How will you react if you notice that your company has been breached, and you are responsible for IT security? For many, the panic will hit. Big time. We have seen examples of IT operations literally running to the server room to cut the power, or doing a hard shutdown of clients. This is a human reaction, but it may destroy many traces of what has happened, and you risk having no evidence.
As in life in general, you need to prepare and practice to avoid panic. We do fire drills, we train to drive on slippery surfaces, we train our kids to cope with different challenges. We should do the same for a breach in IT security. An incident response plan is a set of tools and procedures your team will use to identify, eliminate, recover from, and learn from cyber security threats.
With an incident response plan in place, you will have a good starting point to prepare for breaches.
Step 2: Define purpose.
You need to define why your organization needs an IR process. Do you want to be able to respond systematically to incidents, with the necessary measures in place? Do you want to minimize the loss of data and disruption of services? Be compliant with regulatory demands? Be better prepared for future events and improve the security of systems and data? Or maybe all of the above.
The SANS Institute IR plan consists of 6 steps:
1. Preparation
This is maybe the most important phase. Here you will assemble an IR team, establish procedures, roles and processes, and create a communication plan. You will need to understand your risk posture and which information assets matter most. In addition, you will educate and train your people, and you will practice responding to different kinds of threats. A classic example is to test that your backup works and that a restore works; then step it up and test disaster recovery. When you have successfully finished the testing, document what you did so you are prepared if a real breach occurs.
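The backup-and-restore test mentioned above is easy to run as a scripted drill, and scripting it means the result is documented every time. The following is an added example, not code from the original post: it backs up a constructed sample directory into a tarball, restores it into a fresh location, and proves byte for byte (via a SHA-256 manifest) that the restore matches what was backed up. The sample files, paths and the `tamper` switch are all constructed for the demonstration.

```python
"""Backup-and-restore drill: back up a directory, restore it elsewhere,
and prove byte-for-byte that the restore matches the original.
Added example with constructed sample data; not the original post's code."""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[str(path.relative_to(root))] = hashlib.sha256(
                path.read_bytes()
            ).hexdigest()
    return manifest


def make_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src; return the manifest taken at backup time."""
    manifest = sha256_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the tarball into dest. The 'data' filter (Python 3.12+, also
    backported to recent 3.8-3.11 releases) refuses absolute paths and
    entries that escape dest; older interpreters fall back to plain extraction."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # interpreter without the filter argument
            tar.extractall(dest)


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Report files that are missing, unexpected, or changed after restore."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "changed": sorted(
            p for p in expected.keys() & actual.keys() if expected[p] != actual[p]
        ),
    }


def run_drill(tamper: bool = False) -> dict:
    """Run the whole drill on constructed data and return a verification report.
    With tamper=True one restored file is altered after extraction, so the
    verification step must catch it (a drill that cannot fail proves nothing)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, archive, dest = tmp / "src", tmp / "backup.tar.gz", tmp / "restore"
        # Constructed sample "production" data.
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=127.0.0.1:8443\n")
        (src / "data.db").write_bytes(os.urandom(4096))

        expected = make_backup(src, archive)
        dest.mkdir()
        restore_backup(archive, dest)
        if tamper:
            (dest / "etc" / "app.conf").write_text("listen=0.0.0.0:8443\n")

        report = compare_manifests(expected, sha256_manifest(dest))
        report["ok"] = not (report["missing"] or report["unexpected"] or report["changed"])
        report["files_checked"] = len(expected)
        return report


if __name__ == "__main__":
    print("clean restore:", run_drill())
    print("tampered restore:", run_drill(tamper=True))
```

The report dictionary is what you would paste into the drill log: how many files were checked, and exactly which ones differ if the restore is not clean. Running the tampered variant alongside the clean one is deliberate; it shows the team that the check actually detects a bad restore rather than always reporting success.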
2. Identification
Has there been an incident or not? Answering this question is the goal of this phase. You need to analyze logs, events and context to understand the situation. Only then can you identify the breach and its magnitude and severity. This phase is more efficient and simpler if you have logs collected in one place, so a SIEM solution should be in place.
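To make "analyze logs, events and context" concrete, here is an added example (not part of the original post) of the kind of correlation a SIEM rule or a triage script performs during identification. It parses a handful of constructed, syslog-style SSH authentication lines, correlates them per host and source address, and flags the pattern of many failed logins followed by a successful one within a short window. The asset context table is also constructed; it stands in for the "information assets" knowledge from the preparation phase and is what turns a detection into a severity.

```python
"""Identification: correlate constructed auth log lines to decide whether
there is an incident and how severe it is. Added example; the log lines,
hostnames, addresses and asset table are all constructed, not real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IP addresses, invented hosts).
SAMPLE_LOG = """\
2024-03-01T08:00:01 srv-db01 sshd: Failed password for admin from 203.0.113.9 port 51234
2024-03-01T08:00:03 srv-db01 sshd: Failed password for admin from 203.0.113.9 port 51235
2024-03-01T08:00:04 srv-db01 sshd: Failed password for root from 203.0.113.9 port 51236
2024-03-01T08:00:06 srv-db01 sshd: Failed password for admin from 203.0.113.9 port 51237
2024-03-01T08:00:07 srv-db01 sshd: Failed password for admin from 203.0.113.9 port 51238
2024-03-01T08:00:09 srv-db01 sshd: Accepted password for admin from 203.0.113.9 port 51239
2024-03-01T08:05:00 srv-web02 sshd: Failed password for deploy from 198.51.100.4 port 40000
2024-03-01T09:10:00 srv-web02 sshd: Accepted publickey for deploy from 10.0.5.12 port 40010
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

# Constructed asset context from the preparation phase: what a host holds
# decides how severe a confirmed login from an attacker would be.
ASSET_CONTEXT = {"srv-db01": "customer database", "srv-web02": "public web frontend"}


def parse_log(text: str) -> list:
    """Turn matching lines into event dicts with a real timestamp; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def find_incidents(events: list, threshold: int = 5, window=timedelta(minutes=2)) -> list:
    """Flag a (host, source) pair that fails at least `threshold` times within
    `window` and then succeeds: the classic brute-force-then-login pattern.
    Failures alone are noise; the success is what makes it an incident."""
    findings = []
    by_key = defaultdict(list)  # (host, src) -> events in time order
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_key[(ev["host"], ev["src"])].append(ev)

    for (host, src), evs in by_key.items():
        recent_failures = []
        for ev in evs:
            # Keep only failures still inside the sliding window.
            recent_failures = [f for f in recent_failures if ev["ts"] - f["ts"] <= window]
            if ev["result"] == "Failed":
                recent_failures.append(ev)
            elif len(recent_failures) >= threshold:
                asset = ASSET_CONTEXT.get(host, "unknown asset")
                findings.append({
                    "host": host,
                    "asset": asset,
                    "src": src,
                    "user": ev["user"],
                    "failures_before_success": len(recent_failures),
                    "first_seen": recent_failures[0]["ts"].isoformat(),
                    "login_at": ev["ts"].isoformat(),
                    "severity": "high" if "database" in asset else "medium",
                })
                recent_failures = []
    return findings


if __name__ == "__main__":
    for finding in find_incidents(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data the single lone failure against srv-web02 and the key-based login from the internal address produce nothing, while the five failures followed by a password login on srv-db01 produce one high-severity finding, because the asset context says that host holds the customer database. That is the point of collecting logs centrally: the same correlation across many hosts tells you not just that something happened, but where and how bad.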
3. Containment
Stop the threat. The IR team needs to find the best way to stop the threat without destroying evidence. Normally it is all about isolating the threat so it does not affect the rest of the infrastructure. This can be done by segmentation or sandboxing.
4. Eradication
The IR team removes all traces of the breach that were identified in the earlier phases. Examples are closing the root cause (e.g. patching the vulnerability), implementing security best practices, or implementing scanning on parts of the infrastructure.
5. Recovery
The IR team will restore the affected systems. They will test and verify that the systems are clean and work as intended. If you have a SOC service, the SOC should pay special attention to confirming that the affected systems now behave normally.
6. Lessons Learned
It is time to reflect on what just happened: how did we respond, what went well, did we make any mistakes, and where can we do better? All of this needs to be documented. You need to update the plans and playbooks you made in the preparation phase, so you are better prepared for the next incident. Management will need an incident summary report.
This has been a short, high-level overview of the process; each phase deserves a deeper dive. We will start with the preparation phase and give you a more detailed view in future blog posts.
Do you want to hear more about preparing for a cyber attack? Contact us!