A cybersecurity incident can be devastating for an organization. Data can be stolen, leaked, or destroyed, and the company’s reputation can be damaged. Our Okta Data Breach Overview shows clearly how an organization’s inadequate response to an incident can be as damaging as the cyberattack itself. In this blog post, we outline the usual steps an organization must take to recover from a cybersecurity incident. We also discuss detecting and containing the cyberattack, remediating vulnerabilities, and reporting on the incident.
When an incident occurs, the first step is to determine its nature and scope. This will help you develop a plan to mitigate the consequences and limit the damage. To do this, you need to ask yourself some key questions:
- Is it a data theft, a ransomware attack, or something else?
- What systems were affected?
- What type of data was compromised?
- How did the attacker gain access to your systems?
- Are there other systems that may be affected?
- What is the extent of the damage?
Once you have answers to these questions, you can start developing a plan to contain and mitigate the security incident. This is where having prepared an incident response plan beforehand comes in handy.
Immediately contain and isolate the critical systems that were affected by the cybersecurity incident. This will help prevent the attacker from causing more damage and give you time to assess the situation. To do this, you need to do the following:
- Disconnect any infected machines from the network
- Change all passwords
- Update security software and run scans
- Restrict access to systems that may have been compromised
- Ensure your offsite backups are ready for deployment
- Notify upper management
Eradicate whatever caused the attack and start remediating the vulnerabilities and any weak security controls. The process at this stage is as follows:
- Ensure all artifacts of the incident (registry keys, files, timestamps, and event logs) have been fully removed from your system.
- Repair or update your systems as required.
- Verify that all software patches are current and any needed protections strengthened.
- Ensure your offsite backups are ready for deployment.
Compile a report on the incident that includes information on what happened, how it happened, and what steps were taken to mitigate the damage. This report should be sent to upper management, the board of directors, any relevant regulatory bodies, and other stakeholders, including clients, partners, and vendors. The report should also include recommendations on how to prevent similar incidents from occurring in the future.
Once the threat is eliminated and the damage repaired, you can start to restore your systems and resume your operations. This process can take some time, depending on the extent of the damage. To do this, you need to do the following:
- Restore any lost data from backups.
- Reinstall any software that was deleted or corrupted.
- Reconfigure any settings that were changed.
- Test your systems to make sure they are working properly.
- Notify upper management, any relevant regulatory bodies, and other stakeholders that the incident has been resolved and that your systems are back up and running again.
However effective and experienced your technical staff may be, today’s highly sophisticated automated cyberattacks are best handled by preparing for the above steps in advance. If you don’t have a plan, now is the time to develop one. To do this, you need to bring together a team of people who will be responsible for dealing with the incident. This team should include IT staff, cybersecurity experts, and upper management. The team will need to determine the steps that must be taken to address the incident and make sure that everyone knows their roles and responsibilities.
Having an incident response plan at your disposal will help your organization minimize damage, disruption, and stress. Ultimately, though, the best preparation is to help prevent a cyberattack from ever happening in the first place, namely through continuous penetration testing of your networks against common threats. A ransomware readiness audit also allows you to address any vulnerabilities that could readily be exploited in a ransomware attack.
Contact us if you need help testing your network security.