I recently wrote about how to spot the signs of a cybersecurity incident. But it’s one thing to spot the signs of a data breach, and it’s another thing to know what to do when you have a cybersecurity incident.
As critical as it is to have an incident response plan in place, that’s not enough to protect your organization. Many organizations have failed to take the right actions, even when they had processes in place. There are multiple moving parts in a data breach scenario, and that means you have ample potential points of failure.
The better prepared you are for an incident, the more likely you’ll be to mitigate disaster. If you see warning signs of a cybersecurity incident on your network environment, follow these best practices right away.
What to Do Before a Cybersecurity Incident
If you don’t already have an organization to assist in the event that you discover a red flag — get one, now. Just as you want to have a legal team before you need one, you need a digital forensics organization before you experience a cybersecurity incident. This is a team you need to have on speed dial, who’s ready to step into action at a moment’s notice.
Vet your forensics team ahead of time and make sure you find someone you’re comfortable with. You need someone you trust implicitly, who understands you and your needs — a firm that will immediately reduce your anxiety the moment they pick up the phone.
The more this digital forensics team knows you and understands your organization before an incident, the quicker and more effectively they’ll be able to snap into action when you have a potential incident.
They should know what your business does, what your network environment is like, all the locations where you’re operating, and what kinds of data you need to protect. That way, they aren’t trying to figure everything out when you’re in the midst of the sh*t.
This is where the true power of a structured, organized compliance management system (such as TCT Portal) shines. If you’ve already invested in such a system, your organization already possesses a rock solid repository of critical information.
This would normally include your network diagram, data flow diagram, firewall rules, asset inventory and many other elements of security and compliance documentation. Having that ready cuts through the noise and gives the experts you call on pointed, useful information in your time of need.
What to Do During a Security Incident
When an incident occurs, it’s easy to completely forget the carefully developed incident response plan you train with at least annually. When sh*t hits the fan, people tend to fly by the seat of their pants, making decisions in the moment. And that leaves plenty of room for bad choices.
Don’t shut anything down…yet
The biggest mistake I see most often is shutting down the affected machine right away. A system admin is doing regular maintenance and they see unauthorized activity on the server. They panic and immediately shut off the machine to stop the spread of damage.
While that may thwart the attacker, shutting things down can destroy much of the forensic evidence on the device. The forensic investigators need that information to understand what happened and how the attackers moved through your environment. In many cases, the information they need most was in the memory of the device that was just shut down — but now it’s been wiped clean.
Speed is essential. Get your forensics team’s boots on the ground ASAP. You don’t want to be sitting around for a week before the investigation can begin while forensics is gathering basic information about your environment.
In many cases, there’s a limited time span for the logs to stay locally resident on the device. Moving fast lets you access the critical events in memory before they’re expunged.
Listen to your forensics team
Follow the advice of your digital forensics team. Usually, the forensics organization will advise you to disconnect that particular device from other devices, so that the compromised machine can no longer reach the rest of your network. But don’t turn it off.
That said, your forensics team knows best what you should do in each particular situation — heed their advice closely.
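As an added example that is not part of the original post or TCT's own tooling, here is a small POSIX shell triage helper that does exactly what this section asks for on a Linux host: it captures the volatile state that disappears on shutdown (logged-in users, processes, sockets, routes, loaded modules, current firewall rules), hashes the capture for the forensics team, and only then cuts the machine off from the network while leaving it powered on. The /tmp/triage default path, the collector address you pass to isolate_host, and the hostname-based directory naming are assumptions; ps, ss, ip, iptables and sha256sum are standard Linux utilities, and any that are missing are recorded as missing rather than aborting the capture.

```shell
#!/bin/sh
# Added example, not from the original post: preserve volatile evidence first,
# isolate the network second, never power the machine off.
# Assumes a Linux host with coreutils; ss, ip and iptables are optional and are
# recorded as missing instead of failing the collection.

# run_capture DIR NAME CMD [ARGS...]: store CMD's output as DIR/NAME.txt, or
# leave a NAME.MISSING marker if the tool isn't installed. Always returns 0 so
# one absent or failing tool doesn't stop the rest of the capture.
run_capture() {
    dir="$1"; name="$2"; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$dir/$name.txt" 2>&1 || true
    else
        echo "tool not available: $1" > "$dir/$name.MISSING"
    fi
    return 0
}

# collect_volatile [DEST]: snapshot the most transient state first (order of
# volatility), write it into a timestamped directory under DEST (default
# /tmp/triage is an assumed path; in practice point it at removable media or
# the forensics collector), hash everything, and print the directory path.
collect_volatile() {
    dest="${1:-/tmp/triage}"
    host="$(hostname 2>/dev/null || echo unknown-host)"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    out="$dest/$host-$stamp"
    mkdir -p "$out" || return 1

    run_capture "$out" date        date -u
    run_capture "$out" uptime      uptime
    run_capture "$out" logins      who
    run_capture "$out" processes   ps -eo pid,ppid,user,lstart,args
    run_capture "$out" sockets     ss -tunap
    run_capture "$out" interfaces  ip addr
    run_capture "$out" routes      ip route
    run_capture "$out" arp         ip neigh
    run_capture "$out" mounts      cat /proc/mounts
    run_capture "$out" modules     cat /proc/modules
    run_capture "$out" firewall    iptables-save

    # Integrity record so the forensics team can show nothing changed in transit.
    ( cd "$out" && sha256sum ./* > SHA256SUMS.txt ) 2>/dev/null || true
    echo "$out"
}

# isolate_host COLLECTOR_IP: keep the box running (memory and local logs
# survive) but let it talk only to the forensics collector, an address you
# supply. Requires root and iptables; refuses to run otherwise.
isolate_host() {
    collector="$1"
    [ -n "$collector" ] || { echo "usage: isolate_host COLLECTOR_IP" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "isolate_host needs root" >&2; return 1; }
    command -v iptables >/dev/null 2>&1 || { echo "iptables not found" >&2; return 1; }
    # Collector traffic is accepted first; everything else is dropped right
    # after it, ahead of any existing ACCEPT rules. No forwarding for others.
    iptables -I INPUT  1 -s "$collector" -j ACCEPT
    iptables -I OUTPUT 1 -d "$collector" -j ACCEPT
    iptables -I INPUT  2 -j DROP
    iptables -I OUTPUT 2 -j DROP
    iptables -P FORWARD DROP
}
```

Typical order on a suspect machine is `dir=$(collect_volatile /mnt/evidence)` followed by `isolate_host 10.0.0.5` (both values assumed). Run the capture first: if the destination is a network share that is not the collector, isolation would cut it off mid-write. The capture itself changes the system slightly (it writes files and spawns processes), which is why each step is written to its own file and hashed, so the forensics team can account for your actions.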
Develop a Culture of Incident Response
The most important key to a successful incident response is to embed it into the fabric of your organization. Every employee needs to know what to do if they see a red flag, so communication and training are critical.
Follow these best practices to develop a healthy culture of incident response.
Document your incident response process
Retain updated incident response documentation. This should include critical vendors such as your forensics provider and your legal team. Make the documentation easy to access, and make sure everyone knows where it’s located.
Train your employees
Provide periodic training throughout the year. Make this mandatory for everyone in your organization who will need to be involved in incident response. Use low and mid-range incidents throughout the year as testing grounds for exercising your incident response. Use lessons learned from these exercises to enhance your incident response plan.
Some companies operate under the belief that they should never have an incident. The fact is, incidents happen all the time — and your Assessor will cast a suspicious eye if you aren’t declaring any incidents. Get your team used to handling minor incidents, so they can hit the ground running if a major one occurs.
Communicate organizational changes periodically
As there are relevant changes and modifications within your organization, update everyone who needs to be in the know — including your digital forensics team. I recommend doing a quarterly update to your forensics and legal teams.
Foster a culture of incident response
Most importantly, encourage your employees to report anything they think could be an incident. Offer rewards for reporting incidents. If you see something, say something. We naturally want to believe the little odd glitch is easily explained, so we shrug our shoulders and move on with our day. But if you err on the side of caution, you could be the one to save your organization from a multi-million dollar disaster.
Successful Incident Response
On average, organizations don’t realize they’ve been breached for more than six months — often because they glossed over tiny warning signs that something was going on in the system, or lacked detection mechanisms altogether. But if your company takes incident reporting seriously, you can be the exception to the rule.
Prepare ahead of time, know what to do when an incident occurs, and build it into the culture of your company.
Get more articles to help you protect your company — subscribe to the blog.