Step 5, Long-term: Review and update incident response playbooks to address extortion-style breach scenarios where threat actors use leak site listing and removal as negotiation leverage; ensure tabletop exercises include regulatory notification workflows and litigation-hold procedures.
Post-Incident
NIST 800-61r3 §3.4.9 (post-incident activities — conduct lessons-learned review and update incident handling procedures)
NIST 800-53 IR-3 (Incident Response Testing)
NIST 800-53 IR-7 (Incident Response Assistance)
NIST 800-53 AU-11 (Audit Record Retention)
CIS 17.9 (Conduct regular simulations)
CIS 19.4 (Update incident response and recovery plan)
Compensating Control
Create three documents:
(1) Extortion playbook — define the escalation path (IR team → legal → CEO/board), the decision gate ('Will we engage with the attacker or decline?'), communication protocols (who approves ransom discussions, how negotiations are documented), and law enforcement coordination (FBI IC3, Nevada state AG cyber unit).
(2) Litigation-hold procedure — define the trigger for activating the hold (breach confirmed), its scope (all systems involved), the retention period (minimum 3 years or the statute of limitations, whichever is longer), and the custodians (IT, security, HR, finance).
(3) Tabletop scenario template — write 2-3 realistic scenarios: (a) the breach is discovered on a leak site 7 days after containment and an extortion demand arrives; (b) the notification deadline conflicts with the legal investigation timeline; (c) media coverage triggers an unexpected regulatory inquiry.
Run the tabletop annually with legal, IR, communications, and compliance. No tool required; use Word/Sheets for the playbook and a calendar for tabletop scheduling.
Preserve Evidence
Capture the following before updating playbooks:
(1) The current incident response playbook (if one exists) — identify gaps in extortion and litigation-hold procedures.
(2) Documentation of how your organization previously handled ransom inquiries or extortion threats (email records, legal opinions, decision logs).
(3) A copy of the litigation-hold policy and any prior litigation holds your organization has activated (template, scope, duration).
(4) Recordings or transcripts from prior tabletop exercises, with participants' feedback on gaps in procedure knowledge.
(5) A list of external resources: FBI IC3 contact information, state AG cyber unit, cyber insurance carrier incident hotline, and law firm counsel assigned to incident response.
Archive playbook versions with dates to track their evolution.