 3.0 attribution. No further action required from FBI at this time.

Insurance Claim: Cyber liability insurance claim filed January 5, 2025 (Claim #XXXXX). Estimated payout: $300,000 (covers forensic investigation, business interruption, recovery costs). Deductible: $100,000.

Legal Action: No civil or criminal action pursued against threat actor (attribution to foreign adversary, no realistic recovery of funds or prosecution).

---

9. Cost Analysis

| Category | Cost |
| ----------------------------------------- | ------------ |
| Lost Productivity | $250,000 |
| Forensic Investigation | $75,000 |
| IT Labor (Incident Response & Recovery) | $50,000 |
| Backup Storage Expansion | $15,000 |
| Security Tool Upgrades (Defender P2, EDR) | $10,000 |
| Total Cost | $400,000 |
| Less: Insurance Payout | ($300,000) |
| Net Cost to Organization | $100,000 |

---

10. Conclusion

The ransomware incident on January 5, 2025, was successfully contained and resolved without paying the ransom demand. While the incident resulted in significant business disruption and financial impact, the organization's investment in offline backups and incident response preparedness enabled effective recovery. Key lessons learned include the need for enhanced email filtering, user training, MFA enforcement, and more frequent backups. Action items have been assigned with target completion dates. The incident response plan will be updated to reflect lessons learned, and quarterly tabletop exercises will be conducted to maintain readiness.

Next Review Date: April 1, 2025 (Quarterly IR Plan Update)

Key Takeaways

- Document your incident response plan BEFORE an incident occurs
- Practice through tabletop exercises and simulations
- Know your compliance notification requirements
- Preserve evidence throughout the incident
- Conduct post-incident reviews to continuously improve
- Have legal and PR resources identified in advance

---

Authoritative Resources

NIST Publications:

- [NIST SP 800-61 Rev. 3: Computer Security Incident Handling Guide](https://csrc.nist.gov/pubs/sp/800/61/r3/final) (April 2025)
- [NIST Cybersecurity Framework (CSF) 2.0](https://www.nist.gov/cyberframework) - Respond function
- [NIST SP 800-83 Rev. 1: Guide to Malware Incident Prevention and Handling](https://csrc.nist.gov/pubs/sp/800/83/r1/final)

Government Resources:

- [CISA Cyber Incident Reporting](https://www.cisa.gov/report)
- [FBI Internet Crime Complaint Center (IC3)](https://www.ic3.gov/)
- [StopRansomware.gov](https://www.cisa.gov/stopransomware) - CISA ransomware resources

Regulatory:

- [HHS HIPAA Breach Notification Rule](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
- [GDPR Articles 33-34: Breach Notification](https://gdpr-info.eu/)

Industry Standards:

- [SANS Incident Handler's Handbook](https://www.sans.org/white-papers/33901/)
- [ISO/IEC 27035: Information Security Incident Management](https://www.iso.org/standard/78973.html)

---

_Need help building or testing your incident response plan? [Contact us](/contact) for expert guidance._

Published 2025-12-20 | Version 1.0

Tags: Incident Response, Cybersecurity, Ransomware, NIST, Breach Response
