It comes as no surprise to anyone who follows industry news that reports of cybercrime are increasing. While no security leader ever gets ‘used’ to being breached, the first time it happens is especially daunting.
This is a guide put together for new security leaders, based on discussions with our Incident Response team and CISOs from various backgrounds who have dealt with breaches more than once.
It’s worth saying that there is no one-size-fits-all answer to the question: ‘What should I do when a cybersecurity incident happens?’ The truth is there are no golden rules or magical solutions as every breach will be unique.
Breaches may vary in terms of what attack vectors were used in addition to the type of technologies utilized by a company. There are, however, simple-to-follow guidelines to set you on the right path to recovery.
Watch Darrell Switzer talk on Four Things His Clients Wished They’d Done Before Getting Breached.
Step 1: Remain Calm
Staying calm may be easier said than done when you get that sinking feeling that your company has been hacked. It’s not just the hack, it’s how it could potentially impact your business, the brand, and the bottom line. It’s all about staying calm. And not doing the following things that make it hard for an incident responder to investigate a case properly.
Things to avoid include:
- Deleting valuable data (preservation of artifacts is key!)
- Resetting any passwords or disabling any accounts without a plan
- Attempting to contact the threat actor
- Attempting to fix the problem or patch a system without a plan
Step 2: Determine the Scope of the Breach
Response to a breach is better after an initial analysis of the full incident. Ask yourself the following:
- ‘Have I identified what was comprised?’
- ‘How did it happen?’
- ‘When did this occur and over what time period?’
- ‘What actions did the threat actor perform?’
Answers to these questions will help the responders decide how best to proceed in containing and eliminating the attack.
Step 3: Make a First-Steps Response Plan and Act
When it comes to addressing a cyber-attack, we all know time is of the essence. It is crucial to act swiftly but also, to be guided by the process. The information you extract or gain about the incident should be enough to help you plan your first steps. By no means does this plan need to be fully comprehensive with assigned roles and timelines but it should include a clear step-by-step process for the preliminary stages of the response.
Obviously, the most important thing to say here is incident preparedness. Cyber playbooks and planning can – and should – be done well in advance of the breach. In the first months as a new security leader, you should organize red teaming and purple teaming exercises, cyber crisis simulation, and incident response readiness plans and playbooks.
One of the major threats you will have to face at some point in time is ransomware. This threat is worth spending focused time on. There are plenty of resources out there – you may find the guides below, which we compiled with a wide range of incident response practitioners, useful:
Download ‘What to Do in the First 24 hours’ of a ransomware attack for advice on immediate response.
Download the Ransomware Response Playbook, a detailed guide to planning and preparing for a ransomware attack, with technology, people, and processes considered in full.
Step 4: Containment
With any security incident, a key step is to ‘stop the spread’. Several factors need to be considered, for example:
- Does the company have an Endpoint Detection and Response (EDR) system that could be used to contain the asset remotely or does this need to be done physically by pulling the network from the asset?
- If the asset must be physically contained, can you locate it based on the information available?
- Are you dealing in the first instance with a user’s workstation or a server?
- A workstation is easier to take offline with the impact limited to a single user. If we’re talking about a server, the impact widens.
- What services are impacted if this server were taken offline?
- This is worth careful consideration. If the organization affected is a manufacturing plant, any downtime would lead to material financial losses.
If threat actors have already been in the network for many months, it could be unwise to begin containment. This can alert the threat actors to the fact that they have been discovered and can trigger them to launch their end game – e.g., destruction of data, ransomware deployment, etc.
You’ll gain much more if you observe their behavior and discover how much of the network they have infiltrated. Then, you can make a plan on how to effectively contain the breach all at once and minimize damage.
Step 5: Find an Expert
Breaches can cause significant financial damage. How the incident is handled can further impact the depth of that damage. Regardless of your company’s security posture and maturity, it’s always worth reaching out to respected experts, a tried-and-tested cyber emergency response team, whose experience and know-how could save time and money.
Managed Detection and Response providers have the benefit of exposure to a broader spectrum of technologies and environments as well as threat intelligence than a single-focus incident response firm. A good provider will be well placed to respond to an incident in any environment and work effectively in every unique situation.
Step 6: Reporting the Breach
Business leaders must handle the reporting stage on any incident with caution as there are financial and reputation implications, ranging from public perception to fines and penalties. It is imperative that all aspects and angles of the breach are discussed. You’ll need to cover all topics, including:
- Technical details of what was achieved by the threat actors
- Possible ramifications of those actions
You must consult Public Relations and Legal teams to devise a proper course of action and messaging for media, shareholders, and staff.
Depending on the impact of the incident, there will be questions from various stakeholders and scrutiny of how the company handled the incident, so you need to get this right.
It goes without saying that it’s best to avoid denial of facts, which may later come to light later on and lead to a backlash. Note that if you are in a highly regulated space, such as finance, public utilities, or education, you’ll likely have compulsory reporting processes to the government or other regulatory bodies, which you need to adhere to.
Step 7: Recovery
The recovery process depends on the scale of the incident.
For minor incidents, recovery could simply include:
- Removing malicious artifacts from the system
- Patching a vulnerability and updating all software to their latest releases
- Deploying an endpoint detection and response (EDR) agent
Larger incidents may need you to redeploy infrastructure or build a clean environment from scratch, which will have considerable time and financial implications.
Regardless of the situation, it is best to prioritize what requires the least amount of time to implement while securing the environment against further attack. This process includes putting in place targets that will help you achieve other goals to strengthen the overall security posture of the business.
Step 8: Post-Mortem
Regardless of whether you were able to stop the attack before deep damage was done, or whether you were only able to contain and eliminate the threat after data exfiltration took place, the post-mortem is a key step that will help ensure you build resilience.
You need to ask some simple questions:
- What were the root causes of the incident?
- How could the incident have been prevented?
- What changes can be made to minimize the risk of a similar incident occurring in the future?
And regardless of the scenario, preparation for the future is key. In an incident, an attacker reveals the holes in the security of the business, and this is the perfect opportunity to address them and work towards increased cyber resilience.
Schedule compromise assessments and penetration tests as well. These will show any future active threats in your environment and enable you to stay ahead of the curve.
Think about getting in touch with your Incident Response service provider to ensure they are providing you training in the form of threat simulations, playbooks, and scenario planning.
As said earlier on, preparation is key.
No-one judges a CISO on being unable to stop an incident, but they will look closely at how you respond to it. And good preparation will help ensure you’re not left scrambling to get a robust response plan together.
- “I’m a New Security Leader and My Business Has Been Breached. What Next?” An Eight-Step Guide to Managing a Cyber-Attack for the First Time. - February 7, 2023
- Our top cybersecurity predictions for 2023 - January 10, 2023
- 15 Practical Tips for More Effective Cybersecurity Incident Response - November 2, 2022