The Do’s and Don’ts of an Effective Incident Response Procedures
The most important step any organization can take is to have a properly trained and implemented incident response procedure in place to recover from information security incidents. The second most important step an organization can take is to know how to properly triage the environment when an incident occurs. Time is of the essence, so having a simplified list of do’s and don’ts at the ready is helpful in these situations.
When an Incident Strikes:
DON’T Be Pushed Into a Knee-Jerk Reaction
This includes shutting down systems, as this may cost you important forensic information that can help you piece together how the incident occurred. Avoid logging in using domain administrative credentials. Often, after an information security incident occurs, the cause of the threat remains, waiting for someone to log in using a password that will give them access to the entire network.
DON’T Immediately Assume that the Incident will Put all of your Data at Risk
It’s a race to determine the data in scope for the incident. Breaches can affect different classifications of data within your organization. As part of your incident response procedures, the data in scope should be identified and categorized by importance so the appropriate degree of response required is applied by internal and external parties. Legal counsel should also be notified from the start of an incident so they may apply the proper attorney-client privileges to the data collected and processed. Bringing legal counsel in late during an incident can lead to missteps during an investigation, late reporting based on contracts and statutes, and more data being discoverable than one might desire.
DON’T Use or Install Antivirus or Other Non-Forensic Software
After an incident occurs, it’s essential to collect and safeguard all systems and data. This means you should avoid installing or running any non-forensic software that may potentially overwrite essential information necessary to sort out what happened and how it took place.
DO Limit the Internal Team Privy to the Incident
Loose lips sink ships… too many people involved in a breach increase the chance the event will be leaked to media, clients, and partners. When your team is trying to discover how an incident took place and who the perpetrators are, it’s important to only discuss the incident with the individuals involved in investigating it. This doesn’t mean that your organization should try to hide the incident or sweep it under the rug. When it’s time to discuss the incident with the public, make sure to use a professional communications expert with legal counsel who can present the right image of your organization as one that takes such incidents seriously.
DO Protect and Collect Data
After an incident occurs, your Incident Response Team (IRT) will need to identify and analyze any data associated with the accounts, systems, modus operandi, malicious actor, or toolkit used to penetrate your business network. It’s essential all data is safeguarded so that none of it is tampered with or inadvertently destroyed. The IRT will collect volatile data using forensic tools, look for external intelligence to help identify the nature of the threat, as well as collect logs that help reveal important information that will help them piece the events together.
DO Take the Time to Plan Before an Incident Occurs
The best reaction to information security threats is to be proactive. This includes developing your incident response procedures ahead of time. The plan needs to involve all relevant departments and third parties associated with your organization and must be repeatable and measurable. It also means getting leadership on board to arm your organization with the training and tools they need to initiate the plan and keep it functioning effectively.