Cyber Security Incident Response Guide

Responding to a serious cybersecurity incident is hard. Attackers deliberately look for weaknesses their victims have not prepared for, and their techniques change constantly, so no checklist covers every case. Some principles, however, apply to every incident, and those are the focus here. What follows is a short, practical cybersecurity incident response guide.

The Three Phases

This guide is partially based on the Computer Security Incident Handling Guide (SP 800-61) published by the National Institute of Standards and Technology. NIST describes incident handling as a lifecycle, and the three phases that make up the response itself are:

  • Phase One: Detection And Analysis
  • Phase Two: Containment, Eradication, And Recovery
  • Phase Three: Post-Incident Activity

The goal of phase one is to find the threat and determine its nature and scope. The goal of phase two is to stop the threat and deal with its consequences. Phase three focuses on learning from the incident: documenting what happened, preserving the evidence so that law enforcement can pursue the perpetrators if you refer the case, and hardening the systems against a repeat. This basic framework is a good place to begin.

The Importance Of Preparation

NIST's own model, like most others, puts a fourth phase, preparation, ahead of the three above. We have kept it separate because it happens before the response rather than during it, but it is the phase everything else depends on. Attackers count on you being unprepared and unwary, so the time to get these things in order is now, not after the first alert.

Start with a log retention policy. Operating systems, applications, firewalls and identity services all produce logs that record most of what happens on a system. Many organizations keep those records for only a few days, or not at all. That is a serious problem, because a breach is often not detected until days, weeks or even months after it begins, and without logs that reach back to the initial compromise investigators cannot reconstruct how the attacker got in or what they touched. Decide how long each log source must be kept, ship the logs to a central store that an intruder on the originating host cannot simply erase, and check periodically that the coverage actually exists. A gap in an otherwise continuous log is itself a warning sign, since attackers routinely delete the entries that cover their activity.

Network monitoring matters just as much. Most intrusions involve network traffic at some stage (the initial connection, command-and-control, data leaving the building), and a monitoring setup of intrusion detection sensors, flow records and, where storage allows, full packet capture with a network monitor (also called a "packet sniffer") will normally record it. Even when the attack could not be prevented, the captured traffic tells you what was taken and where it went, so it must be retained with the same care as the logs. If you expect to involve law enforcement, also record who handled each capture and when (the chain of custody); evidence whose handling cannot be documented is of little use in a prosecution.
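As an added illustration of the retention check described above (this is not code from the original guide), the following Python script audits a constructed set of log timestamps against an assumed per-source retention policy. It reports two distinct failures: a source whose history is shorter than policy requires, and a source whose history is long enough but has days missing inside it. The source names, retention figures and sample events are all assumptions.

```python
"""Audit log retention against a policy and look for gaps in coverage.

Added example, not from the original article. The events are a constructed
stand-in for what a central log store's index would report per source; the
policy figures and source names are assumptions.
"""
from datetime import datetime, timedelta

# Assumed retention policy: days of history each source must keep.
RETENTION_DAYS = {"firewall": 90, "vpn": 90, "web": 30}

# Constructed sample: one timestamp per retained event, per source.
NOW = datetime(2024, 6, 30, 12, 0, 0)
SAMPLE_EVENTS = {
    "firewall": [NOW - timedelta(days=d) for d in range(0, 120)],
    # VPN logs only go back 14 days: shorter than the policy requires.
    "vpn": [NOW - timedelta(days=d) for d in range(0, 14)],
    # Web logs cover 40 days, but days 5..9 ago are missing entirely.
    "web": [NOW - timedelta(days=d) for d in range(0, 40) if not 5 <= d <= 9],
}


def coverage_days(events, now):
    """Days between the oldest retained event and now (0 if nothing retained)."""
    if not events:
        return 0
    return (now - min(events)).days


def missing_days(events, now):
    """Calendar days inside the retained window that have no events at all.

    A hole in an otherwise continuous log is worth investigating on its own:
    intruders routinely delete the entries that cover their activity.
    """
    if not events:
        return []
    have = {e.date() for e in events}
    oldest = min(events).date()
    span = (now.date() - oldest).days
    return [oldest + timedelta(days=i) for i in range(span + 1)
            if oldest + timedelta(days=i) not in have]


def audit(events_by_source, policy, now):
    """Return {source: {coverage, required, ok, gaps}} for every source in the policy."""
    report = {}
    for source, required in policy.items():
        events = events_by_source.get(source, [])
        cov = coverage_days(events, now)
        gaps = missing_days(events, now)
        report[source] = {
            "coverage": cov,
            "required": required,
            "ok": cov >= required and not gaps,
            "gaps": gaps,
        }
    return report


if __name__ == "__main__":
    for source, r in audit(SAMPLE_EVENTS, RETENTION_DAYS, NOW).items():
        status = "OK  " if r["ok"] else "FAIL"
        print(f"{status} {source:8s} {r['coverage']:3d}/{r['required']} days retained, "
              f"{len(r['gaps'])} missing day(s)")
```

Run against the sample, the firewall passes, the VPN source fails on length (13 of 90 days), and the web source fails despite 39 days of history because five days inside that window are empty. In a real deployment the event timestamps would be pulled from the log store's index rather than listed inline.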

Phase One: Detection And Analysis

This phase begins by looking for indicators of compromise: the artifacts and patterns of activity that an intrusion leaves behind. Attackers almost always leave traces, even when they try not to. Some examples:

  • Patches or updates that nobody authorized
  • Changes to device or account settings that can't be traced to anyone
  • Data that has moved, gone missing, or is leaving the network in unexplained volumes
  • Web traffic that looks automated rather than human
  • Unexplained slowdowns on the network or on individual devices
  • New or unknown applications, services or scheduled tasks
  • Many connections to or from unfamiliar, geographically distant addresses
  • Large numbers of failed login attempts, especially spread across many accounts
  • Phishing emails, even the obvious ones, since they show someone is targeting your staff

In some cases (ransomware, for instance) the attack announces itself. More often the signs are subtle, and you have to correlate what you see against known attack patterns and past breaches. A single match is not enough: one failed login is noise, but a burst of failures followed by a successful login from the same address is a pattern. Look for trends and combinations, not isolated events.
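To show what that correlation looks like in practice, here is an added Python example (not part of the original guide) that runs simple detection logic over a few constructed sshd-style log lines. It raises an alert for a burst of failed logins from one address inside a time window, a separate alert when a success follows such a burst, and an alert for any address on an assumed known-bad list; a lone failure, like a user mistyping a password, produces nothing. The log lines, the blocklist and the thresholds are all constructed for the example.

```python
"""Correlate sshd auth events per source address instead of reacting line by line.

Added example, not from the original article. The log lines are constructed
(the format follows OpenSSH's usual "Failed/Accepted password" messages), the
known-bad list is an assumption, and the thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog timestamps carry no year; 2024 is assumed).
SAMPLE_LOG = """\
Jun 30 10:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.77 port 50122 ssh2
Jun 30 10:00:03 bastion sshd[2101]: Failed password for root from 203.0.113.77 port 50123 ssh2
Jun 30 10:00:05 bastion sshd[2101]: Failed password for admin from 203.0.113.77 port 50124 ssh2
Jun 30 10:00:07 bastion sshd[2101]: Failed password for admin from 203.0.113.77 port 50125 ssh2
Jun 30 10:00:09 bastion sshd[2101]: Failed password for oracle from 203.0.113.77 port 50126 ssh2
Jun 30 10:00:12 bastion sshd[2101]: Accepted password for oracle from 203.0.113.77 port 50127 ssh2
Jun 30 10:05:00 bastion sshd[2130]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Jun 30 10:05:20 bastion sshd[2131]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
Jun 30 10:07:00 bastion sshd[2140]: Accepted publickey for bob from 192.0.2.9 port 40100 ssh2
"""

# Assumed indicator list: addresses from a threat-intel feed or a prior incident.
KNOWN_BAD_IPS = {"192.0.2.9"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text, year=2024):
    """Yield (timestamp, result, user, ip) for each line the regex recognises."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are skipped, not treated as errors
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect(log_text, threshold=5, window=timedelta(minutes=10), bad_ips=KNOWN_BAD_IPS):
    """Return a list of (ip, reason) alerts, at most one per pattern per source."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts, raised = [], set()

    def alert(kind, ip, reason):
        if (kind, ip) not in raised:
            raised.add((kind, ip))
            alerts.append((ip, reason))

    for ts, result, user, ip in parse(log_text):
        if ip in bad_ips:
            alert("ioc", ip, "known-bad address")
        # keep only failures inside the sliding window
        recent = [t for t in failures[ip] if ts - t <= window]
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold:
                alert("burst", ip, f"{len(recent)} failed logins within {window}")
        elif len(recent) >= threshold:
            # success right after a burst is the pattern that matters most
            alert("success", ip, f"successful login as {user} after {len(recent)} failures")
        failures[ip] = recent
    return alerts


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```

On the sample this yields three alerts: the burst from 203.0.113.77, the subsequent successful login as "oracle" from the same address, and the key-based login from the listed address 192.0.2.9. The single failure from 198.51.100.4 followed by a success is the normal typo case and stays quiet. The same structure works for VPN, web application or identity-provider logs once the regex and field names are adjusted.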

Phase Two: Containment, Eradication, And Recovery

Once the nature of the threat has been identified, the next step is to stop it spreading and then deal with its consequences. Two things have to happen in quick succession: contain the affected systems so the attacker cannot move any further, and find the weakness that let the attack in. Until that "hole in the fence" is closed, anything you clean up can simply be reinfected.

For instance, if your logs show a flood of connection requests from a suspicious address, you can add that address to a blocklist (an access control list) on your router or firewall, which cuts off traffic between you and the suspect network. Two caveats apply. Check the address before you block it, because blocking your own VPN egress, a partner's range or an internal network causes an outage of your own making. And remember that attackers change infrastructure easily, so an address block is a stopgap that buys time, not a fix.

Containment can take several forms: isolating a network segment, disabling compromised accounts, pulling a host off the network, or blocking addresses. The common aim is to keep the infected part of the system from communicating with the parts that are still clean. Only once that is done should you begin eliminating the threat itself. This is where incidents diverge most, because the eradication steps must fit the attack vector: removing the malware and whatever persistence it installed, rotating the credentials the attacker used, and patching the flaw that was exploited.

Once the attacker has been shut out, recovery can begin. This is far easier if you have maintained a tested backup scheme. Sometimes the cleanest option is to wipe the affected systems and restore from backup, but "most recent" is not always the right choice: a backup taken after the intrusion began will restore the attacker's foothold along with your data. Choose the newest backup that predates the earliest known compromise, verify its integrity against the hashes recorded when it was made, and rotate every credential the attacker could have captured before bringing the systems back online.
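The two checks above, sanity-checking an address before blocking it and picking a backup that is both pre-compromise and intact, are easy to get wrong under pressure. The following is an added Python example (not the guide's own tooling) that does both against constructed data. The address ranges, the backup archives, the recorded hashes and the compromise time are all assumptions; the nftables command syntax it emits is real, but the set names are assumed and nothing is applied to a live host.

```python
"""Containment and recovery helpers: safe block rules and a trustworthy restore point.

Added example, not from the original guide. Address ranges, backup archives
and compromise time are constructed; the nftables syntax is real, the set
names (blocklist4/blocklist6 in table 'inet filter') are assumed, and the
commands are only generated, never executed.
"""
import hashlib
import ipaddress
from datetime import datetime

# Ranges that must never be blocked: loopback, link-local, RFC 1918 and ULA
# space, plus the organisation's own public prefix (assumed 198.51.100.0/24).
# Blocking these cuts off your own users, or the responders, not the attacker.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
    "198.51.100.0/24",
)]


def block_rules(suspect_ips, never_block=NEVER_BLOCK):
    """Return (nft commands, rejected) for a list of suspect addresses.

    Each accepted address becomes an 'add element' for the assumed set; anything
    unparseable or inside a protected range is returned with a reason so the
    responder can review it instead of silently blocking the wrong thing.
    """
    rules, rejected, seen = [], [], set()
    for raw in suspect_ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append((raw, "not an IP address"))
            continue
        if ip in seen:
            continue  # duplicate entries in the indicator list are common
        seen.add(ip)
        if any(ip in net for net in never_block):
            rejected.append((raw, "internal or own address range"))
            continue
        set_name = "blocklist4" if ip.version == 4 else "blocklist6"
        rules.append(f"add element inet filter {set_name} {{ {ip} }}")
    return rules, rejected


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: when each archive was taken and the hash recorded at
# that time, kept separately from the archives themselves.
MANIFEST = {
    "full-2024-06-01.tar": (datetime(2024, 6, 1), sha256_hex(b"june-01 contents")),
    "full-2024-06-15.tar": (datetime(2024, 6, 15), sha256_hex(b"june-15 contents")),
    "full-2024-06-29.tar": (datetime(2024, 6, 29), sha256_hex(b"june-29 contents")),
}
# What is on the backup volume now (constructed). The 06-15 archive has been
# altered since it was written, so its hash no longer matches the manifest.
STORED = {
    "full-2024-06-01.tar": b"june-01 contents",
    "full-2024-06-15.tar": b"june-15 contents (tampered)",
    "full-2024-06-29.tar": b"june-29 contents",
}
COMPROMISE_TIME = datetime(2024, 6, 20)   # assumed earliest evidence of intrusion


def choose_restore_point(manifest, stored, compromise_time):
    """Newest backup that predates the earliest known compromise AND is intact.

    'Most recent' is the wrong criterion once you know when the attacker got
    in: a backup taken after that point restores their foothold with your data.
    """
    newest_first = sorted(manifest.items(), key=lambda kv: kv[1][0], reverse=True)
    for name, (taken, expected) in newest_first:
        if taken >= compromise_time:
            continue  # may already contain the attacker's changes
        if name not in stored or sha256_hex(stored[name]) != expected:
            continue  # missing or altered: cannot be trusted
        return name
    return None


if __name__ == "__main__":
    rules, rejected = block_rules(["203.0.113.77", "10.1.2.3", "not-an-ip", "2001:db8::1"])
    print("\n".join(rules))
    print("rejected:", rejected)
    print("restore from:", choose_restore_point(MANIFEST, STORED, COMPROMISE_TIME))
```

With the constructed data the restore point is the 1 June archive: the 29 June one postdates the intrusion and the 15 June one fails its hash check. If no archive qualifies the function returns None, which is the signal to rebuild from clean installation media rather than restore at all. The generated nft commands are meant to be reviewed and then fed to nft by the responder, not executed automatically.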

Phase Three: Post-Incident Activity

Once the fire is out, the final step is a lessons-learned review: why the attack succeeded, what the response got right and wrong, and how to prevent a repeat. This is also when the collected data gets analyzed and correlated properly, with a full timeline of the intrusion and the response. Once again, you are looking for patterns rather than isolated findings. Compile everything into a comprehensive, well-indexed incident report, and keep the underlying evidence in case it is needed later.

Report your findings to the proper authorities. In the United States the FBI is the best place to start (its Internet Crime Complaint Center, IC3, takes reports online), since local police are rarely equipped for this kind of case. CISA, the cybersecurity arm of DHS, also accepts incident reports and can provide assistance. Depending on your industry and the data involved, you may also have regulatory or contractual notification obligations with their own deadlines.


If all of this seems to be confusing, the trained experts at PCH Technologies can help. When it comes to IT consulting firms in NJ, you couldn’t ask for a better option. We offer the very best in cybersecurity response plans, small business computer support services, and whatever else you may need. If you are dealing with an expert attacker (or worse yet, a group of them), you need people of equal or greater expertise to counter that threat. If you would like to know more or employ our services, we can easily be reached at (856) 754-7500.