How to Create an Incident Response Plan

Published On: December 16th, 2024 | Categories: Blog

It’s been a crazy year for the automotive industry. Over the summer, a ransomware incident affected thousands of dealers nationwide. In the aftermath of that incident, we noticed a dramatic spike in cyber-attacks targeting dealerships. If those threats weren’t enough, dealers in certain parts of the country were also affected by hurricanes Helene and Milton. Dealers found ways to be resourceful, but their business was disrupted while they improvised. This brings us to an important question:

Do you have an Incident Response Plan?

If you don’t have one yet, don’t panic. We’re going to walk you through the process of putting a plan together, so when disaster strikes, you’ll be ready. The SANS Institute, a trusted resource for cybersecurity training, certifications, and research, lays out six phases of an incident response plan. Based on that framework, we’ll walk you through what to do before, during, and after a cyber-attack occurs.

Preparation

Start by writing down your current policies and documenting what’s supposed to happen when an incident occurs within your organization. Consider including items such as:

  • Is multifactor authentication required on all devices?
  • How often are employees required to complete security awareness training?
  • What happens if someone clicks on a phishing test email?

Next, take time to decide which individuals are part of the incident response team and define clear roles for everyone involved.

Identification

This is where your incident response team has to decide what to do about any suspicious activity. A good Endpoint Detection and Response (EDR) tool will help you identify potential threats and provide alerts, but that’s only half the battle. You also need someone to monitor those alerts – an expert who can discern the difference between a true threat and a false positive. Once you’ve made that determination, it’s time to spring into action.

Containment

Containment is all about isolating any devices that were affected by the attack as quickly as possible and minimizing the damage. Essentially, you’re trying to prevent the infection from spreading any further. This could involve disconnecting devices from a network, quarantining a segment of your network, or running on backup systems while you address the issue. You’ll want to carefully document everything you did during this step and take the time to collect evidence so you can analyze exactly what happened.

Eradication

Eliminate the threat with extreme prejudice. Now that you’ve identified the problem and ensured that it can’t do more harm, you need to remove all malicious code or malware from your devices. Even once you’re satisfied that your systems have been completely sanitized, run a thorough scan to confirm there aren’t any lingering traces of the infection. You’ll also want to address any vulnerabilities that allowed the incident to occur in the first place.

Recovery

The goal in this step is to get back to business as usual by restoring things to their pre-incident state. Before declaring “all systems go,” make sure you have everything updated, backed up, and patched up to prevent another similar attack.

Lessons Learned

Any landing you can walk away from is a good landing. But the last step in any incident response plan is figuring out what went wrong and diagnosing what could be improved. Instruct your team to take thorough notes during each phase of the process. Having the ability to review those will make this last step a lot easier. Sit down with the team and discuss the incident, how it was handled, and what could be done differently the next time.
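To make the six phases above concrete, here is an added example (not the article’s or SANS’s code) of a small Python incident log that enforces the order of the phases, refuses to close Containment, Eradication or Recovery until the actions this article calls for have been recorded, and reports time spent per phase for the lessons-learned review. The phase names, the exit-checklist tags and the drill scenario are assumptions constructed for illustration.

```python
# Added example, not the article's or SANS's code: an incident log that walks the six
# phases in order and will not close a phase until its required actions are on record.
from datetime import datetime, timedelta
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned"]
# Hypothetical exit checklist: tags that must be logged before a phase may be closed.
EXIT_REQUIREMENTS = {"containment": {"isolate", "evidence"},
                     "eradication": {"remove", "scan", "patch"},
                     "recovery": {"backup", "update"}}

class IncidentLog:
    def __init__(self, name):
        self.name, self.phase_idx, self.entries = name, 0, []  # (time, phase, tag, note)

    @property
    def phase(self):
        return PHASES[self.phase_idx]

    def record(self, when, tag, note):  # the article's "document everything" step
        self.entries.append((when, self.phase, tag, note))

    def missing_requirements(self):
        done = {tag for _, ph, tag, _ in self.entries if ph == self.phase}
        return EXIT_REQUIREMENTS.get(self.phase, set()) - done

    def advance(self, when):  # close the current phase; no skipping, no unfinished work
        if self.phase == PHASES[-1]:
            raise ValueError("incident already closed")
        if self.missing_requirements():
            raise ValueError(f"cannot leave {self.phase}: missing {sorted(self.missing_requirements())}")
        self.entries.append((when, self.phase, "exit", "phase closed"))
        self.phase_idx += 1

    def phase_durations(self):  # wall-clock time per closed phase, for lessons learned
        out, start = {}, None
        for when, ph, tag, _ in self.entries:
            start = start or when  # the first entry opens the first phase
            if tag == "exit":
                out[ph], start = when - start, when
        return out

def run_drill():  # constructed tabletop scenario: alert, then containment
    t, log = datetime(2024, 12, 16, 9, 0), IncidentLog("constructed ransomware drill")
    log.record(t, "alert", "EDR flags mass file encryption on a service-desk PC")
    log.advance(t + timedelta(minutes=5))  # preparation -> identification
    log.advance(t + timedelta(minutes=15))  # -> containment
    log.record(t + timedelta(minutes=16), "isolate", "host off network, VLAN quarantined")
    log.record(t + timedelta(minutes=25), "evidence", "disk image and EDR telemetry saved")
    log.advance(t + timedelta(minutes=30))  # -> eradication
    return log
```

After `run_drill()` the log sits in Eradication and refuses to advance until removal, a clean scan and patching are all recorded, which is exactly the gap a tabletop exercise is meant to surface.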

Crafting an incident response plan is an important part of building a cybersecurity culture at your dealership. Employees should know who to contact if they encounter something suspicious and feel empowered to share information that can make the team stronger. After every incident, revisit your response plan to see if there are opportunities to improve upon it. You don’t have to wait for disaster to strike either – tabletop exercises are an excellent way to test your policies and discover potential gaps.

Given the increase in attacks we’ve observed within the automotive industry, it’s a matter of when you’ll be faced with an incident, not if. Having a plan in place could be the difference between 15 minutes of discomfort and 15 days of disruption.
