Incident Response and Plan

In the post lockdown era across the world, all businesses need to be well prepared for a cyber security attack. It is now a question of when, and not if, anymore. Eventually all organisations will succumb to a possible breach and we all need to arm ourselves with the right tools, services and trainings. As per Verizon’s 2016 Data Breach Investigations Report, an incident can be defined as “a security event that compromises the integrity, confidentiality or availability of an information asset.”

So let us dive into the action plan and formulate steps that can and must be taken, pre-incident, during an incident and most importantly post-incident. Quite a few of the security breaches get repeated and the act of plugging the hole after an event, is rarely given its due diligence.

In enterprises, separate roles must be identified such as incident discovery, incident response and prevention and dedicated personnel must be identified and allocated these roles. This would put less pressure on the workload of departments that keep organizations afloat during such crises. Some organisations, however, may choose to outsource these roles entirely or partially to third party consultants.

Now let’s understand each incident stage individually in brief:

Pre-incident:

The IT teams, security teams, regular staff and even chief management should have policies in place regarding their data, apps and devices protection.

Regular mock drills should be run to confirm that staff actually adhere to these processes. Companies should audit internally and/or externally to be compliant with these processes. The audits would also help to get an organisation insured at the same time.

Incident Response Plan has basically six steps contained within it - Preparation, Identification, Containment, Eradication & Recovery. The organisation should act as a whole and a lot of pre-planning goes into protecting it.

Infopercept would prove to be a great partner and will walk you through all the steps and help in securing your organisation’s assets and reduce your stress.

During incident:

The types of incidents could vary from cyberattacks, ransomware, spear phishing, malware or a system & process failure among others. Mitigation of any type of incident requires a quick set of actions based on pre-defined processes, check lists and action scenarios previously worked upon.

If the staff are well trained and prepared for any eventuality, their first step should be to leave infected files / device as it is (and not delete them, making them available for root cause analysis) and then turning the device off, from power and network.

For IT security teams during this intensive time pressure events, tools such as EDR, XDR, SOAR, SIEM or a combination of a few or all of them, would result in quick mitigation of any destructive attack, proving to be useful. The steps could range from as simple as changing user’s password and blocking compromised access to as complex as dismantling the whole network to understand the spread and depth of attack. This would lead to finding the correlation or causation of incidents that took place during incidents within the corporate environment.

Depending upon the type of attack, if it is limited to your internal corporate network and no information was compromised, then incident response communication teams would not come in picture which in turn saves the organisation’s image in the market.

Learn about Infopercept’s Invinsense Platform to fully comprehend, how such activities can be performed during any type of incident attacks.

Post - incident:

It is never enough to just mitigate an attack and move on, but rather it is considered as best practice to document, audit and add any available information into the historical feed. This gives the organisation ammunition to prevent future attacks.

This type of retrospective inspection helps in communicating severity of loopholes within security and/or compliance policies that are in place, either within the local or the cloud tenant. And this is especially true in the growing world of multi-cloud or hybrid cloud infrastructure models becoming more and more prevalent post COVID.