6 Steps to Successful Incident Response Plan: Preventing Reoccurring Attacks

Liam Follin

Senior Consultant

Liam is one of the senior consultants at Pentest People. With a wide range of skills and experience, from web applications to social engineering, he is well placed to comment on cyber security matters.

6 Steps to Successful Incident Response Plan

Cyber attacks are inevitable for businesses. Data can be stolen, systems can be compromised, and the reputation of the company can be damaged. If your business is hit with a cyber attack, it is important to have a plan in place for how to respond. In this blog post, we will discuss six steps to a successful incident response plan. By following these six steps, you can stay one step ahead of the attacker.

Step 1: Preparation

The first step in incident response is preparation. This means having a plan in place for how to respond to a cyber attack. The plan should include who should be notified, what steps need to be taken, and what resources are available. By having a plan in place, you can ensure that everyone knows what to do in the event of a successful cyber attack. Preparation also means building the Cyber Security Incident Response Team (CSIRT) into a team that can launch an incident response properly and is comfortable working through one.

Preparation involves:

  • Defining the policies, rules and practices that guide security processes.
  • Developing incident response plans (playbooks) for each kind of incident that might target the company.
  • Maintaining a precise communication plan: who to contact internally and externally, how to reach them, and who is authorised to speak to customers, regulators or the press.
  • Keeping incident response tools ready and up to date at all times. This also means spending time testing new tools, selecting replacements and maintaining knowledge of them. All tooling should be kept in a jump bag that is ready and available to incident handlers as soon as they need to travel to another site to handle an incident.
  • Running regular training on simulated incidents (tabletop exercises), to ensure every CSIRT member and every required outsider knows how to react and handle a case.

Step 2: Identification

The second step in incident response is identification. This is when an incident is discovered or reported to the Cyber Security Incident Response Team (CSIRT). Several actions take place in this phase, in particular:

  • Identifying the incident precisely, and carefully confirming that it is a real incident and not a false positive.
  • Defining the scope of the incident and of its investigation.
  • Setting up monitoring.
  • Detecting incidents by correlating and analysing data from multiple sources: endpoints (process activity, event logs, etc.) and the network (log files, error messages, etc.).
  • Assigning incident handlers to the incident.
  • Starting to document the case.
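The correlation and scoping work described above, as an added example that is not part of the original post and not Pentest People's tooling. It reads authentication events gathered from several endpoints, flags a successful login that follows a burst of failures from the same source (the "is this a real incident?" check), and then produces the first cut of the scope: which hosts and accounts that source went on to use. The log line format, the sample lines, the failure threshold and the time window are all assumptions made for the example.

```python
"""
Added example: correlating authentication events from several endpoints
to triage a suspected brute-force or credential-stuffing incident.
The log lines below are constructed for this example; the line format
(host, timestamp, source IP, user, result) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per authentication attempt, gathered from
# three hosts. Real data would come from a SIEM or log collector.
SAMPLE_LOGS = """\
web01 2024-03-04T10:00:01Z 203.0.113.7 alice FAIL
web01 2024-03-04T10:00:02Z 203.0.113.7 alice FAIL
web01 2024-03-04T10:00:03Z 203.0.113.7 alice FAIL
web01 2024-03-04T10:00:04Z 203.0.113.7 alice FAIL
web01 2024-03-04T10:00:05Z 203.0.113.7 alice FAIL
web01 2024-03-04T10:00:09Z 203.0.113.7 alice SUCCESS
app02 2024-03-04T10:05:00Z 203.0.113.7 svc_backup SUCCESS
db01  2024-03-04T10:01:00Z 198.51.100.20 bob FAIL
db01  2024-03-04T10:30:00Z 198.51.100.20 bob SUCCESS
"""

FAIL_THRESHOLD = 5             # assumed: failures from one IP ...
WINDOW = timedelta(minutes=2)  # ... within this window before a success


def parse(lines):
    """Turn raw lines into dicts, skipping blank or malformed lines,
    and return them ordered by timestamp (the logs arrive per host)."""
    events = []
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        host, ts, src, user, result = parts
        events.append({
            "host": host,
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "user": user,
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_logins(events):
    """Return successful logins preceded by at least FAIL_THRESHOLD
    failures from the same source IP within WINDOW. A single failure,
    or a success with no recent failures, is not reported."""
    recent_fails = defaultdict(list)   # src -> timestamps of failures
    hits = []
    for e in events:
        fails = recent_fails[e["src"]]
        while fails and e["ts"] - fails[0] > WINDOW:  # expire old failures
            fails.pop(0)
        if e["ok"]:
            if len(fails) >= FAIL_THRESHOLD:
                hits.append(e)
        else:
            fails.append(e["ts"])
    return hits


def scope_incident(events, hits):
    """Given confirmed hits, list every host and account the offending
    sources successfully used from the first hit onwards: the initial
    scope that the investigation (and containment) will work from."""
    if not hits:
        return {"sources": [], "hosts": [], "accounts": [], "first_seen": None}
    bad_sources = {h["src"] for h in hits}
    first_seen = min(h["ts"] for h in hits)
    hosts, users = set(), set()
    for e in events:
        if e["src"] in bad_sources and e["ok"] and e["ts"] >= first_seen:
            hosts.add(e["host"])
            users.add(e["user"])
    return {"sources": sorted(bad_sources), "hosts": sorted(hosts),
            "accounts": sorted(users), "first_seen": first_seen}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    found = find_suspicious_logins(evs)
    for h in found:
        print(f"suspicious login: {h['user']}@{h['host']} from {h['src']} at {h['ts']}")
    print("initial scope:", scope_incident(evs, found))
```

Note that the second source (198.51.100.20) is not flagged: one failure followed by a success half an hour later is ordinary user behaviour, which is exactly the false-positive check the identification step calls for. The scope output is what the handler records first in the case notes and hands to containment.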

Step 3: Containment

The third step in incident response is containment. This is when the Cyber Security Incident Response Team (CSIRT) takes action to contain the incident: stop it spreading, limit the damage already done and prevent any further damage.

The first step of containment is to isolate the affected systems and network segments so the attacker can no longer communicate with the compromised environment. The second step is to preserve evidence (disk images, memory captures, logs) and take backups, in case of further investigation; volatile evidence such as memory should be captured before a machine is powered off. The final step is to apply short-term fixes to affected systems, such as patching the exploited vulnerability, so they can be brought back online safely, ready to move to the next phase.

Step 4: Eradication

This step removes every trace of the attack and makes sure it cannot happen again. As well as changing passwords, applying security fixes and patching all systems, the recommended way to eradicate all traces of the incident is to fully reinstall the affected systems from a known-good image or installation media and deploy the latest security fixes immediately, before the system is reconnected. Restoring from a backup taken after the initial compromise risks restoring the attacker's foothold along with the data.

Step 5: Recovery

After patching and rebuilding all systems, it is crucial to get all services back up and running. In many cases, this might mean re-installing all systems and changing all employees' passwords, doing whatever is needed to avoid a repeat of the incident. Enhanced monitoring should be defined and started at this point, for a defined period of time, to catch any abnormal behaviour that suggests the attacker still has access.

Step 6: Lessons Learned

The final step, and one of the most important, is to document everything that happened during the incident. This will help to improve the security posture and learn from any mistakes made. It includes a full analysis of what went well and what needs to be improved for future reference. This also helps in training new members of staff who join the company. All documentation written during the incident should be completed, and should answer as many of the who, what, where, when, why and how questions as possible. Every incident should be seen as an opportunity to improve the whole incident handling process in the company.

Conclusion

To conclude, these six steps summarise how to bounce back successfully from a cyber attack with an incident response plan in place. Here at Pentest People, we have developed our own Incident Response Service to give businesses the reassurance that they will not suffer a repeat of the same attack.
