19. Basic Incident Response: What to Do When You're Breached

Many organisations suffer security breaches, and while preventing them entirely is a worthy goal, it is essential to have a plan for when one does occur. This lesson is a guide to building a basic but comprehensive incident response plan. Every incident is unique and may call for tailored handling, but a generic, rehearsed process is what makes a response efficient and repeatable under pressure.

The Incident Response Lifecycle

The incident response process can be broken down into six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. These phases form a cycle known as the incident response lifecycle: what is learned at the end of one incident feeds back into preparation for the next.

1. Preparation – Developing a Plan

This phase sets up a formal incident response plan that states how security incidents are detected, reported and handled. It covers writing and implementing security policies and procedures, identifying likely threats, and establishing a trained incident response team with clear roles and contact details. Preparation also includes investing in adequate tooling and security measures (logging, forensic collection, tested backups) and setting up a secure, out-of-band communication channel for use during an incident, since an attacker who has access to the corporate mail or chat system would otherwise be able to read the response as it happens.

2. Identification – Recognising the Incident

This phase is about recognising abnormal behaviour that indicates a security incident. It relies on intrusion detection systems, regular review of user and system activity logs, and monitoring of security advisories and alerts. Not every alert is an incident: the phase ends when the incident response team has confirmed that a breach occurred, recorded what is known so far (affected systems, accounts, time of first evidence) and escalated it according to the incident response plan.
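
As an added example (not code from the lesson), the following Python script applies the "review user and system activity logs" step to sshd-style auth log lines. It flags a source address that fails authentication repeatedly and then succeeds, which is the pattern worth confirming and escalating, and returns the record a handler would escalate with: affected host, source, account, accounts tried and the timestamps. The log lines, host names, addresses, threshold and time window are all assumptions constructed for the example.

```python
"""Identification: spot a password-guessing burst that ends in a successful
login, using sshd-style auth log lines.

Added example for this lesson; the log lines below are constructed and the
threshold/window values are assumptions to tune per environment."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (syslog/sshd format). Not real data.
SAMPLE_LOG = """\
Mar 14 02:11:03 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 14 02:11:05 web01 sshd[4121]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar 14 02:11:07 web01 sshd[4122]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 14 02:11:09 web01 sshd[4123]: Failed password for invalid user oracle from 203.0.113.45 port 51025 ssh2
Mar 14 02:11:11 web01 sshd[4124]: Failed password for deploy from 203.0.113.45 port 51026 ssh2
Mar 14 02:11:14 web01 sshd[4125]: Accepted password for deploy from 203.0.113.45 port 51027 ssh2
Mar 14 02:15:40 web01 sshd[4130]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2
Mar 14 02:16:02 web01 sshd[4131]: Failed password for bob from 198.51.100.9 port 40011 ssh2
Mar 14 02:16:20 web01 sshd[4132]: Accepted password for bob from 198.51.100.9 port 40012 ssh2
Mar 14 02:16:21 web01 sshd[4132]: pam_unix(sshd:session): session opened for user bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5    # assumption: failures from one source before we care
WINDOW_SECONDS = 120  # assumption: how recent those failures must be


def parse(text):
    """Turn raw log text into auth events; lines that are not
    Accepted/Failed results (e.g. pam session lines) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            # syslog timestamps carry no year; relative ordering is all we need
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "host": m["host"],
            "success": m["result"] == "Accepted",
            "method": m["method"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce_success(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per source that logged in successfully after at
    least `threshold` failures within `window` seconds. A burst of
    failures alone is noise; a success after the burst is the event the
    team confirms and escalates."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent failures
    tried = defaultdict(set)       # src -> account names attempted
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        recent = [t for t in failures[src] if (ev["ts"] - t).total_seconds() <= window]
        failures[src] = recent
        if not ev["success"]:
            recent.append(ev["ts"])
            tried[src].add(ev["user"])
            continue
        if len(recent) >= threshold:
            alerts.append({
                "host": ev["host"],
                "src": src,
                "account": ev["user"],
                "method": ev["method"],
                "failures_before_success": len(recent),
                "accounts_tried": sorted(tried[src]),
                "first_failure": recent[0].strftime("%b %d %H:%M:%S"),
                "success_at": ev["ts"].strftime("%b %d %H:%M:%S"),
            })
            failures[src] = []   # reset so one burst raises one alert
            tried[src] = set()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises a single alert for 203.0.113.45 (five failures across four account names, then a password login as "deploy"), while bob's one typo followed by a successful login and alice's key-based login are ignored. The alert record already contains what the plan needs at escalation: the host, the source, the account that was actually compromised, and the time of first evidence.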

3. Containment – Limiting the Impact

Fast containment limits damage and resource loss. Options include blocking network access for affected systems, isolating compromised network segments, and disabling compromised accounts. Whether to keep a compromised system running or disconnect it immediately depends on the specifics of the incident and on the risk and impact assessment. Two practical caveats: powering a machine off destroys volatile evidence (running processes, network connections, memory-resident malware), so capture it before shutdown if forensics will be needed, and an attacker who notices containment may speed up or move elsewhere, so known footholds should be contained together rather than one at a time.

4. Eradication – Removing the Threat

With the incident contained, the focus shifts to finding and removing the root cause of the breach. This can mean removing malware, resetting compromised credentials (and any others the attacker could have captured), and patching the vulnerability that was exploited. The aim is to fix the weakness that let the breach happen as well as its effects; if the root cause is not found, restored systems will simply be compromised again the same way.

5. Recovery – Restoring Systems Integrity

The recovery phase restores affected systems and devices to normal operation, typically from known-good backups or clean rebuilds, with verification before they are reconnected. It is crucial to monitor systems closely during this period for any sign that the attacker has returned. The duration of this phase varies with the systems involved and the severity of the breach.

6. Lessons Learned – Post-Incident Review

A post-incident review lets the team document what happened, why, how it was contained, and what will prevent similar incidents in the future. It is essential for continuous improvement and feeds directly back into the Preparation phase for the next incident.

Key Incident Response Best Practices

Developing an incident response plan is only half the battle. Ensuring your incident response personnel adhere to established practices can significantly improve the effectiveness of your response. Here are some critical best practices to consider:

  • Conduct Regular Training and Simulations: An effective incident response team does not form overnight. Training, simulations, and routine security drills help prepare your team for real-life situations.
  • Communicate Effectively: Good communication ensures that your team and stakeholders understand the what, why, and how of an incident. Effective communication includes succinct messaging, adhering to communication protocols, and maintaining a steady flow of updates.
  • Always Be Ready For Legal Implications: Any breach can carry legal consequences, from regulatory notification duties to litigation or law enforcement involvement. Record every action taken, by whom and when, and preserve collected evidence so that the record can stand up to legal scrutiny.
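
The documentation point above, and the post-incident review, can be backed by a tamper-evident record of handler actions. The following Python class is an added example, not something the lesson prescribes: each entry is hash-chained to the one before it, so altering or deleting an entry after the fact is detected when the chain is verified. The incident identifier, handler names, actions and evidence are constructed, and the field names are this example's own choice.

```python
"""A tamper-evident incident action log: each entry is hash-chained to the
one before it, so altering or deleting an entry after the fact is detected
when the chain is verified.

Added example for this lesson; incident id, handlers, actions and evidence
are constructed, and the field names are this example's own choice."""
import hashlib
import json


class ActionLog:
    GENESIS = "0" * 64   # prev-hash of the first entry

    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    @staticmethod
    def _digest(fields):
        # Canonical JSON (sorted keys, no whitespace) so equal content
        # always hashes the same way regardless of dict ordering.
        payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()

    def record(self, when, handler, phase, action, evidence=None):
        """Append an action. `when` is an ISO-8601 UTC timestamp supplied by
        the caller so entries are reproducible; evidence is a dict of
        identifiers/hashes for anything collected."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "time": when,
            "handler": handler,
            "phase": phase,
            "action": action,
            "evidence": evidence or {},
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Walk the chain; return (True, None) if intact, else
        (False, index) of the first entry that does not check out."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or entry["prev"] != prev
                    or self._digest(body) != entry["hash"]):
                return False, i
            prev = entry["hash"]
        return True, None


def sha256_of(data):
    """Hash a collected artefact so the log commits to its contents."""
    return hashlib.sha256(data).hexdigest()


def build_sample_log():
    """Constructed sequence of handler actions for a hypothetical incident."""
    log = ActionLog("IR-2024-0042")  # assumed identifier
    mem_image = b"constructed stand-in for a memory image of web01"
    log.record("2024-03-14T02:20:00Z", "alice", "Identification",
               "Confirmed password-guessing login to 'deploy' on web01 from 203.0.113.45")
    log.record("2024-03-14T02:31:00Z", "alice", "Containment",
               "Captured volatile memory of web01 before isolation",
               evidence={"file": "web01-mem.raw", "sha256": sha256_of(mem_image)})
    log.record("2024-03-14T02:34:00Z", "bob", "Containment",
               "Moved web01 to quarantine VLAN; all egress blocked")
    log.record("2024-03-14T03:05:00Z", "bob", "Eradication",
               "Reset credentials for 'deploy'; removed unauthorised authorized_keys entry")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    log.entries[2]["action"] = "Left web01 connected"   # simulate after-the-fact edit
    print("after tampering:", log.verify())
```

Editing or removing an entry in the middle breaks every hash that follows it, so the first bad index points at where the record was changed. One limit to be aware of: the chain alone cannot detect removal of the most recent entries, so the latest hash should be periodically copied somewhere the handler cannot silently rewrite (a second custodian, a ticketing system, or a signed notification), which is also the value a legal inquiry would want to see.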

The SANS Incident Handler's Handbook presents an in-depth guide to incident handling, and the UK National Cyber Security Centre offers a practical guide on how to manage incidents.

In conclusion, failing to prevent a cybersecurity breach is not in itself a failure; being unprepared to respond to and mitigate one is. As cybersecurity professionals, we should be guided by the maxim that it is not a question of if but when a breach will occur.
