The Best & Worst Practices of Incident Response

March 1, 2018 by

Mahwish Khan

Introduction

Incident response is often an impromptu security area — organizations don't think about it until an incident occurs. Your response to an incident will be the deciding factor as to whether or not your network will continue to operate as a part of your business. As I am sure you are aware, security breaches never occur when a company is ready for them; they happen at the most inopportune times. To make sure that your company is prepared when a security breach does happen, here are some dos and don'ts of incident response.

Five Things You Need to Do When Responding to a Security Incident

1. Discreet Communication

When handling an incident, communication is important; however, it needs to be done discreetly. It is important to remember the attacker might still have access to your systems. Therefore, you should avoid communicating over:

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Get Started

• Instant messenger
• Email
• Speaker phones

Where possible, all communication should take place face to face.

2. Reset Credentials

Make sure that all passwords that have been compromised during the incident are reset. Remember that it is most likely that an attacker will strike more than once.

3. Coordinate System Shutdown

If a compromised server is not shut down, it alerts the attacker that something is taking place within the environment they are attempting to infiltrate. This will lead them to install another set of tools and malware which then creates additional problems.

4. Stay Calm

It is important that you remain calm during incident response so you can follow protocol, and handle it effectively.

5. Report the Attack

This should be common sense, but many cyberattacks go unreported. Regardless of whether your organization has their own incident response team or not, it is essential that law enforcement is contacted so that they can attempt to catch the perpetrator.

Five Things You Need to Avoid When Responding to a Security Incident

1. Communicating Too Quickly or Too Slowly

If the security incident has an effect on your customers or partners, it's essential to have a full understanding about the breach. This will help you come up with an effective strategy. Understandably, upper management wants to put their partners and customers at ease. However, putting out a message and then having to retract it with conflicting information won't look good and will cause additional worry.

Companies are often so overwhelmed after a breach has taken place that they fail to communicate effectively with relevant stakeholders. When communication is too slow, you are in danger of losing stakeholder trust in your ability to handle security incidents in a timely manner.

The same threats are also present when information is provided too quickly. If a company communicates too early, they run the risk of providing inaccurate, inconsistent or incomplete information, which can cause confusion and lead people to lose trust in the company.

2. Not Apologizing

There is no such thing as a company that is completely safe from security breaches. Although companies and customers are aware that cyber attacks are always going to be an issue, companies are still not customer focused enough when it comes to making a formal apology to their customers for putting them at risk. A data breach is unexpected, worrisome and traumatic for customers, and not acknowledging this and avoiding an apology can have terrible consequences.

3. Failure to Have a Breach Response Plan

A breach response plan is a strategy to limit the risk of unauthorized access to systems and data. A properly outlined breach response plan plays a critical role in reducing the negative impact that a security breach can have. It also enhances the organization's ability to navigate through a crisis with relative ease.

4. Not Getting Timely Legal Advice

There are severe legal implications associated with data breaches — you want to avoid these as much as possible. It is critical that you get the right legal advice early so that you can quickly recover from a security incident. What you don't want is to have to deal with a class action lawsuit because of a data breach.

5. Making the Same Mistakes Twice

Even the most sophisticated companies will have to deal with a data breach. However, one of the most important aspects of dealing with a data breach is learning from your mistakes. The incident handling process consists of six phases:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Review (lessons learned)

It is recommended that after a major security incident has taken place, an organization should hold a meeting to discuss the lessons learned. During the meeting, you will need to identify your mistakes and evaluate them. Take inventory of what exactly happened and analyze how your team has dealt with reducing the impact of a data breach. The lessons learned phase should be the most important part of your post-breach activities. By implementing this strategy, not only will you improve the performance of your team and create benchmarks for potential future breaches, but you will also provide helpful reference and training materials.

It is important to mention that during the lessons learned phase you will uncover a number of issues that need improving or changing. You might also find there are some things you will need to get rid of entirely and others that you need to implement in order to improve your level of security.

Whatever you gain from your evaluation, make sure they are taken seriously and that you hire help from capable experts to assist in better protecting your business against data breaches.

Learn Incident Response

Get hands-on experience with incident response tools and techniques as you progress through nine courses.

Get Started

Conclusion

It is virtually inevitable that your organization will become a victim of some type of security breach. As companies and businesses are enhancing their levels of security, cybercriminals continue to find ways to manipulate the system. The most important thing is that you take the necessary precautions to protect yourself against a security breach and that you are fully prepared for a breach when it happens. After the breach, make sure that you conduct a lesson learned meeting and that you implement any new ideas, suggestions and recommendations to protect your company against future attacks.

Sources

• Security Think Tank: The dos and don'ts of a good incident response plan, Computer Weekly
• Responding to a Cybersecurity Incident – Dos and Don'ts, Flagship Solutions Group
• Office of Information Security, Penn State