If you’ve ever wondered how to respond to an IT security incident, this article will hopefully provide all the information you need. And if you work in IT, then you should definitely keep reading. It’s a big bad world out there, and things can sometimes get ugly when we least expect it.
Before we get stuck in, it’s fair to say that there exist multiple different approaches and a wide range of organisations, frameworks and regulations, each telling you what they think you should be doing about IT security. Ironically, when it comes to standards, there is no shortage of organisations eager to offer their own particular point of view. But if we take a step back, we can see that they are all quite similar. This is because, despite the number of different standards out there (ISO 27001, ISO 22.301, Cobit, etc.), they are all really just based on common sense.
In this article, we’re going to share a simple, six-step approach. However, the first step is really all about preparation rather than response. Ultimately, if you want to respond effectively to an incident, the best way is to have a clear strategy for dealing with whatever issues the world might throw at you. This requires a significant time investment. Therefore, we recommend that, whenever you find that your workload has eased off or you have a spare hour, you take advantage of that time to design, plan, document and practise your incident response strategy.
In addition to these six steps, we also recommend creating a clear communication policy that allows you to coordinate external notifications, through social media or customer communications, as well as internal notifications regarding your progress in addressing the issue.
Around all this, you should also aim to learn from previous incidents and experiences and adopt new methods and processes where appropriate. This way, you can be sure of bolstering your company’s IT security and making your organisation more resilient against attacks and threats.
If you follow these principles and apply the steps below, you will have a greater chance of mitigating the impact of any potential incidents and be in a much stronger position in the long term.
Having reviewed many of the different models out there, we have come up with the following six-step approach:
- Step 1: Preparation
- Step 2: Identification
- Step 3: Containment
- Step 4: Eradication
- Step 5: Recovery
- Step 6: Post-incident Evaluation
Let’s take a look at each one in more detail.
Step 1: Preparation
This is the step that should be dedicated the most time and effort. In Frank Miller’s graphic novel “300”, the main character Leonidas tells his son that “He who sweats most in training, bleeds less in battle”, and the same is true in the world of IT. Any organisation that invests time in improving its systems, security, processes and employee training will have a much greater chance of surviving a security incident.
As part of this step, you should look to deliver awareness-raising sessions for all staff, as well as training for your technical teams so that they know how to work in certain conditions and how to respond when an incident occurs.
This step is also where you should define your company’s security policy. This means developing and documenting procedures so that there are clear instructions for how to respond to each of the various risks that you have identified. You should also clearly set out roles and responsibilities so that people know exactly what is expected of them in an emergency situation. This last point is particularly relevant for those people who will be required to directly address an IT security incident.
Once you have trained your staff, established your processes and designated your roles and responsibilities, you need the make sure that you have all the tools and resources required to detect, analyse and mitigate all possible types of security incident. This may include monitoring software, log managers, log analysis tools, investing in equipment and forensic tools and even hiring specialist consultants.
Finally, you should also consider putting together a dedicated security incident response team with the necessary skills, knowledge and tools in order to respond to any incident as effectively and efficiently as possible.
Step 2: Identification
There are two elements to identifying an IT security incident: detection and evaluation.
Detection requires monitoring and detection tools, such as Intrusion Detection Systems (IDS), Intrusion Protection Systems (IPS), Security Information and Event Management (SIEM) systems and various log analysis tools.
Then, once an incident has been detected, it needs to be evaluated in order to establish the nature and scope of the incident.
It’s important to stress that you will need to progressively refine your systems so that you can purge any false positives and ensure that you’re only responding to real incidents that threaten the company.
Step 3: Containment
Once you’ve identified a potential incident, the next step is to minimise the impact. This means taking immediate measures to contain the incident and stop it spreading.
These measures may include blocking the IP address that attacks are coming from, isolating infected workstations, blocking certain access points or killing processes on a server.
Once you have contained the first wave, the next step will be to implement more extensive measures to protect your systems in the short term. In the meantime, a specialist team can be working to develop permanent solutions to prevent the incident from happening again.
Some of these measures can include account blocking, server patching or the addition of new rules to the company firewall.
Step 4: Eradication
Once the issue has been contained, it’s time to identify the root cause of the incident and eliminate it so that it cannot happen again. Then, you will be able to clean up the system, check that the issue has been resolved and begin recovering your services.
This step may involve cleaning and restoring compromised systems, recovering backups, closing vulnerabilities in applications or removing malware.
Once you have cleaned up your systems, should then carry out a full check to ensure that the root cause of the incident has been successfully eliminated.
Step 5: Recovery
The main aim at each step so far has been to restore normal operations. If everything has been done properly so far, you will now be at the point at which you’re ready to recover your services and systems to get the business back to normality.
This may mean restoring systems and services to their original state, restoring data from backups, formatting systems or even reinstalling operating systems or applications.
We also recommend carrying out a subsequent check to confirm that there are no remaining traces of the issue that it has been completely eradicated.
Step 6: Post-Incident Evaluation
So, you’ve managed to recover your systems and everything is back to normal. Congratulations! But wait, now is no time to relax. In fact, this step is one of the most important. Now that you have successfully addressed the issue, it’s time to evaluate how effective your response was and how successful each procedure was. You will also want to look at whether your policies are still appropriate and relevant and also consider how your incident response team performed.
After carrying out this evaluation, you should implement any improvements or changes to your policies, procedures and tools so that you can more effectively respond to an incident in the future.
We recommend putting a special emphasis on staff training to address any mistakes or shortcomings that have been identified.
And finally, you should definitely produce a report so that everything concerning the incident is fully documented, including how it was detected, what the response was and any lessons learnt.
Bonus Step: Communications
At this point, we’d like to take a moment to talk about communication. Now, this isn’t really a “step” because, in reality, good communication should form part of all the steps we’ve listed so far. For example, it’s a good idea to have an incident notification policy which details how to notify stakeholders, management and affected departments. You should also consider how you are going to ensure that customers and authorities are informed, if applicable.
The importance of effective communication should not be overlooked. And how you communicate should certainly not be improvised. It is highly recommended that you bring together all the relevant departments (systems, security, production, etc.) to develop a comprehensive communications strategy. Then, the execution of this strategy should be the responsibility of the marketing or communications department. They will have much more expertise and experience to ensure that messages are communicated in the most effective and appropriate way possible. Something which doesn’t always come naturally to us techies…
Conclusion
As you can see, there is certainly no one-size-fits-all approach to responding to an IT security incident. Each company and each system is unique. Not only that, there are various international and domestic regulations to take into account.
Nonetheless, in this article, we have attempted to at least provide a basic model to allow you to respond to security incidents in an effective way. But the success of this approach will require management support, planning and, most importantly time. If you have all three, you will at least be fully prepared when an incident occurs.
If you would like to learn more about security, check out some of the other articles on our blog.
- What is the Real Cost of Not Investing in Security?
- The Most Common Issues with Backups
- The 3, 2, 1 Backup Strategy
- The 5 Most Common Causes of Data Loss in SMEs
- Risk and Threat Assessment for SMEs
- Why is Disaster Recovery Planning Such a Headache?
Thanks for reading!
