What’s the best way to avoid a cyber attack turning into a full breach? Prepare in advance.
After experiencing a breach, organizations often realize they could have avoided a lot of cost, pain, and disruption if they’d had an effective incident response plan in place.
This guide will show you how to respond to a cyber security incident and give you the best chance at thwarting an adversary.
Properly planning for a potential incident is not the sole responsibility of your security team. In fact, an incident will likely impact almost every department in your organization, especially if it turns into a full-scale breach. To properly coordinate a response, you must first determine who should be involved. This often includes representation from senior management, security, IT, legal, and public relations.
Those who need to be involved in your organization’s planning exercises should be determined in advance. Additionally, establish a method of communication to ensure a quick response. Take into account the possibility that your normal channels of communication (e.g., corporate email) may be impacted by an incident.
Your organization first needs to identify its highest priority assets. Mapping out your highest priority assets will not only help you determine your protection strategy but will make it much easier to determine the scope and impact of an attack.
By identifying these in advance, your incident response team will be able to focus on the most critical assets during an attack, minimizing disruption to the business.
Incident response is like many other disciplines—practice makes perfect. While it is difficult to fully replicate the intense pressure your team will experience during a potential breach, practice exercises ensure a more tightly coordinated and effective response when a real situation occurs. It is important to run not only technical tabletop exercises, but also broader exercises that include the various business stakeholders previously identified.
Tabletop exercises should test your organizational responses to a variety of potential incident response scenarios. Each of these scenarios might also include stakeholders beyond the immediate technical team.
Common incident response scenarios include:
The best way to deal with an incident is to protect against it in the first place. Ensure your organization has the appropriate endpoint, network, server, cloud, mobile, and email protection available.
Without the proper visibility into what is happening during an attack, your organization will struggle to respond appropriately. Before an attack occurs, IT and security teams should ensure they have the ability to understand the scope and impact of an attack, including determining adversary entry points and points of persistence.
Proper visibility includes collecting log data, with a focus on endpoint and network data. Since many attacks take days or weeks to discover, it is important that you have historical data going back for days or weeks (even months) to investigate. Additionally, ensure such data is backed up so it can be accessed during an active incident.
In addition to ensuring you have the necessary visibility, your organization should invest in tools that provide necessary context during an investigation.
Some of the most common tools used for incident response are endpoint detection and response (EDR) and extended detection and response (XDR) platforms. These tools allow you to hunt across your environment for indicators of compromise (IOCs) and indicators of attack (IOAs). Analysts use EDR tools to pinpoint which assets have been compromised, which in turn helps determine the impact and scope of an attack.
The more data that is collected—from the endpoints and beyond—the more context is available during investigation. Broader visibility allows your team to not only determine what the attackers targeted but how they gained entry into the environment and if they have the ability to access it again.
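To make the hunting and scoping idea concrete, here is an added example that is not from the original article and not Techinc's tooling. It runs a small IOC hunt over constructed endpoint telemetry (the hosts, timestamps, placeholder hashes and IPs are all made up), groups hits per host to show the scope, picks the earliest hit as the likely entry point, and flags whether that earliest hit would already have aged out of a given log retention window, which is the point made above about keeping historical data:

```python
from datetime import datetime, timedelta

# Constructed endpoint telemetry standing in for EDR/XDR data. Each record is one
# observed event: host, UTC timestamp, SHA-256 of the executing image (placeholder
# strings, not real hashes) and the destination IP of any outbound connection.
TELEMETRY = [
    {"host": "WS-0142", "ts": "2024-02-01T09:12:00", "sha256": "PLACEHOLDER-HASH-A", "dst_ip": None},
    {"host": "WS-0142", "ts": "2024-02-01T09:13:30", "sha256": "PLACEHOLDER-HASH-A", "dst_ip": "203.0.113.10"},
    {"host": "SRV-DB01", "ts": "2024-02-20T22:40:00", "sha256": "PLACEHOLDER-HASH-B", "dst_ip": None},
    {"host": "SRV-DB01", "ts": "2024-02-26T03:05:00", "sha256": "PLACEHOLDER-HASH-A", "dst_ip": "203.0.113.10"},
    {"host": "WS-0207", "ts": "2024-02-27T11:00:00", "sha256": "PLACEHOLDER-HASH-C", "dst_ip": "198.51.100.7"},
]

# Constructed IOC set, as it might come from a threat-intel feed or an earlier
# investigation: known-bad file hashes and a command-and-control address.
IOCS = {
    "sha256": {"PLACEHOLDER-HASH-A"},
    "dst_ip": {"203.0.113.10"},
}


def hunt(telemetry, iocs):
    """Return {host: [matching events, oldest first]} for every record that hits an IOC.

    Each matching event is annotated with the IOC fields it matched on, so an
    analyst can see whether a host only ran the binary or also beaconed out.
    """
    hits = {}
    for event in telemetry:
        matched = [field for field, values in iocs.items() if event.get(field) in values]
        if matched:
            hits.setdefault(event["host"], []).append({**event, "matched": matched})
    for events in hits.values():
        events.sort(key=lambda e: e["ts"])
    return hits


def scope_incident(telemetry, iocs, now_iso, retention_days):
    """Summarise scope per compromised host.

    For each host: when it was first seen touching an IOC, how many hits it has,
    and whether that first hit falls inside a retention window of `retention_days`
    ending at `now_iso`. A False here means a shorter retention would have hidden
    the host's earliest activity from the investigation.
    """
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    summary = {}
    for host, events in hunt(telemetry, iocs).items():
        first_seen = datetime.fromisoformat(events[0]["ts"])
        summary[host] = {
            "first_seen": events[0]["ts"],
            "event_count": len(events),
            "visible_within_retention": first_seen >= cutoff,
        }
    return summary


def likely_entry_point(summary):
    """The host with the earliest IOC hit is the best first guess at the entry point."""
    if not summary:
        return None
    return min(summary, key=lambda host: summary[host]["first_seen"])


if __name__ == "__main__":
    result = scope_incident(TELEMETRY, IOCS, "2024-03-01T00:00:00", retention_days=14)
    for host, info in result.items():
        print(host, info)
    print("likely entry point:", likely_entry_point(result))
```

With the constructed data and a 14-day window ending 1 March, the server hit on 26 February is inside retention, but the workstation where the activity began on 1 February is not, so an investigation limited to two weeks of logs would scope the incident to the server and miss the real entry point.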
In addition to EDR tools, advanced security teams might deploy a security orchestration, automation, and response (SOAR) solution that aids in response workflows.
Attackers can leverage weak access control to infiltrate your organization’s defenses and escalate privileges. Regularly ensure that you have the proper controls in place to establish access control. This includes, but is not limited to, deploying multi-factor authentication, limiting admin privileges to as few accounts as possible (following the Principle of Least Privilege), changing default passwords, and reducing the number of access points you need to monitor.
Detecting an attack is only part of the process. Your IT and security teams need to have the ability to conduct a wide range of remedial actions to disrupt and neutralize an attacker. Response actions include:
When learning how to respond to a cyber security incident, no business can afford to ignore its staff's role.
While no training program will ever be 100% effective against a determined adversary, education programs (e.g., phishing awareness) reduce your risk level and limit the number of alerts your team needs to respond to. Using tools to simulate phishing attacks provides a safe way for your staff to experience (and potentially fall victim to) a phish. Enroll those who fail into training.
Many organizations are not equipped to handle incidents on their own. Swift and effective response requires experienced security operators. To ensure you can properly respond, consider working with an outside resource such as a managed IT services provider.
Managed IT services providers often offer comprehensive security solutions. At Techinc, we put preventative measures in place for our clients to stop cyber security incidents from happening in the first place. In the event an incident has occurred, we can guide you through the aftermath and help you get back up and running.
Some businesses retain digital forensics and incident response (DFIR) services after an incident to collect evidence to support a legal or insurance claim.
When a cyber security incident strikes, time is of the essence. Knowing how to properly respond to a cyber security incident will dramatically reduce the impact of the attack on your organization. We highly recommend our set of security solutions—responding badly to a cyber security incident can break your business.
We’ve put proper security in place for businesses throughout Denver and beyond. Just take a look at our case studies for some examples! And always feel free to contact us for a free security assessment.