Incident response - 5 actions and 9 clues to help you weather the worst storms

Posted on 04 October 2017

Cybersecurity is a combat sport. The adversary is mobile and constantly improving. The best defenses do not always succeed in thwarting all attacks. The last wave of ransomware reminded us of how severe the damage could be in the event of a cyberattack. And just like combat sports, learning to fall - or in this case recover - without getting hurt too badly must be mastered. You have to acquire new skills to get back up quickly and efficiently. Here are 5 key actions that should help professionals master these skills:

Take a step back

The discovery of an attack or intrusion into your information system will inevitably raise tensions … and the temptation to react swiftly with radical measures will materialize. Senior management may apply strong pressure to react quickly. How can one keep a cool head?

These 3 basic rules should help you:

  1. A black-out is not the solution: if you turn off all of your computers and servers, you will not be able to access and copy the memory on these machines, which will deprive you of valuable clues. It is best to leave the machines on, at least until they have been analyzed.
  2. Disconnection is usually a better solution, this should limit the attack to the machines that have been impacted.
  3. Discretion and caution: an attacker may be watching you so that they can adjust their strategy. Do not let him “play” with you.

Involve the right people

This seems obvious, but in practice, much less so. The challenge is to bring together those who are indispensable and to remove those who are less useful. The crisis management team must combine technical expertise with knowledge of their business. The use of external “experts” to manage the crisis can be risky, because they do not necessarily know your business or industry. The goal must be very clear: find solutions, do not look for someone to blame. Ideally, a crisis unit should be identified prior to any attack.

Evaluating the impact of an attack

This step is often overlooked, but it is essential if the right resources are to be deployed to manage the incident. A precise inventory of the assets that have been affected must be made, detailing all of the types of information stored therein. It is also necessary to distinguish between the different types of impact which may occur:

  • Operational impact (e.g. which system has been breached?)
  • Reputational impact (e.g. who is aware of the leak (media, general public …?)
  • Legal impact (e.g. has personal data been leaked?)
  • Commercial impact?

Each type of impact will require a different response …

Communicate clearly and honestly

Communication is essential for effective incident response, especially if the incident becomes public. Communications about the incident should be clear and honest, especially if it involves a leak of customer data. Make it clear that you are in control and that you have a plan. Do not go into technical details, but focus on lessons learned and try to restore customer confidence. Timing is also important. Do not communicate until you have validated the inventory … Nor should you wait too long to communicate, which may give the impression that you have lost control of the situation. In short, timing is key.

Preparing for the worst

The above actions can be accomplished more efficiently and calmly with a little preparation. An incident management policy should be defined by the Chief Information Security Officer (CISO). The roles and responsibilities of each actor should also be defined for each crisis management stage.

Strange. Did you say strange?

Before you can respond to an incident, you must first detect it. Clues to an attack are sometimes hidden in a mass of data and innocuous events. These clues need to be identified quickly to make a precise diagnosis. Unusual events occur quite regularly, and usually without any immediate consequences. However, these events should not be completely overlooked, as they may be preliminary maneuvers to a major attack.

Here are 9 scenarios that should catch your attention:

  1. You receive an antivirus alert;
  2. The home page of your browser has been modified, or your browser takes you to pages you did not want to visit;
  3. You find new applications, programs, or accounts on your computer without having created them;
  4. Your computer becomes unstable and “crashes” occur regularly. You find desktop icons from unknown applications;
  5. A program asks you to make changes to your system, but it is not a program you remember installing;
  6. Your password does not work when you try to start your computer or connect to an online service;
  7. Your friends ask why you have “spammed” them but you have not sent them anything;
  8. Your mobile phone or tablet generates premium SMS charges that you have not made;
  9. Your smartphone suddenly consumes a large amount of data and / or its battery empties very quickly.