
Podcast | Optimising Your Cyber Incident Response Plan

Lenoy Barkai 29 March 2021



With attacks against SolarWinds and Microsoft Exchange Server, it is clear that the volume, scale, and complexity of cyber threats show no indication of slowing. This also means organisations need to keep pace with the latest threats, threat actors, and best defences available when a virus or ransomware group decide to strike.



In this S-RM Insider podcast, we bring together three specialists in the field of cyber incident response to explain how a typical cyber-attack unfolds, and the tools and tactics needed to optimise your cyber incident response plan. On the panel are:


Joseph Tarraf, Associate Director, S-RM’s Cyber Incident Response team

Magnus Josias, Co-Founder and COO of Krizo

Greg Foss, Senior Cyber Security Strategist, VMware Carbon Black



The panel discuss how a typical cyber incident unfolds and how to approach one from the start. Cyber incidents are by nature “chaos impersonated,” says Joe Tarraf, with the first 24 hours setting the tempo for the entire response.

Some organisations are better prepared than others, with many looking to incident response specialists to manage and solve their crisis from start to finish, including relations with external counsel, law enforcement, and ransomware negotiations.


“[Some] organisations are simply not equipped to handle a response, especially when it’s a complex response like a ransomware case. They might not have recovery plans, they might not have incident response plans, they might not have the in-house security teams and the response teams to handle the incidents.” – Joe Tarraf


Prepared or not, organisations can and do make mistakes, and some of those are more common than others, says the panel. One is trying to delete malware immediately, which can make reinfection more likely because crucial clues left by a threat actor are missed. Mistakes can also be made around ransomware negotiations, particularly if the threat actor is on a sanctions list.




To mitigate these sorts of mistakes, the panel turn to resources on the market, looking at how endpoint detection and response tools can act as ‘hunting platforms,’ giving responders full visibility and a competitive edge over threats.


“When you look at a virus, you detect a malicious file, but that’s not where it stops. What we really want to know is how did it get there, what actions did it perform, were they using it to grab passwords, were they using it to move laterally.” – Greg Foss



The panel also look at the best tools for communicating in a crisis, to facilitate the right information sharing to the right people at the right time, and ensure an audit trail for later on: “Whatever tool you’re using, make sure it creates a tamper-proof audit trail for post incident review, insurance claims or legal issues,” says Magnus Josias.


“Responses should be seen as a learning opportunity. The ‘post-mortem’ process should result in becoming a more resilient organisation. Use lessons learnt to update your plans and playbooks, stream procedures, and capture bottlenecks.” – Magnus Josias

The panel conclude by agreeing that every incident is an opportunity to improve an organisation’s incident response readiness; building a strong network of external contacts and briefing leadership on response playbooks are two of the main ways businesses can prepare for the next virus or ransomware attack.

S-RM is a global risk consultancy providing intelligence, resilience and response solutions to clients worldwide.
