When an incident strikes, the primary goal for the wider organisation is to get back to business as usual with as little disruption as possible. The tips below should help to ensure you can investigate the incident fully, find out the extent of the breach and prevent the attackers from continuing their activities.
There’s a lot to consider; where should you even start?
- BE PREPARED
When a cyber security incident occurs, an organisation must know what it has to do in response and how it’s going to do it. It will also need to ensure that it has the necessary information, materials, skills and capabilities to do this effectively. Do you have an Incident Response Plan? Have you tested it?
- MAKE A RECORD
Keep a log of everything that happens during the course of the incident from identification through to recovery: when, where and how the breach was discovered, when the response effort started, the steps taken and why – record whatever you can. You never know what you might need and when you might need it, including evidence for potential legal proceedings.
- DON'T JUST TURN OFF YOUR PCs
Consider the impact before simply turning the machines off – your main goal is likely to be business continuity followed by restricting the potential damage. Turning the machine off might tip your hand to attackers or destroy vital data needed to inform any subsequent investigation. Disconnecting from the network might be enough.
- ENSURE YOU CAN TELL THE STORY
Ensure you know all you need to know about the incident before remediation. Although remediation can often be done in phases, you don’t want to spend time remediating only to discover the attackers still have a route in that you missed.
- PRESERVE THE EVIDENCE
Depending on the nature of the incident, you might need to engage with Law Enforcement, with Regulators, or with HR. At the very least you’ll want to have a good debrief. Preserving as much evidence as possible will make all of these things easier and make for better ‘Lessons learnt’. Does someone in your organisation know how to properly preserve evidence?
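Two of the tips above, keeping a record and preserving evidence, come down to the same discipline: note what was collected, by whom and when, and be able to prove later that it has not changed. The script below is an added example of that discipline, not a tool from the original page or from Context. It builds a small chain-of-custody manifest for collected artefacts (hypothetical helper names, constructed sample files in a temporary directory) and then re-verifies the hashes, flagging any artefact that has gone missing or been altered since collection.

```python
"""Minimal incident evidence manifest (added example, not the page's own tooling).

Hash each collected artefact, record who took it and when, write the manifest
to disk, and re-verify the hashes later to detect tampering or loss.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(manifest, path, collector, note):
    """Append a chain-of-custody entry: what was taken, by whom, when, and its hash."""
    entry = {
        "path": os.path.abspath(path),
        "size": os.path.getsize(path),
        "sha256": sha256_file(path),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
    }
    manifest.append(entry)
    return entry


def verify_manifest(manifest):
    """Re-hash every recorded file; return (path, status) pairs.

    status is "ok", "modified" (hash differs) or "missing" (file gone).
    """
    results = []
    for entry in manifest:
        p = entry["path"]
        if not os.path.exists(p):
            results.append((p, "missing"))
        elif sha256_file(p) != entry["sha256"]:
            results.append((p, "modified"))
        else:
            results.append((p, "ok"))
    return results


def demo():
    """Constructed scenario: two 'evidence' files, one edited after collection.

    Returns the verification status of the untouched file and the edited one.
    """
    workdir = tempfile.mkdtemp(prefix="ir-demo-")
    log_path = os.path.join(workdir, "auth.log")
    cfg_path = os.path.join(workdir, "suspicious.cfg")
    # Constructed sample content; not real log data.
    with open(log_path, "w") as f:
        f.write("Jan 01 00:00:01 host sshd[123]: Accepted password for admin\n")
    with open(cfg_path, "w") as f:
        f.write("persist=1\n")

    manifest = []
    record_evidence(manifest, log_path, "analyst1", "copied from web01 before isolation")
    record_evidence(manifest, cfg_path, "analyst1", "found in /etc on web01")

    # Write the manifest alongside the artefacts so it travels with them.
    with open(os.path.join(workdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)

    # Simulate someone editing an artefact after it was collected.
    with open(cfg_path, "a") as f:
        f.write("persist=0\n")

    statuses = dict(verify_manifest(manifest))
    return statuses[os.path.abspath(log_path)], statuses[os.path.abspath(cfg_path)]


if __name__ == "__main__":
    print(demo())
```

In practice the manifest itself should be stored somewhere the analysts cannot silently change (write-once media, or a copy held by a second person), and the "collected_at" timestamps should be taken from a clock the team trusts; the verification step is what turns the record into something a debrief, regulator or court can rely on.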
- COMMUNICATE THE INCIDENT
Keep those who need to know in the know. Stakeholders will need to be informed, and potentially make decisions, so they need to have all the relevant information. As the incident response investigation progresses, it’s important to find the balance between keeping users informed so they don’t make up their own explanations, and not revealing too much about the security team’s capability.
- LEARN FROM THE EXPERIENCE
Make sure to review how the incident was handled, where improvements could have been made and implement steps to reduce the impact of future attacks. Go back to your Incident Response Plan and refine it if necessary so that you’re better prepared for the next time.
You should accept that your organisation is more than likely to suffer a cyber-incident at some point in the future, regardless of the maturity of your security posture. Being prepared for this to happen and knowing how you'll respond gives you an advantage against the attackers and will ultimately reduce the disruption and cost to your business.
Should you require any assistance with your incident response planning, Context has the knowledge and experience to assist in preparing your Incident Readiness Plan and offers an Incident Response Investigation Support (IRIS) Service.
Download our Top Tips flyer here.