Question

Define the key steps involved in Cyber Attack Incident Response?

Answer 1

1.  Assemble your team – It’s critical to have the right people with the right skills, along with associated tribal knowledge. Appoint a team leader who will have overall responsibility for responding to the incident. This person should have a direct line of communication with management so that important decisions—such as taking key systems offline if necessary—can be made quickly.

2. Detect and ascertain the source. The IR team you’ve assembled should first work to identify the cause of the breach, and then ensure that it’s contained.

Security teams will become aware that an incident is occurring or has occurred from a very wide variety of indicators, including:

• Users, system administrators, network administrators, security staff, and others from within your organization reporting signs of a security incident
• SIEMs or other security products generating alerts based on analysis of log data
• File integrity checking software, using hashing algorithms to detect when important files have been altered
• Anti-malware programs
• Logs (including audit-related data), which should be systematically reviewed to look at anomalous and suspicious activity with:
  • Users
  • External storage
  • Real-time memory
  • Network devices
  • Operating systems
  • Cloud services
  • Applications

3. Contain and recover – A security incident is analogous to a forest fire. Once you’ve detected an incident and its source, you need to contain the damage. This may involve disabling network access for computers known to be infected by viruses or other malware (so they can be quarantined) and installing security patches to resolve malware issues or network vulnerabilities. You may also need to reset passwords for users with accounts that were breached, or block accounts of insiders that may have caused the incident. Additionally, your team should back up all affected systems to preserve their current state for later forensics.

4. Assess the damage and severity – Until the smoke clears it can be difficult to grasp the severity of an incident and the extent of damage it has caused. For example, did it result from an external attack on servers that could shut down critical business components such as an e-commerce or reservation systems? Or, for example, did a web application layer intrusion perform a SQL Injection attack to execute malicious SQL statements on a web application’s database or potentially use a web server as a pathway to steal data from or control critical backend systems? If critical systems are involved, escalate the incident and activate your CSIRT or response team immediately.

5. Begin the notification process – A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized person. Privacy laws such as GDPR and California’s CCPA require public notification in the event of such a data breach. Notify affected parties so they can protect themselves from identity theft or other fallout from the disclosure of confidential personal or financial data. See Exabeam’s blog on how to create a breach notification letter in advance of a security incident.

6. Start now to prevent the same type of incident in the future – Once a security incident has been stabilized, examine lessons learned to prevent recurrences of similar incidents. This might include patching server vulnerabilities, training employees on how to avoid phishing scams, or rolling out technologies to better monitor insider threats. Fixing security flaws or vulnerabilities found during your post-incident activities is a given.