So You’ve Had an Incident?

Security incidents are an unavoidable occurrence. If your security team has never observed a security incident, there is likely a hole somewhere in your monitoring and alerting process, and you’ve missed it.

That said, the initial signs of a breach or security incident are rarely black and white. The most advanced threat actors can stealthily infiltrate and persist within environments while flying under the radar of even the best security tools and analysts. A response is predicated on the detection and notification of an incident, either by analysts internal to the organization or by a third party (typically a government agency or an MSSP). These notifications can come in the form of an abuse report because a botnet has taken hold in your environment, a call from law enforcement or a security researcher saying that they have seen your confidential data floating around on the web, or even the threat actor or group contacting you with ransom demands to keep them from releasing confidential data to the masses.

When an organization suspects that a security incident has occurred, regardless of how it was detected, its incident response team needs to be ready. There is often a knee-jerk reaction by members of an organization to try to resolve an incident immediately by taking systems offline or blocking IP addresses. These types of reactions, while understandable, can be detrimental to the response process and can increase both the length and the risk of the incident. Having a well-trained team of security analysts and incident response personnel is just as important as, if not more important than, having the latest security product in your environment.

Below are some dos and don’ts to keep in mind when laying out an incident response plan:

Don't:
  • Assume the amount of money you throw at solutions or products equates to your level of protection
    • Having a good team of security analysts and incident responders is crucial to the continued success of any organization
    • Security products will do nothing to stop an incident unless they are configured properly and have trained personnel monitoring and maintaining them. It is often a misconfiguration that leads to the initial breach or to lateral movement
  • Let the responsibility rest solely on the shoulders of your security and incident response teams
    • In an organization, it is everyone’s responsibility to help maintain a safe and secure environment, from the user who clicks a link to a malicious website to the janitor whose stolen access badge allows physical access to your environment
    • Proper security education for everyone within an organization is essential for preventing an incident, including any supply chain partners or contractors
  • Ruin valuable incident response data and information by panicking or reacting without a plan
    • Quick actions can lead to the loss of volatile data such as memory or host-based artifacts
    • Ensure all useful logs from the period of the suspected incident are preserved and not overwritten; rotating logs to save storage space is common practice within large environments
    • The attacker can very easily be tipped off that you have discovered them by immediately taking a system offline, installing or executing tools on the affected machines, performing recon to identify them, or even taking direct action against them

Do:
  • Develop a strategy and practice incident response exercises before a breach
    • Creating a well-developed incident response plan is critical to taking the proper actions in a methodical and repeatable fashion when needed
    • Create an incident response team made up of leads from security, legal, and the executive team who will be quickly notified throughout the incident lifecycle
    • Identify the proper law enforcement contacts for the various incidents that may involve disclosure or third-party intervention
  • Collect and preserve valuable data or forensic evidence for ongoing investigations
    • Preserve potential evidence in a forensically sound manner with a proper chain of custody, in case legal action needs to be taken at the conclusion of the incident response.
  • Invest in continued training for your team and arm them with the products necessary for proper response
    • Create an environment that supports continued learning and education for your team to continue honing their skills
    • Stay informed on current threats and trends. Inform analysts and adjust security posture appropriately to avoid the need to engage your incident response team.
    • Consult your incident response team when purchasing tools for them to use during the process. Purchasing the incorrect products can lead to incorrect or inefficient response.
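The two preservation points above (keep logs from the incident window from being overwritten, and preserve evidence with a chain of custody) are the kind of thing a responder scripts in advance. The following is an added example, not code from the original article: it copies a set of log files into an evidence directory, hashes each file before and after the copy, makes the copies read-only, and writes a manifest recording collector, collection time and SHA-256 so that later tampering is detectable. The file names, the collector name and the log lines are constructed for the demo.

```python
import hashlib, json, os, shutil, tempfile
from datetime import datetime, timezone
def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(sources, dest_dir, collector):
    """Copy logs into dest_dir, verify each copy's hash, write a custody manifest."""
    os.makedirs(dest_dir, exist_ok=True)
    entries = []
    for src in sources:
        dst = os.path.join(dest_dir, os.path.basename(src))
        before = sha256_file(src)
        shutil.copy2(src, dst)  # copy2 keeps the original mtime for the timeline
        os.chmod(dst, 0o440)    # read-only so the copy is not edited by accident
        if sha256_file(dst) != before:
            raise RuntimeError(f"copy of {src} does not match the source hash")
        entries.append({"source": os.path.abspath(src), "preserved_as": dst, "sha256": before})
    manifest = {"collector": collector, "entries": entries,
                "collected_at": datetime.now(timezone.utc).isoformat()}
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_manifest(dest_dir):
    """Re-hash every preserved copy; return paths whose hash no longer matches."""
    with open(os.path.join(dest_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["preserved_as"] for e in manifest["entries"]
            if sha256_file(e["preserved_as"]) != e["sha256"]]

def demo():
    """Constructed sample: preserve two fake logs, verify, alter one copy, verify again."""
    work = tempfile.mkdtemp()
    sample = {"auth.log": "Jan 01 00:00:01 host sshd[1]: Accepted publickey for admin\n",
              "proxy.log": "2024-01-01T00:00:02Z 10.0.0.5 GET http://example.invalid/ 200\n"}
    for name, line in sample.items():
        with open(os.path.join(work, name), "w") as f:
            f.write(line)
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs([os.path.join(work, n) for n in sample], evidence, "analyst-1")
    clean = verify_manifest(evidence)          # expected: [] right after collection
    altered = manifest["entries"][0]["preserved_as"]
    os.chmod(altered, 0o640)                   # undo read-only purely for the demo
    with open(altered, "a") as f:
        f.write("edited after collection\n")
    return len(manifest["entries"]), clean, len(verify_manifest(evidence))
```

In a real collection the evidence directory would live on separate, write-once storage and the manifest would be signed or hashed off-host, so the custody record cannot be altered together with the copies.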

The basic structure and actions of an incident response plan are straightforward. What is much more difficult is creating a strategy that is actionable yet flexible enough to apply to any type of incident, while still rigid enough to give a clear flow to follow. Leveraging the information above and any existing plans or ideas, create an incident response program that can adapt to change and be improved by learning from successes and failures.