
First steps to a robust incident response plan


In any company there are various situations that can look like a cyber attack: the file server is inaccessible, the website is down, you cannot send or receive emails… Any of these scenarios may simply be due to misconfigured systems, but in other cases it may actually be a security incident in progress.

Until recently, there was a belief among SMEs that cyberattacks were not something that would affect them. Why would a cybercriminal want to attack such a small company if the sea is full of much bigger fish? In reality, any organisation, whether small, medium or large, with a high or low dependency on technology, must be prepared to deal with a security incident.

Initial Incident Assessment 

If you suspect that an incident is taking place, and periodically in any case, it is recommended to:

  • Review the organisation’s systems responsible for identifying unauthorised access, such as IDS/IPS, firewalls, logs, netflows, EDR, etc.
  • Contact the department or staff responsible for managing the organisation’s network and systems to check whether maintenance is being carried out.
  • Broadly identify the type of incident and its severity. For example, a ransomware attack is not the same as a denial of service against the organisation’s website.
  • Record and document all the information collected; it will be of great help in later phases.

By following these recommendations, it will be possible in most cases to establish whether a security incident is taking place or whether it is simply a false positive. If it is not possible to tell one situation from the other, it is preferable to act as if it were an incident.

Incident Communication 

Communication will be a critical part of the response process. It is important that only those people or departments that can help resolve the incident are aware of what has happened. A company’s reputation is priceless, and a leak of information about the incident at this point could have far more negative consequences than the incident itself. For this reason, only the personnel designated to respond should be aware of what has happened. A person in charge must also be appointed to coordinate the response. This coordinator will be responsible for the appropriate communications with external parties such as suppliers, technical support, vendors, other affected companies or entities, government notification, etc.

Damage containment and risk minimisation 

Acting quickly and efficiently can greatly reduce the effects of an incident. Time is a differentiating factor, since a low-level incident, if it continues over time, can become a much more serious problem. Each attack has a different nature, but the following priorities should be present in all types of attack:

  • Protect any information of value to the company, such as the personal information of customers or suppliers, or the business plan. If information has been classified, you can choose to protect information marked with a certain level of criticality.
  • Protect the organisation’s equipment and systems, while minimising the time they are out of service. Stopping the organisation’s processes and services may be harmful in the short term, but in the long run it is more likely to be worse not to stop the affected systems.

In addition to these priorities, the damage that could be caused to the organisation must be contained as soon as possible. For this, the following aspects must be taken into account:

  • Since the vast majority of scenarios require disconnecting some or all of the affected devices from the network, the impact this can have must be taken into account, especially when there are service level agreements you need to align with.
  • Determine the vector used by the attacker to compromise the organisation’s security and take steps to protect that entry channel so that the organisation is not attacked through the same route again.
  • Back up the machine in its current state before taking any corrective action, because this will be very useful for determining what the attacker has done on the affected devices. You will also probably need to change the access credentials of all users involved.

These are just the first steps. In the coming weeks you will learn how to respond to and recover from an incident, how to assess the damage, and how to take the necessary measures so that it does not happen again.

If you are curious about how Mondas carries out this type of service, please do not hesitate to contact us and send us your questions; we will try to resolve them and guide you in the best possible way.