Organisations need to be prepared to respond to a wide variety of cyber security incidents. Your biggest concern might be the threat of criminal hackers breaking into your systems, but you also need to know what to do if, say, an employee inadvertently or maliciously leaks data or your organisation suffers a power outage.
Despite the prevalence of these threats, very few organisations have demonstrated effective response capabilities. So what exactly should you be doing?
Ed McAndrew, partner at Ballard Spahr LLP and a former assistant US attorney, and Patrick Dennis, president and CEO of Guidance Software, have answered that question with their seven-step process for mitigating and responding to disruptive incidents.
Identify key assets
An organisation might not have the resources to protect its entire enterprise. If that’s the case, it should determine what data, assets and services warrant the most protection before it creates an incident response plan (IRP).
Have a plan of action
Plans and procedures that address the steps that need to be taken after an attack can help limit the damage. They should detail:
- Who has lead responsibility for different elements of the IRP;
- How to contact critical personnel;
- What mission-critical data, networks or services should be given the greatest protection; and
- How to preserve data related to the incident.
Stay informed about threats
An organisation’s awareness of new or commonly exploited vulnerabilities can help it prioritise its security measures. McAndrew and Dennis point out that some organisations, such as Information Sharing and Analysis Centres (ISACs), share real-time threat intelligence.
Make an initial assessment of the threat
It’s critical to assess the nature and scope of an attack. It’s also important to determine whether it was a malicious act or a technological glitch. The nature of the incident will determine the organisation’s course of action.
Capture the extent of the damage
An organisation should make a forensic image of the affected computers as soon as the incident is detected. This preserves a record of the system for analysis and potentially for use as evidence at a trial.
The organisation should restrict access to these materials in order to “maintain the integrity of the copy’s authenticity, safeguard it from unidentified malicious insiders and establish a chain of custody”. In practice that means recording a cryptographic hash of the image at the moment it is taken, and logging every hand-over or examination of it, so that any later change to the image or to its record can be detected.
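As an added example, not code from McAndrew and Dennis or from the course described here, the following Python script shows the two controls in this step in working form: hashing a forensic image at acquisition so that later modification is detectable, and keeping an append-only chain-of-custody log in which each entry commits to the hash of the previous one. The disk image, the examiner and locker names and the entry notes are all constructed for the demonstration; the tamper steps at the end simply show what a failed verification looks like.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream the image through the hash in chunks so a multi-GB file needs no extra memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path, expected_hash):
    """True only if the image on disk still matches the hash recorded at acquisition."""
    return hash_file(path) == expected_hash


def _entry_digest(entry):
    # Hash every field except the digest itself, with a canonical key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record for one forensic image.

    Each entry carries the hash of the previous entry (the first carries the
    image hash), so editing, reordering or deleting an entry breaks the chain
    and verify() reports it.
    """

    def __init__(self, image_path, image_hash):
        self.image_path = image_path
        self.image_hash = image_hash
        self.entries = []

    def record(self, action, actor, note):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.image_hash
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain from the image hash forward; any break returns False."""
        prev = self.image_hash
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev:
                return False
            if entry["entry_hash"] != _entry_digest(entry):
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Constructed walk-through: acquire, log two custody events, then detect tampering."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a real disk image; names are hypothetical.
        image = os.path.join(tmp, "host01-disk.raw")
        with open(image, "wb") as f:
            f.write(b"constructed disk image bytes" * 1000)

        acquired_hash = hash_file(image)
        log = CustodyLog(image, acquired_hash)
        log.record("acquired", "examiner-1", "imaged via write blocker")
        log.record("transferred", "examiner-1 -> evidence-locker", "sealed bag C-0001")
        results["image_intact"] = verify_image(image, acquired_hash)
        results["log_valid"] = log.verify()

        # A single byte of the image is altered: the acquisition hash no longer matches.
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        results["image_after_tamper"] = verify_image(image, acquired_hash)

        # An earlier custody entry is rewritten: its digest and the chain no longer agree.
        log.entries[0]["actor"] = "someone-else"
        results["log_after_tamper"] = log.verify()
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The log here lives in memory for the demonstration; in practice it would be written to storage that the imaging workstation cannot overwrite, and the acquisition hash would be recorded on the evidence form as well, since a log that only exists on the compromised network is exactly what an insider would try to alter.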
Take steps to minimise additional damage
An affected organisation should prevent further data loss through containment measures such as rerouting network traffic, filtering or blocking distributed denial-of-service traffic, and isolating all or part of the compromised network.
McAndrew and Dennis also recommend keeping detailed records of the steps that were taken to mitigate the damage as well as any costs incurred as a result of the attack.
Work with law enforcement
McAndrew and Dennis strongly recommend that organisations work with law enforcement. A relationship with law enforcement officials established before a breach helps build trust in both directions. It is also essential to notify law enforcement following a breach. An organisation may be reluctant to do so because of the disruption it could cause to business and the damage it could do to its reputation. However, notifying the appropriate authorities is often a legal requirement.
An effective response plan
Organisations that implement an IRP will be much better equipped to respond to cyber security incidents, as the plan includes each of these steps and provides information on exactly what needs to be done.
Those who want to learn more about incident response, and how to create an effective plan, should consider enrolling on our Incident Response Management Foundation Training Course.
This one-day course covers everything you need to know to effectively detect, analyse and respond to a variety of threats. An expert practitioner will guide you through:
- The role of the incident response team;
- Formulating an IRP;
- Incident scenarios for common attack vectors; and
- The ways in which an IRP helps you comply with the EU General Data Protection Regulation (GDPR) and the Network and Information Systems (NIS) Regulations 2018.