Seconds matter when you’re detecting threats, and they’re even more vital when a threat becomes a successful cyberattack.
Whether you’ve just been breached or are simply looking for information to prepare for the worst, it’s helpful to know where to start. Follow these 7 steps to streamline your Incident Response experience and prevent future breaches.
1. Stay Calm & Lock it Down
The first objective when you discover signs of a breach is to lock down your systems as quickly as possible to prevent additional data loss or further damage to your network. If you can, isolate the affected machine(s) so the attacker can no longer move laterally within your network or communicate between your systems and the “outside”.
DO NOT DESTROY EVIDENCE. Many organizations act quickly in response to an attack, and that’s great, but often times that quick action involves immediately restoring from backups or resetting machines—essentially erasing evidence that would be needed for thorough investigation. Always approach security incidents as if a full Incident Response process will be required: it’s better to be overly-cautious when preserving evidence. Following the six phases of Incident Response, there will be a clear point in the process where systems can be reset or restored.
Additionally, in Ransomware incidents, do not rush into paying a ransom in exchange for access to your data. There’s never a guarantee that the bad guy…
- will return your data after receiving the funds
- hasn’t installed additional malware or “backdoor” access to continue the breach.
Opt for calling experts first, before making any major decisions regarding restoring, resetting, or paying ransoms.
2. Call Your Cyber-911
Of course, it depends on your situation. In most cases, one of your first calls—if not the very first—should be to cybersecurity experts who can engage in the official investigation and containment of the cyber threat. They can help you determine the scope of the incident and whether other forms of breach notification are necessary. Depending on what has been exposed or stolen, you may need to contact law enforcement, lawyers, or your cyber insurance provider, and your expert Incident Response team can provide guidance on based on the investigation’s findings.
3. Identify & Investigate
Working with Incident Response experts, identify the details behind the cyber incident including what it consisted of, the current status of the attack, and where to go next. Experts will further investigate the incident to uncover the path of attack, trace back the attacker’s entry point into the network, and verify the extent of the breach including whether data has been stolen or attacker “backdoors” have been implanted. A thorough investigation is the first step in ensuring the same attacker won’t breach you twice.
4. Mitigate Vulnerabilities
Often times, the investigation will uncover the security “holes” that allowed the attacker to get in and successfully execute the attack. Anything from open firewall ports, to employee mistakes, to outdated software or insecure code can be a vulnerability that leads to an attack—sometimes, it can be a combination of these things and more. After you learn what went wrong, it’s time to increase security by fixing those holes. This can include deploying additional or improved security solutions, altering hardware or software configurations, and changing account privileges.
5. Notify Accordingly
Depending on whether personally identifiable information (PII) has been exposed or if assets have been stolen, you may need to contact local authorities and consumer reporting agencies. The Federal Trade Commission offers helpful resources regarding data breach response and notification for businesses and their impacted customers. Additionally, many states are introducing breach notification laws that impact any businesses which hold the PII of their residents, such as the SHIELD Act in New York, which may require you to notify individual states’ authorities regarding the breach as well. Determine your legal requirements based on local, state, national, and international laws.
If PII has been exposed, you will also be required to notify the affected customers or clients whose data was breached. Be sure to consult your IR team to ensure your notification efforts balance timeliness without impacting the incident investigation and recovery.
6. Recover & Resume Business
When the investigation is complete, the attacker’s access is removed, and vulnerabilities are fixed, it’s time to return your machines to production and begin the recovery process. Finally, you can return to “business as usual.”
If you’re responding to a ransomware incident, you can rebuild machines or restore from backup after your IR team has indicated that it is safe or possible to do so.
7. Take note of lessons learned
We’ve noticed that this IR phase often goes overlooked, but it’s important to dedicate a little time to reviewing the breach experience and learn from what went well—and what may have gone wrong. This includes what led to the incident and the actions that followed.
Review your IR process for next time (hopefully there isn’t a next time!), hold cybersecurity training with employees across all departments, and review cybersecurity investments with decision makers. Prepare for the worst, but also prepare your business adequately so that there won’t be a next time.
If you’re reading this proactively, considering steps for your organization’s Incident Response Plan, or simply learning more about cyber incident response before you need it, check out our Cybersecurity Report Card to get an accurate picture of your cybersecurity today:
And if you’re skimming these articles because you think (or know) you’ve been the victim of a cyberattack, reach out to us and we can help determine if our experts are the right fit to investigate and help mitigate your breach. Infogressive can help!