Being prepared for cyber-attacks is as crucial for any business as an evacuation plan is for any building: no matter how well protected you are, it is better to plan for the fire than to stay in the burning building, or to lose the business. Incidents develop differently in different companies. To deal with a breach effectively, every business needs a carefully documented and easily executable incident response plan of its own (often prepared with a vendor of incident response services) that lets the organization eradicate malware, ransomware, or similar threats quickly. Dealing with a data breach, like dealing with other accidents, can roughly be divided into three phases: preparing, rescuing, and restoring.

Preparation as the first step in dealing with a data breach

There is no need to sit and wait, afraid of what might happen: known attack patterns can be anticipated, and the company can be protected against them in advance.

Cybersecurity as a way of thinking

We recommend starting not with complicated and costly protection technology but with the way of thinking inside the company. Threats from inside the organization account for about 43 percent of data breaches. People who have access to data or other corporate assets can inadvertently cause an attack, being the weak link in a company's cybersecurity program: by sharing files over unprotected networks or following malicious links sent from unknown email addresses, they open up the corporate network to attack. Limiting each person's access to what their role actually requires also limits the damage any single mistake can do.

Checking the defense

A penetration test can be called the first practical step in formulating a company's incident response plan.

Here it is useful for a company to choose black-box penetration testing: a simulation of an external attack by professional, ethical hackers who imitate the behaviour and methods of real attackers without prior knowledge of the internals. It reveals the main gaps in the company's security and shows how an attacker could gain access to the company's assets. The scope and rules of engagement of such a test should be agreed in writing beforehand, so that the simulated attack itself does not become an incident.

Checking the ability to identify the incident

The next step that ensures the reliability of the incident response plan is checking, setting up, or implementing a security monitoring process.

A well-run security monitoring process makes it possible to detect threats before they become breaches.

People in the security operations center (SOC) manage the SIEM (security information and event management) system, analysing the alerts and the information about activity inside the company's network.

Using this service, it is possible to stop a threat at its beginning by identifying indicators of a potential compromise such as:

  • Suspicious activity in privileged users' accounts, or unplanned new privileged accounts being created;
  • Increased outbound network traffic;
  • Unplanned registry or system file changes;
  • Logins from new locations;
  • Unusually high volumes of requests for files or database records;
  • Signs of DDoS (Distributed Denial of Service) activity.
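As an added illustration of how a SOC turns indicators like these into alerts (example code written for this article, not the vendor's or any SIEM's own rule content), the Python routine below runs four of the rules above over a constructed feed of JSON-lines events and then correlates the alerts per host, so that a host on which several indicators fire together is flagged for containment first. The event schema, the baselines (known privileged accounts, each user's usual login countries, each host's normal outbound volume) and the sample events are all assumptions; the DDoS and bulk-request indicators are left out because they need rate baselines over time rather than a single-pass check.

```python
"""Toy SOC triage: turn indicators into alerts and pick hosts to contain first.

Added example for this article; not the vendor's SIEM logic. The event
schema, the baselines and the sample feed below are all constructed.
"""
import json
from collections import defaultdict

# Baselines a SOC would derive from historic data (assumed values).
KNOWN_PRIVILEGED = {"root", "ops-admin"}
PRIVILEGED_GROUPS = {"wheel", "sudo", "Domain Admins"}
KNOWN_LOCATIONS = {"alice": {"DE"}, "bob": {"DE", "NL"}, "ops-admin": {"DE"}}
BASELINE_BYTES_OUT = {"web01": 2_000_000, "db01": 500_000}  # bytes per interval
OUTBOUND_SPIKE_FACTOR = 5
SENSITIVE_PATHS = ("/etc/ld.so.preload", "/etc/cron.d/", "/etc/passwd", "/etc/shadow")

# Constructed sample feed: one JSON event per line (hypothetical schema).
SAMPLE_EVENTS = """\
{"ts":"2024-03-01T02:10:00Z","event":"user_created","host":"bastion01","user":"svc-backup2","by":"ops-admin","group":"wheel"}
{"ts":"2024-03-01T02:11:00Z","event":"login","host":"web01","user":"alice","src_country":"DE"}
{"ts":"2024-03-01T02:12:00Z","event":"login","host":"web01","user":"alice","src_country":"BR"}
{"ts":"2024-03-01T02:13:00Z","event":"login","host":"db01","user":"root","src_country":"RU"}
{"ts":"2024-03-01T02:15:00Z","event":"netflow","host":"db01","bytes_out":12000000}
{"ts":"2024-03-01T02:15:00Z","event":"netflow","host":"web01","bytes_out":2500000}
{"ts":"2024-03-01T02:16:00Z","event":"file_change","host":"db01","path":"/etc/ld.so.preload"}
"""


def triage(feed):
    """Return (severity, rule, host, detail) tuples for events that match a rule."""
    alerts = []
    for raw in feed.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        kind, host = ev["event"], ev.get("host", "-")
        if kind == "user_created" and ev.get("group") in PRIVILEGED_GROUPS:
            # Unplanned privileged account: every new member of an admin group is reviewed.
            alerts.append(("high", "new_privileged_account", host, ev["user"]))
        elif kind == "login":
            user, country = ev["user"], ev["src_country"]
            if country not in KNOWN_LOCATIONS.get(user, set()):
                # New login location; worse when the account is already privileged.
                sev = "high" if user in KNOWN_PRIVILEGED else "medium"
                alerts.append((sev, "new_login_location", host, f"{user}@{country}"))
        elif kind == "netflow":
            base = BASELINE_BYTES_OUT.get(host)
            if base is not None and ev["bytes_out"] > OUTBOUND_SPIKE_FACTOR * base:
                # Outbound volume far above the host's baseline: possible exfiltration.
                alerts.append(("medium", "outbound_spike", host, f"{ev['bytes_out']}B"))
        elif kind == "file_change" and ev["path"].startswith(SENSITIVE_PATHS):
            # Unplanned change to a file attackers use for persistence or privilege.
            alerts.append(("high", "sensitive_file_change", host, ev["path"]))
    return alerts


def containment_candidates(alerts, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired; isolate these first."""
    rules_by_host = defaultdict(set)
    for _sev, rule, host, _detail in alerts:
        if host != "-":
            rules_by_host[host].add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for alert in found:
        print(*alert)
    print("contain first:", containment_candidates(found))
```

Run stand-alone, it reports five alerts and `contain first: ['db01']`. The single unusual login on web01 is worth a look, but db01 combines a privileged login from an unknown country, an outbound traffic spike and a change to /etc/ld.so.preload, which is exactly the pattern of a compromised asset being used as a foothold, so it is isolated first. In a real SIEM the baselines come from weeks of data rather than constants, and each rule's threshold is tuned to the environment to keep the alert volume manageable.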

Once a threat has been identified, the security team's main task is to deal with it as fast as possible and not allow attackers to reach other assets through the compromised one. The company also needs to inform the parties involved: that information helps clients and partners stay alert and avoid becoming the next link in a supply-chain attack. The containment, eradication, and recovery phase is where most of the work to actually resolve the incident takes place.

Containment of the attack

Quickly localizing the threat is critical to mitigating the impact of an incident. This step limits the damage and stops other systems from being compromised. At this stage, it is important to identify all affected assets and resources and their connections, to ensure that when the containment measures are removed the incident does not come back or propagate further through the organization.

We recommend having short-term and long-term containment strategies ready, as well as redundant system backups, so that each can be drawn on when it is needed:

  • A short-term containment strategy is the localization itself: it focuses on limiting the damage and stopping the infection before it gets worse (for example, by isolating an affected host from the network), but it cannot be a long-term solution.
  • A long-term containment strategy temporarily fixes the affected systems so that the business can continue operating during the incident, while the root cause is still being worked on.
  • A backup containment plan helps avoid losing compromised data for good and restores normal operations. Forensic software should also capture the affected systems as they were during the incident (disk and memory images taken before anything is cleaned), which preserves evidence and lets the security team later study how the systems were compromised and formulate lessons learned.

Eradication of the cause of the incident

In order for an organization to recover from a breach, its cause must be determined. After the problem has been localized and contained, the compromise itself must be eradicated: the components of the incident (malware, breached accounts, persistence mechanisms, etc.) must be removed everywhere they exist across the organization, not only on the system where they were first found. The security team also identifies and mitigates the vulnerabilities that were exploited at this stage.

Recovery plan

Checking the systems will show whether any infected elements remain. Continuous monitoring confirms that there are no signs of malicious activity left inside the systems. The SOC team stays watchful, because attackers sometimes hold stolen data or access back and use it later, when the victim is less likely to be on alert.

The restore phase must also validate that the systems are fully operational and protected again. A good decision is to commission a penetration test that puts the restored systems through hard testing.

Preventing future incidents

This is the debriefing stage. As reflection after the incident, we recommend the following actions:

  1. Lessons learned. Document the conclusions and the course of the incident, using the backups and the forensic captures taken during containment.
  2. Actions taken. It may be essential to prepare reports on how the breach was handled for clients and partners, to show that the organization has recovered and that their data is protected.
  3. IR plan. The organization will need an updated incident response plan, revised in light of the experience of the breach.