Cyber security Incident Response: What to do when you’ve been hacked
The worst has happened – your organisation’s IT network has been hacked. What do you do next?
The moves you make following an incident matter enormously: they determine how much you lose, how quickly services are restored, and whether colleagues, clients and customers keep trusting you. A poor response to a cybersecurity breach can have a serious and lasting impact on the organisation.
Having an incident response plan in place before anything happens is key.
What is cyber security incident response?
Incident response is a methodical, pre-planned way of managing the fallout from a security breach or cyberattack. It is usually the responsibility of a dedicated incident response team, and its goal is to handle any security incident that occurs in the best way possible.
When your cyber security has been threatened, it is vital to have a predetermined incident response plan in place so that you can act quickly and with purpose: understand the nature of the threat, analyse its level, and respond swiftly and authoritatively to limit damage to affected systems. If ever there was a time for absolute clarity, this is it.

Everyone in your incident response team should be clear on both their individual role and what the incident response process looks like as a whole. There must be a central point of contact: a person or persons responsible for coordinating meetings, identifying gaps in the plan, and guiding everyone through the response. Records should be meticulous, timestamped and kept outside the systems under investigation, so that they help the team with the current incident and with future ones, and so that they survive if the attacker is still inside. These are all tools that help you make good decisions in the aftermath of a cybersecurity event.
Here we take you through the basics of incident response planning, ensuring your cyber security team can put together an effective incident response plan to deal with any future security incident that may occur.
Categorisation of incident
Understanding exactly what you are dealing with is the first step in administering your incident response plan effectively, making sure you involve the correct team members from the get-go.
Any security breach that triggers a formal response from your cybersecurity specialist team should be treated as serious until triage shows otherwise; it is far easier to stand a response down than to restart one that began too late.
Here are some common examples – you might find it helpful to include such a list or matrix within your incident response planning documents to ensure your incident response team members are able to quickly identify the nature of the threat:
- Malicious code: Malware or ransomware has infected your network or critical systems.
- Denial of Service: A sudden surge in traffic to your site, phone lines or other systems has overwhelmed them and made it impossible for operations to continue as normal.
- Phishing: Your colleagues, clients or customers are receiving emails that try to convince them to open a malicious link or attachment, or to hand over credentials.
- Unauthorised Access: An unauthorised person (internal or external) has gained access to accounts, email or other systems.
- Insider: An employee has caused a security incident and/or compromised systems, either deliberately or by mistake.
- Data breach: Data has left your control, for example through lost or stolen devices or documents, or through an attacker copying it out of your systems.
- Targeted attack: An attack deliberately aimed at your business, usually by an experienced or sophisticated attacker or group. This may encompass several of the above categories.
Understand the severity
During the initial triage period, it can be useful to think of the severity of the cyber attack or security breach in terms of the following:
- What is the impact of the security incident on business output?
- Is confidential or sensitive data at risk?
- Could existing data or affected systems have been altered in such a way that they cannot be trusted?
You might also find it helpful to create a matrix of example outcomes for your incident response plan, rated in order of severity according to what matters most to your business. Such a matrix lets you quickly determine how serious a threat you are facing when the time comes, and shapes the response that follows.
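To show how the category list and the three severity questions above can be turned into a working triage aid, here is an added example (not code from the original article or from AirIT). It classifies a handful of constructed alerts into the categories listed, scores each against the three questions on a 0 to 3 scale, weights those scores by what the business cares about most, and orders the queue. The keyword rules, the weights, the band thresholds and the sample alerts are all illustrative assumptions, not a real detection ruleset.

```python
"""Added example: a small incident triage helper built from the article's
category list and severity questions.  All rules, weights and sample
alerts below are constructed for illustration."""
import re
from dataclasses import dataclass

# Assumed category rules, mirroring the article's list.  First match wins;
# "Targeted attack" is checked first because it can encompass the others.
CATEGORY_RULES = [
    ("Targeted attack", r"\bapt\b|spear.?phish|lateral movement"),
    ("Malicious code", r"ransomware|malware|trojan|\.encrypted"),
    ("Denial of Service", r"ddos|syn flood|request rate|flood"),
    ("Phishing", r"phish|credential harvest|malicious attachment"),
    ("Unauthorised Access", r"unauthori[sz]ed|brute.?force|impossible travel"),
    ("Insider", r"\bemployee\b|staff member|leaver"),
    ("Data breach", r"lost laptop|stolen|exfiltrat"),
]

# Assumed weights: how much each severity question matters to this business.
# Integrity is weighted highest here because untrusted systems block recovery.
DEFAULT_WEIGHTS = {"output": 2, "data": 2, "integrity": 3}

# Bands as fractions of the maximum possible score, so they scale with weights.
BAND_FRACTIONS = [(0.7, "Critical"), (0.4, "High"), (0.15, "Medium")]
BAND_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


@dataclass
class Incident:
    ref: str
    summary: str
    output_impact: int  # 0 none .. 3 core operations stopped
    data_at_risk: int   # 0 none .. 3 sensitive/regulated data confirmed exposed
    integrity: int      # 0 untouched .. 3 systems or data can no longer be trusted
    category: str = "Uncategorised"
    score: int = 0
    band: str = "Low"


def categorise(summary: str) -> str:
    """Return the first category whose pattern matches the alert text."""
    for name, pattern in CATEGORY_RULES:
        if re.search(pattern, summary, re.IGNORECASE):
            return name
    return "Uncategorised"


def score(inc: Incident, weights=DEFAULT_WEIGHTS) -> int:
    """Weighted sum of the three severity answers (each 0..3)."""
    for axis in (inc.output_impact, inc.data_at_risk, inc.integrity):
        if not 0 <= axis <= 3:
            raise ValueError(f"{inc.ref}: axis scores must be 0..3")
    return (weights["output"] * inc.output_impact
            + weights["data"] * inc.data_at_risk
            + weights["integrity"] * inc.integrity)


def band(inc: Incident, weights=DEFAULT_WEIGHTS) -> str:
    """Map the score to a band; any axis at its maximum is floored at High."""
    max_score = 3 * sum(weights.values())
    s = score(inc, weights)
    result = "Low"
    for fraction, name in BAND_FRACTIONS:
        if s >= fraction * max_score:
            result = name
            break
    # A single catastrophic axis must not be averaged away by low scores elsewhere.
    if max(inc.output_impact, inc.data_at_risk, inc.integrity) == 3 \
            and BAND_RANK[result] < BAND_RANK["High"]:
        result = "High"
    return result


def triage(incidents, weights=DEFAULT_WEIGHTS):
    """Categorise, score and band each incident, then return the ordered queue."""
    for inc in incidents:
        inc.category = categorise(inc.summary)
        inc.score = score(inc, weights)
        inc.band = band(inc, weights)
    return sorted(incidents, key=lambda i: (BAND_RANK[i.band], i.score), reverse=True)


# Constructed sample alerts with the three severity answers already filled in.
SAMPLE_ALERTS = [
    Incident("INC-1", "Helpdesk: finance user reports files renamed to .encrypted "
             "and a ransomware note on the desktop", 3, 2, 3),
    Incident("INC-2", "Mail gateway: 40 staff received phish linking to a "
             "credential harvest page", 0, 1, 0),
    Incident("INC-3", "Web edge: request rate 50x baseline, public site "
             "intermittently returning 503", 2, 0, 0),
    Incident("INC-4", "IdP: impossible travel login for admin account, MFA "
             "bypassed via unauthorised token", 1, 3, 2),
    Incident("INC-5", "Sales rep reports stolen laptop; disk was unencrypted and "
             "held an export of the customer database", 0, 3, 0),
]

if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(f"{inc.ref} {inc.band:8} score={inc.score:2} {inc.category:20} {inc.summary}")
```

The floor rule is the part worth copying: with these weights the stolen laptop (INC-5) scores only 6 of 21, which the bands alone would call Medium, but a confirmed exposure of customer data (data axis at 3) is not something a low business-output score should dilute, so it is raised to High. Tune the weights and thresholds to your own matrix rather than keeping the assumed values.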
Carrying out your cybersecurity incident response
So you’ve assembled your expert team, you have created your matrices and developed your incident response plan – but what do you do in the first moments after the security incident occurs? While your incident response plan will guide you through the process in detail, broadly speaking the cycle can be broken down into four key stages: analyse, contain, fix and recover.
Analyse
This is the part of the incident response process where you gather all the available information, take stock, and work out exactly what needs to be done: which systems, accounts and data are affected, how the attacker got in, and whether they still have access. Each incident response team member will have their own tasks, as outlined in the incident response plan, but these tasks must be prioritised mindfully so that you mitigate the incident effectively rather than chasing symptoms.
Contain
This stage may involve drastic action such as taking core systems offline to limit the damage. Your incident response plan should weigh the consequences of each action carefully: pulling a machine off the network may destroy volatile evidence, and a visible containment step can tip off an attacker who is still inside, prompting further actions or attacks. Where you can, capture what you need for later analysis (logs, memory, disk images) before you reset or rebuild anything.
Fix
Once the threat has been contained, you can press ahead with reducing the impact and getting everyone back on track. This might mean blocking activity, isolating certain systems and resetting a barrage of accounts; do the resets only once you know how the attacker got in and have closed that route, or they may simply harvest the new credentials the same way. This is also the stage at which to think about PR and social media statements to maintain transparency with customers, clients and stakeholders.
Recover
This is when you can usually return to ‘business as usual’ – albeit with extreme caution. Clean systems and data are put back online, monitoring is tightened to catch any sign of the attacker returning, and any final loose ends relating to regulation, legal issues or PR are tied up.
No matter what stage you are at in your response, all tasks and findings should be rigorously tracked by your incident response team, with priorities shifted around as needed.
Who is responsible?
Getting a solid incident response plan in place requires pulling together a multi-disciplinary team from across your organisation, and choosing that team well is the most important decision of all. Each member must bring a skill set that aligns with their clearly-defined duties and goals. Working together, the team can help negate threats: not just by managing a security incident when it reaches crisis point, but through effective day-to-day administration, record-keeping and maintenance. As with most things in life, prevention is better than cure.
But who should you have on your team? A great incident response team will vary from organisation to organisation, but it could look something like this:
- An incident response manager, usually the head of IT, who oversees the entire process from start to finish and communicates with the rest of the organisation.
- Security analysts who support the manager in establishing the key details of an incident.
- Threat researchers who gather intelligence about the nature of the threat and share it within the team.
- The Chief Information Officer (CIO) as executive sponsor, who leads the group and represents its interests at board level.
- External consultants to advise as needed.
- Human resources to support when employees are involved in an incident.
- Audit and risk management specialists to champion best practice and spot any potential chinks in your IT armour.
- Legal representatives to act in your organisation’s best interests if the security incident becomes a legal matter.
- A PR representative to make sure information circulated about the security incident is accurate and consistent.
The AirIT service is designed to have you covered from every angle. Beyond consultancy, we can also plan, implement and manage your cyber security incident response strategy. But first, we can help you promote best practice in cybersecurity throughout your organisation.