Responding to a cybersecurity incident

Have you ever wondered what a full-scale cyberattack response looks like from the inside? We often see the aftermath of an attack from the outside. We see the media storm, the apologies, and the reparations. But unless you’ve experienced a cyberattack, you might not have had a chance to see what happens behind the scenes.

Every cybersecurity incident is different. So every incident needs a different response. However, responses do have some commonalities, and go through some or all of the phases outlined below. To respond well, every organisation needs to be able to access well-trained staff and an adaptable incident response plan.

Phase 1: Detection

Before an organisation can respond to an incident, it must be aware that the incident is occurring. It might seem obvious, but many cyberattacks go undetected for long periods, and many are never reported. Common ways that cybersecurity incidents are detected include: a staff member reports an email that asks for credentials or other sensitive information; users find themselves locked out of their accounts; a website breaks or behaves oddly; logs show an unusual volume or pattern of activity (bursts of failed logins, sign-ins at odd hours, large outbound transfers); or intrusion detection, endpoint protection or application monitoring software flags suspicious activity on a host, in network traffic, or between applications.

A staff member, customer, or automated software:

  • Recognises suspicious activity on the system.
  • Issues an alert to the security response team.
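As an added example of the "logs show an unusual amount of activity" signal, the following script scans sshd-style authentication log lines for a burst of failed logins from one source address and for a successful login from an address that was already flagged. It is illustration code written for this page, not a PhishNet tool or part of any product; the log lines, IP addresses, usernames, threshold and window are all constructed.

```python
"""Added example: a minimal log-based detector for bursts of failed logins.
The sample log, addresses, users, threshold and window are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd-style auth log lines; not taken from a real system.
SAMPLE_LOG = """\
2024-03-04T09:00:01 sshd[1201]: Failed password for alice from 203.0.113.7 port 51122
2024-03-04T09:00:04 sshd[1203]: Failed password for alice from 203.0.113.7 port 51123
2024-03-04T09:00:08 sshd[1205]: Failed password for root from 203.0.113.7 port 51124
2024-03-04T09:00:11 sshd[1207]: Failed password for alice from 203.0.113.7 port 51125
2024-03-04T09:00:15 sshd[1209]: Failed password for admin from 203.0.113.7 port 51126
2024-03-04T09:00:19 sshd[1211]: Failed password for alice from 203.0.113.7 port 51127
2024-03-04T09:00:42 sshd[1213]: Accepted password for alice from 203.0.113.7 port 51128
2024-03-04T09:05:10 sshd[1300]: Failed password for bob from 198.51.100.23 port 40001
2024-03-04T09:05:20 sshd[1302]: Accepted password for bob from 198.51.100.23 port 40002
2024-03-04T09:10:00 sshd[1400]: Failed password for carol from 192.0.2.50 port 33000
2024-03-04T09:30:00 sshd[1402]: Failed password for carol from 192.0.2.50 port 33001
2024-03-04T09:50:00 sshd[1404]: Failed password for carol from 192.0.2.50 port 33002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_line(line):
    """Return (timestamp, outcome, user, ip), or None for lines the regex does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"])


def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Scan auth log lines and return a list of alert dicts.

    brute_force: `threshold` or more failed logins from one source IP inside a
    sliding time window (reported once per IP).
    success_after_failures: a successful login from an IP already flagged as
    brute_force, which is the case that most needs a human to look at it.
    """
    recent_failures = defaultdict(list)   # ip -> failure timestamps inside the window
    users_tried = defaultdict(set)        # ip -> usernames attempted so far
    flagged = set()                       # ips already reported as brute_force
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        if outcome == "Failed":
            bucket = recent_failures[ip]
            bucket.append(ts)
            users_tried[ip].add(user)
            # Drop failures that have fallen out of the sliding window.
            while bucket and ts - bucket[0] > window:
                bucket.pop(0)
            if len(bucket) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "brute_force", "ip": ip, "time": ts,
                               "failures": len(bucket),
                               "users": sorted(users_tried[ip])})
        elif ip in flagged:
            alerts.append({"kind": "success_after_failures", "ip": ip,
                           "time": ts, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, 203.0.113.7 produces a brute_force alert at its fifth failure and a success_after_failures alert when alice's login from that address succeeds; bob's single mistyped password and carol's three failures spread over forty minutes produce nothing, which is the point of the sliding window: a detector that fires on every failed login is ignored within a week.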

Phase 2: Assessment

The organisation needs to respond to the raised alert. To do this effectively, the security team requires more information. For a start: is there a legitimate threat or is it a false alarm?  What exactly is the threat? How bad is it? Has any damage been done, or is it an evolving situation? The security team spends some time gathering information, analyses its findings, and then comes up with an action plan. The security response team:

  • Looks at the alert to confirm that there is a threat.
  • Uses the incident response plan to decide exact actions and divide responsibilities to minimise the risk to essential parts of the system.
  • Collects and records information and evidence about the threat, including any data it can gather on the attackers or the attack vector, preserving originals (logs, disk and memory images) and noting who collected each item and when, so the evidence remains usable later.
  • Classifies the level of the threat facing the organisation.
  • Assesses if the threat has infiltrated the system and, if so, how far.

Phase 3: Reaction

Once the threat is assessed and the threat level classified, the security response team moves on to reacting to the threat. This phase is highly tailored to the specific threat. However, there are a few common threads. The security team needs to check that it has everything it needs to respond efficiently. It will try to minimise the chances of the threat spreading – both within the system and externally. Lastly, it will send updates to anyone who needs to stay apprised of the situation. This phase is usually fast-paced, like an emergency room response; the focus stays on fixing major issues as quickly as possible.

The security response team:

  • Contains the threat: isolates affected hosts and accounts, and segregates unaffected, critical parts of the system so the attacker cannot reach them and further damage is minimised.
  • Limits any opportunities the threat has to spread within the system or to other systems, for example by resetting compromised credentials, disabling affected accounts and blocking known attacker addresses.
  • Assesses the resources needed for responding to the threat, and if necessary, obtains any resources not currently available.
  • Triages the damage and applies quick fixes to keep essential services running, while avoiding actions that destroy evidence (for example, wiping or rebuilding a compromised host before it has been imaged).
  • Regularly communicates progress with management and any other stakeholders.
  • Organises an alert to anyone who has a right to be informed of the incident. For example, if an attacker has accessed customer data, affected customers and, in many jurisdictions, a regulator must be notified, often within a legally set deadline, so the legal and communications teams need to be involved early.
  • Continues to collect evidence where possible.

Phase 4: Clean-up

When the reaction phase is complete, the response is still ongoing. In this clean-up phase, the organisation needs to take a step back from its initial first-aid style response. The security team or outside contractors assess the full extent of the intrusion and any damage that occurred. The team removes the attacker's footholds (malware, backdoors, compromised credentials) and then repairs that damage, carefully and methodically, rebuilding from known-good sources any system whose integrity cannot be established. Where the organisation involves law enforcement, it hands over the evidence collected, with a record of who has handled it since collection. Where possible, it shores up any weak defences found. The clean-up phase can last a lot longer than the reaction phase. In complicated scenarios, this phase can take weeks or months.

The security response team:

  • Develops a recovery plan.
  • Runs a full assessment of the intrusion.
  • Removes the attacker's access and repairs any damage caused by the intrusion.
  • Fixes or minimises any security issues that made the attack possible.
  • Forwards any useful evidence to law enforcement, together with the hashes and custody records that show it is unaltered.
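The evidence collected during assessment and reaction and handed over during clean-up is only useful if it can be shown to be the same data that was collected. The following script, added here as an example and not part of the original page or any PhishNet product, builds a manifest of SHA-256 hashes and a custody log for a set of evidence files, then re-verifies them. The file names, case identifier, analyst name and file contents are constructed for the example; the `demo` function writes them into a temporary directory.

```python
"""Added example: build and verify a SHA-256 evidence manifest with a custody log.
File names, contents, the case id and the analyst name are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so that large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Record each file's absolute path, hash and size, plus an initial custody entry."""
    now = datetime.now(timezone.utc).isoformat()
    items = [{"path": os.path.abspath(p), "sha256": sha256_file(p),
              "size": os.path.getsize(p)} for p in paths]
    return {"case_id": case_id, "collected_at": now, "collected_by": collector,
            "items": items,
            "custody": [{"time": now, "actor": collector, "action": "collected"}]}


def add_custody(manifest, actor, action):
    """Append a hand-over entry; the custody list is append-only by convention."""
    manifest["custody"].append({"time": datetime.now(timezone.utc).isoformat(),
                                "actor": actor, "action": action})


def verify_manifest(manifest):
    """Re-hash every item and return {path: True/False}; a missing file is a failure."""
    results = {}
    for item in manifest["items"]:
        path = item["path"]
        try:
            results[path] = sha256_file(path) == item["sha256"]
        except FileNotFoundError:
            results[path] = False
    return results


def demo():
    """Collect two constructed evidence files, hand them over, tamper with one, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")
        cron = os.path.join(d, "suspicious.cron")
        with open(auth_log, "w") as f:  # constructed log line, not real data
            f.write("2024-03-04T09:00:42 sshd[1213]: Accepted password for alice "
                    "from 203.0.113.7 port 51128\n")
        with open(cron, "w") as f:      # constructed persistence artefact
            f.write("* * * * * /tmp/.x/update.sh\n")

        manifest = build_manifest([auth_log, cron], collector="ir-analyst-1",
                                  case_id="IR-2024-0001")
        add_custody(manifest, actor="ir-analyst-1", action="handed to legal")
        before = verify_manifest(manifest)

        # A well-meaning admin "cleans" the cron file after it was collected.
        with open(cron, "w") as f:
            f.write("\n")
        after = verify_manifest(manifest)

        return {"intact_before": all(before.values()),
                "auth_log_intact_after": after[os.path.abspath(auth_log)],
                "cron_intact_after": after[os.path.abspath(cron)],
                "custody_entries": len(manifest["custody"]),
                "manifest_json": json.dumps(manifest, indent=2)}


if __name__ == "__main__":
    print(demo()["manifest_json"])
```

In practice the manifest itself should be stored somewhere the people who can modify the evidence cannot reach, and the originals kept read-only; the hashes prove that a copy matches what was collected, not that the collection was done correctly, which is why the custody entries record who did what and when.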

Phase 5: Lessons learned

The fifth phase of a cybersecurity intrusion response offers a powerful tool for improving incident responses. No organisation has perfect cybersecurity, and every incident comes with an opportunity to learn. By the end of this phase, the security response team will be able to make recommendations for improvement. These may be small changes, such as updating parts of the incident response plan or making the resources easier to access. They might include larger changes, like updates to security systems or new cyber security awareness training for employees. Either way, the recommended changes should improve future security and future responses.

The security response team:

  • Puts together a report detailing the security incident, the response, and the effects.
  • Runs a blameless post-mortem, recording the timeline (when the attack began, when it was detected, when it was contained), what was done, and what could have been done better.
  • Documents any lessons learned.
  • Updates its incident response plan.

Improve your detection rate with cybersecurity awareness training

While automated detection systems depend on software updates to recognise new threats, your staff learn to spot cybersecurity incidents through effective, engaging cybersecurity awareness training. If you'd like to make your staff your most valuable first line of defence, talk to PhishNet today.