Incident Response 101: What to expect before, during, and after a breach

Cyberattacks have become a daily occurrence, and it seems like no business is immune. The bad actors who struck during the pandemic in 2020 are becoming bolder and more greedy, often demanding millions of dollars in ransom payments. Fortunately, you are not powerless against their exploits. You can take steps now to ensure you are ready if and when you experience a breach.

The National Institute of Standards and Technology (NIST) has developed a four-step incident response (IR) process that emphasizes that IR should be cyclical, with continuous learning and improvement to enhance defenses over time. The descriptions below should de-mystify this process and start you on your journey to IR awareness.

Step 1: Preparation

They say the best defense is a good offense. When it comes to cybersecurity, the best way to protect your business is to start getting ready for a breach before it happens. Review your security policy, perform a risk assessment, identify your most sensitive assets, define critical incidents that your team should focus on, and build a Computer Security Incident Response Team (CSIRT). Be sure your CSIRT members are available 24×7 to respond to incidents on a short notice and augment them as needed with virtual or on-call staff. It is also very helpful to assign your CISO the role of team advocate or sponsor to help manage communications between the team and C-level executives and ensure the team has the budget it needs to operate effectively. (If you find this idea overwhelming, keep reading. You don’t have to do it all alone.)

You may want to consider purchasing an IR retainer from an experienced cybersecurity consulting service provider. These contracts take the pressure off your internal staff and provide an additional security blanket by giving you a choice of cybersecurity consulting service hours to use in the event of a breach.  For added value, the vendor might let you apply your unused hours to other IR and cybersecurity consulting engagements if you don’t experience a breach.  

Step 2: Detection and Analysis

When a cyberattack happens, you must move quickly to identify the type and extent of the breach. Is it ransomware, a phishing email or some other sort of malicious attack? How can you tell if it is an actual breach or just a false positive? Collect data from your IT systems, security tools, and external sources, then look for red flags such as:

• Unusual logon activity
• Unusual file changes and database manipulation
• Suspicious or unknown files
• Locked accounts and changed user credentials
• Missing funds or assets, such as intellectual property or sensitive data.

If you have been breached, your team or a third-party Blue Team will need to gauge the scope, collect evidence, and document the incident. If you are not familiar with the term “Blue Team”, it is a group of experts in analyzing information systems to identify security flaws and verify the effectiveness of your security measures. Blue team members are also responsible for in-depth defense concepts, patching, defensive technology management, and more.  These teams are a must-have for organizations who don’t have the headcount to fully staff their own CSIRT team. For the remainder of the steps, we’ll assume you are using one of these teams.   

Step 3:  Containment, Eradication, and Recovery

Containment is aimed at limiting damage from the current security incident and preventing any further damage or destruction of evidence that may be needed for prosecution. The NIST containment strategy depends on the level of damage, the need for continuous access to affected systems, and the time needed to implement a solution:

• Short-term containment—limiting damage before the incident gets worse, usually by isolating network segments, taking down the hacked production server, and routing to failover.
• System backup—taking a forensic image of the affected system(s) and then wiping and reimaging the systems. This process preserves evidence that can be used in court and for further investigation of the incident.
• Long-term containment—applying temporarily fixes to make it possible to bring production systems back up. The primary focus is removing accounts or backdoors the attackers left on your systems, and addressing the root cause—for example, fixing a broken authentication mechanism.

During the Eradication phase, the Blue Team will advise your team on how to perform cleanup operations to remove malicious files and other artifacts introduced by the attacks, and fully restore all affected systems.  Important steps include understanding what caused the incident to prevent future compromise and applying basic security practices, such as upgrading old software versions and disabling unused services.

After verifying that all your systems are clean and threat is removed, the Blue Team will advise you on how to initiate the Recovery process, during which you will:

• Enhance your Incident Response and Business Continuity plans to help ensure a faster and smoother recovery time
• Test and verify your systems to ensure that they are clean and fully functional as they go live
• Perform ongoing monitoring to observe operations and check for abnormal behaviors
• Do everything necessary to prevent another incident

Step 4: Post-Incident Activity

While it is never possible to document all aspects of an incident while it is underway, it is critical that you identify lessons learned for next time. Work with the Blue Team to compile all relevant information about the incident, such as when it was first detected and how it was contained and eradicated, and extract lessons that can help with future incident response activity. Critical Start helps organizations identify, classify, prioritize, assist in remediation, and mitigate software vulnerabilities.  Talk to one of our experts to learn how to prepare your organization for an incident response—before you are breached.

You might also be interested in: 
Learn how a major international manufacturer stopped a breach with CRITICALSTART IR Services.
NIST Computer Security Incident Handling Guide