LINEARSTACK
March 23, 2023

Incident Response Best Practices

Common mistakes to avoid when responding to a cyber incident

Incident Response Dos and Don'ts

The inevitability of threats creeping into enterprise environments has made cyberattack preparedness one of the most important parts of a well-rounded cyber security program today. In an earlier post, we talked about why Incident Response (IR) planning is critical for every organisation and how businesses can go about creating an effective plan.    

A concrete IR plan facilitates systematic and stress-free incident handling, minimises the disruption caused by an attack, and reduces investigation and recovery time. Additionally, with response steps laid out clearly in a plan, businesses can address the legal issues arising out of an incident with more clarity and confidence.  

Our focus in this post is on IR best practices and some of the common mistakes you can avoid when responding to an incident, assuming you have an IR plan in place. We encourage you to use the following list as a starting point to create your own set of IR dos and don'ts based on incidents you may have faced in the past and the table-top exercises you go through as a team.

Teamwork, preparedness and attitude
  • Communicate clearly and follow the pre-decided, documented response steps, as a team.
  • Avoid ad-hoc reactions and do not panic. Try to remain calm no matter the nature of the threat.
  • Focus on resolving the incident rather than assigning blame. Effective response can only happen if each team member is calm, alert and capable of quick, rational thinking. Creating pressure and stress will impact the team's ability to perform at an optimum level.
Internal and external communication
  • Use secure communication channels to maintain ongoing information exchange with teammates and collaborate in real time. Most modern detection and response tools include effective collaboration features like virtual war-rooms, chat and shared dashboards.  
  • Follow the IR plan to determine how much information to share and with whom. Only those who need to know about the incident (both within and outside the organisation) must be informed about it.
  • Make a well thought-through decision on breach notification based on your IR plan and legal obligations. Notifying stakeholders and affected parties too early or too late can both be counterproductive.  
External incident response support
  • Get external help as early in the response process as possible. While the degree of outside support needed will vary depending on the scale and severity of the incident and your internal capabilities, it is usually a good practice to involve incident response experts for more thorough investigation and response after malicious activity is detected. Most organisations do not have the security expertise needed to contain advanced threats in-house.  
  • Cyber security service providers like LinearStack have the specialised skillset, experience and technical capabilities necessary to neutralise sophisticated threats quickly, close security holes and root out the malware or source of breach. Make sure your IR plan has a list of the security service providers you can contact when an attack hits.  
Investigation dos and don’ts
  • Collect all the logs that will help you piece together the incident lifecycle both at the network and endpoint levels.  
  • Use digital forensics tools to collect data that may serve as evidence and can be used for investigation. These tools are designed to connect to and draw evidence from infected devices without affecting timestamps related to the attack.  
  • Be careful not to use software other than forensic investigation-related programs on impacted devices. This may overwrite the attack timeline and damage evidence.
  • Look for the root cause of the incident to know where the attack originated and close the security gaps that enabled access and further spread of the infection/malware.  
  • Do not use admin-level privileged accounts and credentials when an attack is ongoing - malicious actors often lurk in the environment waiting for you to do just this to steal access credentials or get elevated access
  • Unless necessary, try not to shut down affected systems. Doing this may damage important forensic leads and timeline data that will be critical to investigation.
  • Use both internal and external threat intelligence to dig deeper into the infection and the malware and techniques used. Investigate all IoCs further using intelligence feeds.  
Completeness of response
  • Don't be in a hurry to mark the incident as closed. Move step-by-step to make sure you have plugged all security holes, removed malware and shut down attacker access completely. Remember that completeness of response is more important than speed, if the latter comes at the cost of shoddy, incomplete investigation.
  • If you are handling a ransomware attack, look for and cut off attacker presence and movement within the network before looking for decryption keys to recover data.  Focus on neutralising and stopping the spread of malware first. Just like DDoS attacks are sometimes used as a distraction tactic to divert IR teams’ attention away from a ransomware attack, ransomware attacks can also be used as a disguise for higher-impact attack campaigns.  
  • Pay attention to all signs of malicious activity. While critical threats that have the potential to cause the greatest damage must be resolved quickly, do not wait too long before investigating more subtle signs of malicious behaviour that could point to a bigger attack.  
  • Follow your own and publicly available checklists compiled by security agencies to ensure you have gone through all containment, eradication and recovery steps.  
Post-incident analysis and review
  • Document all steps of the response process. Treat the post-incident learning and review phase as equal in importance to containment and response. Combine the automated reporting functionality of the tools you are using with human analysis for maximum benefit and to effectively pre-empt and fight similar attacks in future.  

How LinearStack can help

LinearStack’s incident response experts have decades of combined experience in managing advanced threats and neutralising incidents before they disrupt business operations. If you think you are seeing signs of a cyber-attack, contact us at 0800 008 795 or info@linearstack.co.nz. We move quickly after a request for support is received and can contain an incident in seconds and minutes after AI-assisted investigation.  

Read more about our Incident Response service here: https://www.linearstack.co.nz/professional-services/incident-response-threat-management

Blogs

Start Reading

Our latest blogs and news are here for you

DoS DDoS Attacks and Countermeasures

DDoS attacks on SMBs cost an average of $120,000 to restore services following the attack.
Read More

Cyber Security Awareness Training

Why every organisation must have a security awareness program and how to choose a solution that works for you
Read More

Defence-in-depth - An Illustration

How multi-layered defence protects organizations against cyber threats
Read More
Are you experiencing a security issue? Call us now.