Knowing what to do when an incident occurs and which plans to put in place.
No organisation can claim to be 100% breach-proof. The size of the average attack surface and determination of today’s threat actors means that it is a case of “when” not “if” the perimeter is breached: but that doesn’t mean it’s game over for the victim.
By planning and rigorously testing incident response processes, it’s possible to detect and contain an attack before it has time to cause any lasting financial or reputational damage. The trick is knowing what to do when danger strikes.
Call in the Experts
When critical systems fail and security alarms sound, the first step is to disconnect the network connection as quickly as possible – to prevent the attack from spreading further. If this can’t be done digitally, systems should be physically disconnected by unplugging cables.
However, shutting down servers is not recommended, as this may result in the loss of important data needed by forensic experts later on.
Now is the time to call in a professional Incident Response (IR) team to investigate and contain, monitor the network, and securely restore systems. Often, the best option is to reach out to a third-party expert rather than try to manage this all in-house.
For those impacted, this can be an extremely stressful situation. When the very existence of the company may be at stake, it’s vital to keep a cool head. In high stress situations, important things that are usually taken for granted may be forgotten. Even that emergency IR plan in the drawer rarely works as expected in practice.
Keep Calm and Carry On
Professional IR teams have experience with cyber incidents and know exactly what to do: a coordinated approach is crucial at this point. IR only works when someone takes the lead, remains calm and provides clear instructions. A third-party expert who is not personally impacted by events is best suited to this.
Also ensure there is enough personnel to handle what could be a sizeable workload. An IR situation often requires a 24/7 security operation over several days, which can only be achieved through shift work.
Specialised expertise across various disciplines is also required. Besides pure IT forensics, there could be a requirement for negotiating with the cyber-criminals. Although it is often recommended not to pay a ransom, communication with extortionists – even if payment is clearly ruled out – can be important to buy time or potentially gain more information about the breach.
Finding the right IR team
Sourcing the right IR partner is vital. Don’t waste valuable time by waiting until a breach to call as IR specialists are in high demand, and they also suffer from skills shortages. So it’s vital to get a contract written up and signed in advance to guarantee assistance will be provided in case of an emergency.
Organisations should arrange an IR retainer with their chosen service provider, covering a fixed number of days, and establish binding response times through Service Level Agreements (SLAs). It’s also advisable to maintain contacts with two or three other IR providers that can be called in case the contracted partner unexpectedly becomes unavailable.
Start from the data
Professional incident responders determine what exactly happened, when it happened, and how it happened. To quickly contain a cyber incident, they need to analyse which systems are affected. The right data is crucial for this:Windows Event Logs alone are not sufficient, as they can be unreliable. Cyber-criminals often manipulate such files to remain unnoticed.
Telemetry data from security systems, monitoring activities on endpoints and in the network, is essential for the IR team. This data should be converged and correlated in a centralised XDR or SIEM platform. The more meaningful the data, the quicker and more targeted the containment of the cyber incident.
Identifying the "Patient Zero" and retracing the attackers’ path allows companies to learn from mistakes made and address any vulnerabilities to build resilience for the future. Even after IT systems are restored, it is important to monitor the IT environment 24/7 in case the attacker is still hiding and moving laterally through the network.
Prepare the entire company
To escape a serious cyber incident unscathed, careful preparation is crucial. A detailed emergency plan is an essential part of any cyber defence strategy. This plan should not only include the emergency number of the IR service provider and instructions for the IT department, but involve all stakeholders in the company. IR is not purely an IT matter.
Who reports a cyber incident to the relevant supervisory authority? Who informs affected customers and business partners? Who handles crisis communication? All these tasks need to be coordinated following a breach.
Include the legal, PR and marketing departments, the organisation’s data protection officer, and senior management in any IR planning. An emergency plan establishes clear responsibilities and defines procedures. It means everyone knows immediately what tasks to take on in a worst-case scenario. Business Continuity plans can also be helpful.
Review, update and test
Many companies already have an emergency IR plan in place, but it may fall short. For example, how does one determine which backup system is not compromised? How long would it take to restore the offline backup stored on tapes in the cabinet? Is it even cost-effective?
Companies should consider various scenarios in their IR plan and define alternative actions: “If A does not apply, we do B”. This also includes setting up a channel outside the company's IT environment for communication, in case the email system fails or attackers intercept messages. A secure messenger service like Signal is recommended.
Companies should make their IR plan readily available at all times and preferably store it offline so that it cannot be encrypted in a cyber-attack. It should also include a network plan providing an overview of the IT environment. This plan should be updated at regular intervals. This way, there is at least a rough plan in case digital asset management is not available during a cyber incident.
Emergency planning is not something written once and then stored in a drawer. It must be regularly reviewed and adjusted if requirements change. To test whether it works in practice, red teaming or purple teaming exercises can be useful to simulate live attacks.
Meeting compliance requirements
Effective IR planning strengthens a company's resilience to survive a cyber attack with minimal impact on business-as-usual. It is no coincidence that the NIS2 directive mandates such measures for critical infrastructure providers and other entities. Article 21, paragraph 2 defines Incident Handling, Backup Management, Disaster Recovery, and Crisis Management as minimum standards.
However, even companies not falling under the NIS2 directive need to think carefully about how to spring into action if they are breached.
Written by
Lewis Duke
SecOps and Threat Intelligence Lead
Trend Micro