
This article is designed to lower the risk to your organization from a cybersecurity incident by identifying common errors to avoid and providing guidance on what actions you can rapidly take that both reduce risk and meet stakeholder needs.

For additional detailed industry guidance, see the NIST Computer Security Incident Handling Guide.

The first step is to have an incident response plan in place that encompasses both internal and external processes for responding to cybersecurity incidents. The plan should detail how your organization should:

- Address attacks that vary with the business risk and impact of the incident, which can range from an isolated web site that is no longer available to the compromise of administrator-level credentials.
- Define the purpose of the response, such as a return to service or handling the legal or public relations aspects of the attack.
- Prioritize the work that needs to get done in terms of how many people should be working on the incident and what their tasks are.

See the incident response planning article for a checklist of activities you should consider including in your incident response plan. Once your incident response plan is in place, test it regularly against the most serious types of cyberattacks to ensure that your organization can respond quickly and efficiently.

Although each organization's incident response process may differ based on organizational structure, capabilities, and historical experience, consider the set of recommendations and best practices in this article for responding to security incidents.

During an incident:

- Stay calm. Incidents are extremely disruptive and can become emotionally charged. Focus on prioritizing your efforts on the most impactful actions first.
- Confirm that your response is designed and executed in a way that avoids loss of data, loss of business-critical functionality, and loss of evidence. Avoid decisions that can damage your ability to create forensic timelines, identify root cause, and learn critical lessons.
- Involve your legal department. Determine whether they plan to involve law enforcement so you can plan your investigation and recovery procedures appropriately.
- Be careful when sharing information about the incident publicly. Confirm that anything you share with your customers and the public is based on the advice of your legal department.
- Tap into deep expertise and experience when investigating and responding to attacks from sophisticated attackers.

Like diagnosing and treating a medical disease, cybersecurity investigation and response for a major incident requires defending a system that is both:

- Critically important (it can't be shut down to work on it).
- Complex (typically beyond the comprehension of any one person).

During an incident, you must strike these critical balances:

- Balance the need to act quickly to satisfy stakeholders against the risk of rushed decisions.
- Inform investigators, stakeholders, and customers based on the advice of your legal department to limit liability and avoid setting unrealistic expectations.

Technical response best practices

For the technical aspects of incident response, here are some goals to consider:

- Try to identify the scope of the attack operation. Most adversaries use multiple persistence mechanisms, so finding one foothold does not mean you have found them all.
- Identify the objective of the attack, if possible. Persistent attackers will frequently return for their objective (data or systems) in a future attack.
- Be cautious about uploading suspicious files to public online scanners. Many adversaries monitor instance counts on services like VirusTotal to discover when their targeted malware has been found. If you need to check a sample, query the service by the file's hash rather than submitting the file itself.
- Carefully consider modifications. Unless you face an imminent threat of losing business-critical data, such as deletion, encryption, or exfiltration, balance the risk of not making the modification against the projected business impact. For example, temporarily shutting down your organization's internet access may be necessary to protect business-critical assets during an active attack.
- If changes are necessary because the risk of not acting is higher than the risk of acting, document the action in a change log. Changes made during incident response are focused on disrupting the attacker and may adversely impact the business. You will need to roll these changes back after the recovery process.
