First of all, you have to identify whether there is an incident and how severe it is. To determine the severity, you have to analyze the threat, establish what happened and identify the affected systems and users. The following actions help with this step:
- Check log files
- Check monitoring systems
- Check the antivirus, SIEM and EDR alerts
Isolate affected systems to prevent further damage (impact control). This is a step where automation is preferable.
At this stage, critical decisions have to be made that can impact the business. Decisions must be made fast, but there is always a risk that something goes wrong. Organizations should define acceptable risks in dealing with incidents and develop strategies accordingly.
Find and eliminate the root cause. After an incident is contained, the malicious components must be removed, for example by deleting malware and disabling breached user accounts. It is important to identify and mitigate all the vulnerabilities that were exploited by the attacker.
More often than not, an attacker will implant a backdoor in the system to be able to regain access later. It is important that these backdoors are found during the eradication process to prevent the attacker from breaching the systems again.
back into production (and monitor them closely). The main focus is to restore systems to normal operation and confirm that the systems are working normally.
- Restoring systems from clean backups
- Rebuilding systems from scratch
- Replacing compromised files with clean versions
- Installing patches
- Changing passwords
For incidents on a large scale, the eradication and recovery phase can take months.
Write down, analyze and review everything with all team members in order to improve the response to future incidents.
Why is a Security Incident Response Plan useful?
A cyber security incident entails a lot of stress. Unfortunately, today it is no longer a question of ‘if it will happen’, but of ‘when it will happen’.
Having a Security Incident Response Plan ensures that you as an organization can remain calmer, that you can act more efficiently and therefore solve the incident faster. After all, it is widely known that the faster a cyber security incident is contained, the smaller its total impact.
But the problem with plans is that they are often designed to sit on the shelf until the day when the proverbial oxygen masks fall from the ceiling. Other than that, they’re just collecting dust (except for the occasional auditor visits).
It is therefore important to take an active rather than a passive approach when drawing up, using and maintaining your Security Incident Response Plan.
Performing a Tabletop Exercise (TTX) is useful to identify difficulties or problems in the Security Incident Response Plan and to train staff in handling an incident. The goal of a TTX is to simulate a possible incident and resolve it by following your SIRP. Afterwards, the response plan is updated and optimized where needed.
Let us help you develop your Security Incident Response Plan.
At Spinae, we specialize in cyber security. We are well aware that it is impossible for most companies to draw up a solid Security Incident Response Plan tailored to their organization. Spinae wants to help you with this.
for further information or an introductory meeting.