In today’s hyper-connected world, the question isn’t if your organisation will face a cyberattack, but when. Cyberattacks occur every 39 seconds, so it’s only natural that they pose a constant threat to businesses and individuals. The potential consequences of a data breach are severe, including financial loss, reputational damage, and operational disruptions.

To safeguard your assets and minimise downtime, a well-defined incident response plan is essential. This article outlines the critical steps to take when faced with a cyberattack, helping you navigate the crisis and restore normal operations.

First things first: Incident Response preparation

Having a comprehensive incident response plan in place before a crisis occurs is crucial for minimising damage and accelerating recovery efforts. Some of the key components of a solid incident response plan include:

• Well-defined security responsibilitiesDesignate who does what in the context of a security team, namely who experts report to, who acts in the remediation phase, who is responsible for qualifying the incident, who performs the post-incident review, who communicates the incident to other parties, etc.
• Knowledge of the infrastructureMake sure to know your infrastructure properly to be able to pinpoint the propagation of the incident and its source – this requires an inventory and a cartography of all the assets. For bigger networks, it could also be important to have a plan B or a fail-soft/degraded mode, to ensure service continuity (e.g.: having a list of the servers that should be restarted first, and which ones can act as replacements, etc.).
• Data backup and recoveryImplement robust data backup and recovery procedures, and make sure they work as intended.
• Cybersecurity awareness trainingEducate employees about potential threats, their role in preventing attacks, and how they should react to one.
• Communication protocolsEstablish clear communication channels for internal and external stakeholders.
• Incident Response teamDesignate a dedicated team responsible for handling security incidents, especially if we’re talking about a medium or large company. If you do not have Incident Response experts internally, get help from a Managed Security Service Provider (MSSP) like act digital.
• Incident Response playbooksIt is important to have a general playbook on how to behave according to what type of incident. Then, develop detailed procedures for those various types of incidents.

Incident Response: step by step

Now, imagine waking up to find your company’s critical data compromised, your customers’ trust shattered, and your operations fully stopped. The aftermath of a cyberattack can be daunting, but an effective response can mean the difference between catastrophe and recovery.

Below you can find the critical steps to take immediately after a breach or cyberattack of any kind:

• Detection and Identification: recognising that a cyberattack has occurred through system monitoring and detection tools.
• Containment: isolating affected systems to prevent further damage and stopping the spread of the attack.
• Degraded mode: restarting vital services in degraded mode if the incident shuts down important services.
• Eradication: removing malicious software and addressing vulnerabilities to eliminate the threat.
• Recovery: restoring systems and data to their pre-attack state and ensuring security and functionality.
• Communication: informing stakeholders, notifying affected parties, and coordinating with legal bodies.
• Documentation and Analysis: recording the incident and response efforts for future reference and learning.
• Post-Incident review: reviewing the incident, updating security policies, and training staff to improve future responses.

Let’s delve deeper into each step, in order to ensure that your organisation is fully prepared to recover in the face of cyber adversity.

Step 1: Detection and Identification

The initial and most crucial step in the Incident Response process involves identifying and validating the cyberattack. Organisations should monitor their systems for abnormal activities and swiftly detect breaches to contain the spread of damages. The key aspects to consider are:

• Continuous monitoring…
  • …of the network (with network appliances)Use IDS (Intrusion Detection Systems), NDR (Network Detection and Response), proxies and firewalls to detect unauthorised access or unusual activities within your network. 
  • …of the endpointsUse EDR (Endpoint Detection and Response) tools to monitor endpoint devices for signs of threats, investigate suspicious activities, and respond accordingly.
  • …of configuration changesMake sure that every configuration change that occurs on your infrastructure is wanted and documented by maintaining a baseline and regularly comparing the current configuration to this baseline.
  • …to correlate everything at onceAggregate and correlate all the activities across the organisation to implement real-time monitoring systems. Tools like Security Information and Event Management (SIEM) systems, or XDR technologies, provide comprehensive oversight and alert you of any anomalies. Managed SOC (Security Operations Center) can also help with monitoring. Employ UEBA (User and Entity Behaviour Analytics) tools to monitor activities and detect deviations from typical behaviour patterns. This helps identifying compromised accounts or insider threats.
• Regular security auditsConduct regular audits and vulnerability assessments to identify weaknesses before they can be exploited. These proactive measures help recognising potential entry points for attackers.
• Incident Response teamEnsure your incident response team is trained and prepared to act swiftly upon detection of any suspicious activity. This team should be equipped with clear protocols for identifying and escalating potential threats.

Step 2: Containment

Once an attack is detected, the immediate priority is to contain the breach to prevent further damage. This step involves isolating compromised elements to stop the spread and limit the impact. In addition to following the playbooks defined initially, here are key strategies and tools to effectively contain an attack:

• Network segmentationImplement network segmentation to isolate compromised systems from the rest of the network. This can be achieved through VLANs (Virtual Local Area Networks) and firewall rules to create separate network segments. 
• Endpoint isolationUse EDR tools to isolate affected endpoints from the network. These tools can remotely quarantine infected devices, preventing the spread of malware.
• Blocking of malicious behavioursUse firewalls to block malicious IP addresses that may have caused the infection. Use EDR blocklists and network appliances to block the transfer and execution of malicious packages.
• Application execution blockRestricting the execution of unauthorised applications through application blocklists can help prevent the spread of malware.
• Access controlAdjust access controls and permissions to limit the spread of the attack. This involves disabling compromised user accounts, revoking unnecessary privileges, and enforcing the principle of least privilege (PoLP) on access policies.
• Incident Response platformsUse incident response platforms to coordinate containment efforts. These platforms provide automated playbooks and workflows to quickly remediate affected systems.
• Exhaustive search for evidence of malware spreading Look for indications across the whole company that the threat may have compromised other assets.

Step 3: Degraded mode

After making sure that the threat is contained, if the incident has a big impact on the infrastructure, it is important to restart the vital services first, to make sure that the basic functionalities of the company continue working.

This requires having a plan of what to do, in which order, and to know the importance of each appliance.

Step 4: Eradication

After dealing with the threat, the next focus is to eliminate the cause of the breach. This includes thoroughly removing any malicious components from your systems and addressing the vulnerabilities that led to the attack.

This step ensures that the threat is completely neutralised and reduces the risk of reinfection. Here are the key aspects and tools for successful eradication:

• Malware removal toolsUse specialised tools to detect and remove malware from infected systems.
• Password resettingChange passwords for all compromised accounts, including system and network accounts.
• Malware action undoUndo all the changes that the malware has made, if those changes can be identified and undone. Otherwise, reverting to a previous standard state must be preferred.

Step 5: Recovery

After threats are eliminated, efforts continue to restore and certify the system. This step focuses on restoring systems to normal function after an attack, ensuring that they are secure and functioning properly.

This step is necessary to reduce processing time and reassure stakeholders. Here are the key aspects and tools for a good recovery:

• System reimagingReimage compromised systems to a clean state. This involves reinstalling the operating system and applications from trusted sources.
• Patch managementApply security patches and updates to fix vulnerabilities exploited by the attackers.
• System restorationRestore affected systems from clean backups. Use backup and recovery solutions to ensure that you can quickly restore data and systems to their pre-attack state.
• Data integrity checksVerify the integrity of restored data to ensure it has not been tampered with. 
• System validationThoroughly test systems to confirm they are operating correctly and securely.

Step 6: Communication

Effective communication all through and after the incident response process is essential to ensure transparency, maintain trust, and coordinate efforts throughout the company.

Here are key elements and equipment for managing communication during an incident:

• Incident Response planFollow the clear communication plan defined earlier, as part of your Incident Response strategy. This plan should outline who needs to be informed, what information needs to be shared, and how communication should be handled.
• Internal communication toolsUse messaging tools to facilitate real-time communication and collaboration among the Incident Response team. 
• Stakeholder updatesKeep stakeholders informed about the status of the incident, the steps being taken to address it, and any potential impact on them.
• Customer communicationInform customers about any potential impact on their data and the measures being taken to protect them. 
• Post-incident communicationAfter the incident is resolved, communicate the outcomes and any changes implemented to prevent future occurrences. 
• Training and awarenessEducate employees about the importance of communication during an incident and train them on how to use the designated communication tools effectively.
• Information sharingShare information about what happened with local CERT (Computer Emergency Response Team) and security teams of your country or industry to make sure that they do not host the same threats as those you just dealt with.

Step 7: Documentation and Analysis

Documenting and analysing the incident is important for understanding the attack, improving future defenses, and meeting compliance requirements.

Here are the key aspects and equipment for effective documentation and analysis:

• Incident documentationKeep detailed records of the incident, including timelines, actions taken, and decisions made.
• Root cause analysisConduct a thorough investigation to determine how the attack occurred. This involves reviewing and correlating logs in your SIEM, identifying entry points, the whole attack path used, and the Indicators of Compromise (IoC).
• Forensic analysisConduct a forensic analysis to understand how the malicious package works and what it is supposed to do. 
• Incident Response reportsGenerate incident response reports to summarise findings and recommendations.
• Knowledge managementStore incident documentation and lessons learned in a knowledge management system for future reference.
• Post-incident analysis meetingsConduct post-incident analysis meetings with the Incident Response team and stakeholders to review the incident and identify improvement areas.

Step 8: Post-Incident Review

The post-incident review is an essential step for evaluating the effectiveness of the response and figuring out areas for improvement.

Here are the key aspects for conducting a post-incident review:

• Debriefing sessionsConduct debriefing sessions with the Incident Response team to discuss the incident, response actions, and outcomes.
• Lessons learnedIdentify and document lessons learned from the incident. 
• Improvement plansDevelop and implement improvement plans based on the lessons learned. 
• Security enhancementsImplement additional security measures to protect against future attacks. This may include updating security configurations, enhancing monitoring, and improving access controls.
• Configuration managementEnsure system configurations are secure by following best practices and guidelines.
• Policy and procedure updatesUpdate Incident Response policies and procedures to incorporate the lessons learned and ensure continuous improvement. 
• Training and drillsConduct additional training and drills based on the incident review findings. 
• Metrics and KPIsEstablish metrics and Key Performance Indicators (KPIs) to measure the effectiveness of the Incident Response process. 
• Stakeholder feedbackGather feedback from stakeholders on the Incident Response process and outcomes.
• Continuous monitoringImprove your continuous monitoring to ensure that improvements are effective and to detect any new vulnerabilities or threats.

Conclusion

Understanding and implementing a robust Incident Response plan is important for any business facing the inevitable threat of cyberattacks. Our Alter CERT, part of InterCert France, excels in the detection and identification phase, using advanced tools to quickly identify and analyse threats. For containment, our Managed Security Services deploy rapid response measures to isolate affected systems and prevent further spread of the attack.

During the eradication phase, our specialised team works carefully to remove malicious code and secure compromised systems, using industry-leading technologies. In the recovery stage, our Managed SOC ensures that systems are restored to normal operation with minimal downtime, employing strategies to recover lost data and validate system integrity.

With act digital's Incident Response services, organisations are more equipped to address the challenges posed by cyber threats and attacks, knowing they have a trusted partner to guide them through every step of the process.