Analecta Cyber Company Blog: Keep Calm and Follow Your Response Plan

2018-07-10

Keep Calm and Follow Your Response Plan

Few environments are as stressful and frenzied as what you’ll find during a cyber incident response. All hands are on deck trying to stop an attack while attempting to keep the business operational. Where is the attacker now? What data are they after? Which systems are affected? There are hundreds of questions and rarely absolute answers. Time speeds up and yet somehow slows down at the same time. Each new finding brings new questions.

How do you know what to do to stop the damage?
  • Pull together your incident response team and the preplanned incident response plan.
  • Stick to the plan. As threats are discovered, follow the contingencies that are in the response plan.
  • Remain flexible and know when to deviate.

Sticking to the plan

When you developed your initial incident response plan, you used information from different business areas to inform priorities and incident thresholds. Start there. How severe is the incident and what does your response plan dictate?
  • Isolate: Deciding your very first action can be a critical decision point. Based on everything you know about the incident, begin making changes to the network to isolate and contain the affected systems.
  • Monitor nearby systems: After you’ve isolated the affected systems, make sure you increase logging and monitoring on the non-isolated systems to ensure you’ve contained the breach.
  • Contain and eradicate: While one part of the incident response team contains the attack, other team members should begin eradicating the active intrusion by implementing mitigations to block attacker access.
  • Recover/restore: Once the active intrusion has been neutralized, the affected hosts need to be recovered. Systems will likely be rebuilt from known good baselines or recent backups. In the event of a backup restore, be careful that the restore is not already compromised!
The response plan you’ve developed should also include details about which systems can be taken offline, which isolation strategies will work with the network design, and which firewall rules are approved to isolate servers. The plan should discuss what data backups will be available for systems and the preferred recovery approach for each type of system.

A data breach or attack can take a variety of forms.

Identifying when to change tactics

An active incident response is fluid in nature until the threat has been contained. Malware and malicious activity can move through the network, usually faster than the team can detect and stop the activity. This is why keeping a keen eye on the network activity monitor is a good strategy. Watch for spikes in activity as you execute the plan. The attacker may be escalating their activities or looking for other locations to hide within the network.

As the attacker changes tactics and targets, your incident response team must be able to make adjustments to the mitigation strategy. Knowing the network ahead of time and understanding how the traffic looks during normal operations will help the team use anomalies to identify where the attacker may be located.
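The two paragraphs above make the point that anomalies only stand out when the team already knows what normal traffic looks like. The following is an added example, not code from the original post or from Analecta: it builds a per-host baseline of outbound bytes from constructed flow summaries and then flags incident-window records that spike well above that baseline, plus any host that has no baseline at all. The host names, byte counts and window labels are all constructed for illustration.

```python
"""Compare incident-window traffic against a per-host baseline (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (host, time_window, bytes_out). Values are hypothetical.
BASELINE = [
    ("web-01", "b1", 1200), ("web-01", "b2", 1300), ("web-01", "b3", 1250),
    ("web-01", "b4", 1150), ("web-01", "b5", 1100),
    ("db-01", "b1", 500), ("db-01", "b2", 500), ("db-01", "b3", 500),
    ("db-01", "b4", 500), ("db-01", "b5", 500),
    ("ws-17", "b1", 300), ("ws-17", "b2", 350), ("ws-17", "b3", 250),
    ("ws-17", "b4", 300), ("ws-17", "b5", 300),
]

INCIDENT = [
    ("web-01", "t1", 1280),    # within normal variation
    ("db-01", "t1", 500),      # normal
    ("ws-17", "t1", 9000),     # workstation suddenly pushing far more data out
    ("db-01", "t2", 2400),     # flat-baseline host jumps
    ("new-host", "t1", 100),   # never seen during baseline collection
]


def build_baseline(records):
    """Return {host: (mean_bytes, stdev_bytes)} from baseline-period records."""
    per_host = defaultdict(list)
    for host, _window, bytes_out in records:
        per_host[host].append(bytes_out)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def flag_spikes(baseline, records, threshold=3.0):
    """Return (host, window, bytes_out, reason) for records worth a closer look.

    A record is flagged when its z-score against the host's baseline is at or
    above `threshold`, or when the host has no baseline at all. A floor on the
    standard deviation keeps perfectly flat baselines from dividing by zero
    and from flagging tiny fluctuations.
    """
    flagged = []
    for host, window, bytes_out in records:
        if host not in baseline:
            flagged.append((host, window, bytes_out, "no baseline for host"))
            continue
        mu, sigma = baseline[host]
        floor = max(sigma, abs(mu) * 0.05, 1.0)  # assumed floor: 5% of mean or 1 byte
        z = (bytes_out - mu) / floor
        if z >= threshold:
            flagged.append((host, window, bytes_out, f"z={z:.1f}"))
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE)
    for host, window, bytes_out, reason in flag_spikes(base, INCIDENT):
        print(f"{host:10s} {window:4s} {bytes_out:8d}  {reason}")
```

In practice the baseline would be built from the normal-operations records the plan already calls for, and the flagged list is a triage queue for the team watching the network monitor, not a verdict: a host with no baseline may simply be new, but during an incident it deserves the same look as one that has spiked.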

Keep high-level objectives in mind

When incident response tactics must change, it is important to keep the company’s high-level objectives in mind. The response team needs to be able to get the attacker out and protect your business information and business capability. If you have worked your way through the plan and you are gaining less ground than the attacker, it may be time to ditch the plan.

No incident response plan will be perfect. Is there a point in the incident response process at which it would be appropriate to disconnect from the internet? For some organizations, this is a solid “No”, but for others it is a decision that must be weighed carefully. If your mission and objectives are well understood by all, you can be confident that the incident response team knows what is “nice to have” and what is vital to the organization.

One final note

On the off chance that the breach is significant enough that you feel you do not have enough personnel or expertise on hand to handle the incident, the plan should help identify when it is time to call in a contract incident response team. Discuss this additional resource ahead of time, and have several pre-planned scenarios worked out so you are not scrambling for resources at a time when things are crumbling around you.

Is your incident response plan ready?

Analecta can help guide your incident response and incident threshold planning with a comprehensive look at all security practices within your organization and around high-risk assets. Using a holistic approach and industry standards, our Analecta 96-point Cyber Risk Assessment enables small and medium-sized businesses to minimize or even eliminate the risk of data breaches that cause customer loss, reputational damage and loss of revenue. Our assessment identifies the most important next steps in your firm’s cyber security program to maximize protection. Email us at info@analecta-llc.com or visit our website.
