In a world driven by computers, cyberattacks have naturally become a bigger threat than ever. Because it is very difficult to guard against such a pervasive and dynamic threat, data breaches and other such incidents have become quite common. Although it is not always possible to prevent them, these incidents can be a lot less damaging with a well-made incident response plan.
What Is Incident Response?
Incident response is the umbrella term for everything an organization does during a security crisis. When a cyberattack or other data breach occurs, the incident response plan should be initiated. In many cases, businesses will have a CIRT (Computer Incident Response Team) designated specifically for this purpose.
That was the broad definition, but you need to know more than that. So, let’s get into the specifics by looking at this incident handler’s handbook. It provides a comprehensive six-step framework for an incident response plan. By using these basic concepts, anyone should be able to craft a set of guidelines and practices that suits their needs.
1. Preparation
This is considered the most important part of any incident response plan. An attacker or other intruder counts on catching you unaware. If that happens, your CIRT must get on the ball immediately, and that can only come from organized and careful preparation.
One thing you definitely need is a comprehensive and well-understood set of policies. Without rules to the contrary, many people will assume they can do as they wish, which is bad for security. Your rules must include measures that reduce the attack surface (such as avoiding unsecured email services) and guidelines for proper conduct (such as avoiding porn/spam sites).
2. Identification
Small technical problems happen every day, but only a serious incident requires a dedicated incident response. As such, your organization needs policies that define what counts as an emergency. You need people who can quickly and accurately identify a data breach. They may need to check log files, error reports, firewall data and similar sources, document any evidence they find, and determine the overall scale of the problem.
It is essential that your team does not move past this phase until the threat has been positively identified; until then, you do not really know what kind of threat you are facing. It is also important to check the physical integrity of all storage media. Digital theft is far more common, but physical theft is certainly not an impossibility.
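As an added example of the identification work described above (this code is not part of the original article), the script below triages constructed SSH authentication log lines: it flags any source address with repeated failed logins inside a short window, notes whether a successful login followed the failures, and records a SHA-256 hash of the raw lines examined so the evidence can be documented as it was found. The log lines, addresses and thresholds are all constructed for illustration.

```python
"""Triage constructed SSH auth log lines for repeated failed logins and
record an integrity hash of the evidence examined (added example)."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a syslog-like layout; not from any real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:04 sshd[101]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:06 sshd[101]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-03-01T10:00:09 sshd[101]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:12 sshd[101]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2024-03-01T10:05:00 sshd[102]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T10:30:00 sshd[103]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def find_suspicious_sources(log_text, threshold=5, window_seconds=60):
    """Map each source with >= threshold failures inside a sliding window to a
    summary; a success after the failures is the pattern most worth escalating."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e["ts"] for e in evs if e["result"] == "Failed"]
        # Sliding window over failure timestamps.
        hit, start = False, 0
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hit = True
                break
        if not hit:
            continue
        last_fail = failures[-1]
        success_after = any(e["result"] == "Accepted" and e["ts"] > last_fail for e in evs)
        findings[src] = {
            "failures": len(failures),
            "success_after_failures": success_after,
            "users": sorted({e["user"] for e in evs}),
        }
    return findings


def evidence_record(log_text, source_name):
    """Document what was examined: origin, size, line count and a SHA-256 hash."""
    raw = log_text.encode()
    return {
        "source": source_name,
        "bytes": len(raw),
        "lines": len(log_text.splitlines()),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


if __name__ == "__main__":
    print(find_suspicious_sources(SAMPLE_LOG))
    print(evidence_record(SAMPLE_LOG, "constructed auth.log excerpt"))
```

The hash in the evidence record is what lets a later reviewer confirm that the lines analysed are the same lines that were preserved; any edit to the excerpt changes it.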
3. Containment
Once a threat has been positively detected, the first step is to isolate it from the rest of the system, much as a sick person is quarantined: the whole idea is to keep the problem from spreading further. This may require your IT team to take certain parts of the network offline, or even the entire network. These are examples of short-term containment, as they are not meant to be permanent.
The next step is to back up the affected system. This is normally done by cloning the disk or by creating a disk image, a single file that holds a byte-for-byte copy of everything on the drive. This will be very handy when attempting to prosecute an attacker, and it is necessary because most of the evidence will have to be purged from the system in order to eliminate the threat.
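The imaging step above, as an added example that is not part of the original article: the code copies a source byte for byte, hashes the source while reading it, hashes the finished image independently, and writes a manifest recording both. On a real system the source would be a device such as a write-blocked disk opened read-only; here the "device" is a constructed file so the example runs anywhere. The `demo()` helper and all file names are assumptions made for the example.

```python
"""Create a byte-for-byte image of a source and verify it with SHA-256,
producing a manifest for the case file (added example)."""
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large devices do not exhaust memory


def image_device(src_path, dst_path, chunk_size=CHUNK):
    """Copy src_path to dst_path unchanged, hashing the source as it is read.
    Returns (bytes_copied, sha256_of_source)."""
    h = hashlib.sha256()
    copied = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(chunk_size)
            if not chunk:
                break
            h.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is really on disk
    return copied, h.hexdigest()


def sha256_file(path, chunk_size=CHUNK):
    """Independent hash of a finished file, used to verify the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src_path, dst_path, manifest_path):
    """Image src_path to dst_path and write a JSON manifest; returns the manifest."""
    size, src_hash = image_device(src_path, dst_path)
    img_hash = sha256_file(dst_path)
    manifest = {
        "source": src_path,
        "image": dst_path,
        "bytes": size,
        "sha256_source": src_hash,
        "sha256_image": img_hash,
        "verified": src_hash == img_hash,
    }
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def make_constructed_device(path, size):
    """Write deterministic filler bytes standing in for drive contents (constructed)."""
    pattern = bytes(range(256))
    full, rem = divmod(size, len(pattern))
    with open(path, "wb") as f:
        f.write(pattern * full + pattern[:rem])
    return size


def demo(size=3 * CHUNK + 123):
    """Image a constructed device in a temporary directory; returns (manifest, size)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "constructed-device.bin")
        img = os.path.join(d, "evidence.img")
        manifest_path = os.path.join(d, "evidence.json")
        make_constructed_device(src, size)
        manifest = acquire(src, img, manifest_path)
        with open(manifest_path) as f:
            assert json.load(f)["sha256_image"] == manifest["sha256_image"]
        return manifest, size


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The odd size (three chunks plus 123 bytes) exercises the partial final read; a verified image whose hash matches the source is what lets the original machine be wiped without losing the evidence.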
4. Eradication
Once the problem has been identified and quarantined, it is time to remove it entirely. This normally involves removing all files associated with the malware, but sometimes you have to go further. If essential parts of a system have been compromised, you can use a known-good disk image to restore a computer or network to its original state, which removes any malware that has been installed along with everything else.
Before re-imaging, it may be a good idea to wipe the affected systems entirely. Some people insist that “nothing is ever actually deleted from a computer”, but that is only half true. When you delete a file, its contents remain on the disk; the file system merely marks the space as free, so the computer treats it as blank. Once that space has been overwritten with other data, the old contents are truly gone. Thus, the eradication phase may involve a complete wipe and overwrite of the affected machines. On flash storage, prefer the drive’s built-in secure-erase command to a software overwrite, since wear levelling can leave copies of old blocks that an overwrite never reaches.
5. Recovery
The purpose of this phase is to restore operating capacity. However your data breach is handled, it is sure to disrupt your normal flow of operations. During this phase, take your time and make sure that every problem has been removed: a small oversight here can result in the re-infection of the entire system.
Testing and monitoring are very important here. A technician might look at a system and say “it’s clean,” but that simply isn’t good enough. It isn’t enough to think that everything is OK: you need to know it. That is why a previously compromised system must be subjected to all kinds of tests. The best way to do this is through penetration testing: your IT team attempts to hack or exploit the system to see whether it is possible to do so.
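One concrete form of the monitoring the recovery phase calls for, added here as an example that is not from the original article: a file-integrity check that hashes every file in a known-good baseline (for instance the tree restored from a clean image) and compares a later snapshot of the recovered system against it, reporting files that were added, removed or changed. The `demo()` fixture builds two constructed directory trees in temporary folders; the file names and contents are invented for the example.

```python
"""File-integrity comparison between a known-good baseline tree and a later
snapshot of the recovered system (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # skip symlinks; their targets are hashed where they live
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Diff two path->hash maps into sorted lists of added, removed and changed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def populate(root, files):
    """Write a constructed tree of {relative path: bytes} under root (fixture)."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Known-good tree vs. the system after recovery; returns the diff."""
    clean = {
        "etc/hosts": b"127.0.0.1 localhost\n",
        "usr/bin/sshd": b"\x7fELF constructed sshd\n",
        "var/www/index.html": b"<h1>hello</h1>\n",
    }
    after = dict(clean)
    after["usr/bin/sshd"] = b"\x7fELF constructed sshd, modified\n"  # altered binary
    after["tmp/.x"] = b"# constructed unexpected file\n"  # file absent from baseline
    del after["var/www/index.html"]  # file missing after recovery
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        populate(a, clean)
        populate(b, after)
        return compare(build_baseline(a), build_baseline(b))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run on a schedule after recovery, a non-empty `changed` or `added` list for system binaries is exactly the early warning of re-infection the text is concerned with; an empty diff is evidence, not just a technician's opinion, that the system still matches its clean state.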
6. Lessons Learned
This phase is probably the simplest one, but it is just as important. You should always try to learn from every incident and use it to improve your security. We have mentioned the importance of documenting your incidents, and this isn’t only for purposes of prosecution: it also lets your management and IT team evaluate the situation and make recommendations for improvement.
Computer security may be a highly technical endeavor, but it doesn’t have to be a headache. When all your preparations are in place, they function like an immune response, galvanizing all the defenses into action. By following these six steps, and adapting them for your use, you should be able to make yourself and your organization as prepared as possible. If you would like to thank us for that, you can start by filling out the contact form.