Guest Column | August 8, 2022

Your Cyberattack Response Plan Is Out Of Date. Here's How To Fix It.

By Raj Dodhiawala, Remediant


It’s a mistake for MSPs to treat their response plans as a one-and-done exercise. This straightforward acronym can help your company prioritize and strategize.

As cybersecurity threats surge in frequency and sophistication, most MSPs have incident response plans in place. But not all plans are sufficient – something that quickly becomes clear when attackers succeed in breaching their defenses.

Take the recent attack on Okta, in which a hacking group gained access to the cloud software firm’s systems through a Costa Rica-based subcontractor engineer’s laptop that had downloaded password-stealing malware. The fact that Okta was blindsided by this vulnerable contractor, and then sent out mixed messages over the severity and scope of the breach, is a sure sign that its response plan suffered from some major holes.

It’s a mistake to treat response plans as a one-and-done exercise. Allowing them to sit unchanged for months is a major oversight; hackers are working overtime to get past those defenses. CISOs and risk officers should approach their plans as living documents that are constantly reviewed, battle-tested, and updated to ensure their flexibility and comprehensiveness.

A robust response plan has three pillars – Agility, Measurement, and Practice. Incorporating these AMP principles into your planning process will stand you in good stead for both preventing breaches and minimizing their financial and reputational costs. Here’s how to recognize whether your AMP principles are up to date.

Agility
The speed at which you respond to a threat is crucial. Arguably it’s the most important element of an incident response plan. Get it right and you can stop an attack in its tracks. Get it wrong and the threat can gain unstoppable momentum.

In last year’s Colonial Pipeline ransomware breach, hackers entered with a compromised password, then set off through the oil pipeline company’s system to install ransomware. The company’s initial response to the breach was too slow, allowing the hacking group to move through the system. Colonial had to halt all pipeline operations until it paid the ransom, causing fuel shortages up and down the East Coast that subsequently impacted air travel, as well as the trucking industry.

Let’s be honest: It's almost impossible to stop ransomware once it’s begun encryption. Instead, agile incident response plans should use a combination of automation and human monitoring – an early warning system of sorts – to raise alerts when a threat has entered the network and is moving laterally. Next, companies should have a plan to isolate the hackers’ targets and cut off their access. If you can’t prevent the intrusion, speed is of the essence: detect the threat quickly and cut off its routes.

Questions you should be asking: What systems and processes do you have in place to detect a breach? Once detected, how quickly can you respond? How will you restrict hackers’ ability to move laterally within your systems and access the most valuable targets?

Measurement
If thieves break into your house, modern security systems allow you to record their activity and monitor their movements in real time. The same principle should apply to a good incident response plan.

Companies need mechanisms in place to constantly monitor their controls and measure the impact and scope of an attack. Effective measurement allows you to spot weaknesses in your defenses and address them quickly. If you can see that a single account compromise led to 15 others being breached, you can start investigating why that happened and take steps to address it.

Companies should take advantage of the many tools available that enable IT teams to trace the digital footprint of an intruder. Security information and event management (SIEM) systems let you collect logs from different environments, write rules, and determine what actions were taken by which users, creating a real-time picture of the crime scene.
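The kind of rule the paragraph above describes, written out as an added example (not code from the column or from Remediant): starting from one compromised account, it walks SIEM-normalised logon events to find which hosts the attacker reached and which other credentials were picked up along the way. The event tuples and host and account names are constructed for illustration, and the two-hour window is an assumed tuning value.

```python
from datetime import datetime, timedelta

# Constructed sample of SIEM-normalised logon events (not real data):
# (timestamp, source host, destination host, account used)
EVENTS = [
    ("2022-08-01T09:00:00", "wkstn-17", "fs-01", "contractor.a"),
    ("2022-08-01T09:05:00", "fs-01", "db-02", "svc-backup"),
    ("2022-08-01T09:06:00", "db-02", "dc-01", "svc-backup"),
    ("2022-08-01T09:30:00", "wkstn-04", "fs-01", "alice"),   # unrelated logon
    ("2022-08-01T14:00:00", "fs-01", "hr-01", "bob"),        # too late to attribute
]


def trace_blast_radius(events, seed_account, window=timedelta(hours=2)):
    """Follow logons outward from one compromised account.

    A host becomes 'touched' once an exposed account logs on to it. A logon
    that originates from a touched host within `window` of its compromise is
    treated as the attacker re-using a credential harvested there, so that
    account joins the exposed set and its destination becomes touched.
    Returns (exposed accounts, {touched host: first-touch time}, hops).
    """
    exposed = {seed_account}
    touched = {}
    hops = []
    for ts, src, dst, user in sorted(events):   # ISO timestamps sort correctly
        t = datetime.fromisoformat(ts)
        from_compromised_host = src in touched and t - touched[src] <= window
        if user in exposed or from_compromised_host:
            exposed.add(user)            # credential now considered exposed
            touched.setdefault(dst, t)   # keep the earliest touch time
            hops.append((src, dst, user))
    return exposed, touched, hops


if __name__ == "__main__":
    exposed, touched, hops = trace_blast_radius(EVENTS, "contractor.a")
    print("exposed accounts:", sorted(exposed))
    print("touched hosts:", sorted(touched))
    for src, dst, user in hops:
        print(f"  {src} -> {dst} as {user}")
```

Widening the window trades false negatives for false positives (with six hours, `bob`'s logon from `fs-01` would be attributed too), which is exactly the kind of threshold a post-mortem should revisit.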

Strong measurement and control practices cascade down to wider benefits, such as giving you more leverage to negotiate better terms with cybersecurity insurance providers.

Practice
Another way response plans become outdated is through lack of practice. Just as organizations hold regular fire drills, it’s crucial to test your response plan’s robustness in real-world conditions.

Running red and purple team war games is an effective way of testing how your human and tech defenses hold up under different kinds of attack. The subsequent post-mortem should result in concrete steps for improving your performance based on where it fell short. Did your dashboard tracking give you current, relevant information on the threat so you could prioritize your countermeasures? Was your security compromised by having too many users with admin privileges? Do you have the capability to shut down admin access to promptly cut off the attackers’ ability to move laterally around your network or to allow you to restore systems into operation?

Thorough practice also enables you to stay agile by not falling into rote patterns in your response. A common response to a breach, for example, is to return the system to its base state by using a pre-configured golden image. But if that golden image contains credentials that have already been compromised, the effect of a reset can be to prolong and worsen the threat.

Cyber-attacks are spreading faster than most incident response plans can keep up with. The best way to protect your organization is to AMP up your defenses: Be agile, measure, and practice.

About The Author

Raj Dodhiawala is President of Remediant.