8 Steps Every Incident Response Plan Requires to Spot, Contain and Recover From an Attack

The popular saying “Keep Calm and Carry On” is a good mantra for any company that finds itself undergoing a cyberattack, but what that pithy phrase does not explain is how one stays calm when a threat actor has locked down your systems and is demanding a multimillion-dollar ransom.

The key is having an incident response plan in place and ready to be pulled off the shelf and put into action by a well-drilled team that includes people from the C-suite to corporate communications to IT staffers.

For the uninitiated or those with few resources, developing an incident response plan may seem daunting, and let’s be honest, it can be without a good teacher. 

However, Trustwave Security Colony can be that teacher. 

Security Colony is a powerful, industry analyst-recognized self-service resource for CISOs that gives them direct access to a variety of tools, including a guide to developing an incident response plan. 

The guide is a detailed soup-to-nuts breakdown of what goes into incident response and the critical steps to take once you’ve been attacked. 

1. The Plan

The first step is to ensure you have an incident response plan in place. This document will contain a wide range of information and pre-planned tasks and will help guide an organization through an attack.

To create an incident response plan, it is vital to determine exactly what problem the plan will solve, such as what assets need protection and what attack scenarios you might face.

Once the primary assets are understood, the plan must take into consideration the fact that an IT department or security team cannot stand on its own when responding to an attack. The plan must detail who security will collaborate with within the broader organization. In general, this should include having an executive sponsor, essentially someone with enough oversight to support the security team’s effort and insist that others get on board.

An incident response plan must have buy-in from managers across the company, who should review, contribute, and understand their roles in incident response. Build an advisory committee comprised of people from around the organization who will be involved in responding to the crisis. Include your public relations and corporate communications teams.

It also helps to reach out to local law enforcement for support. Many police departments now have dedicated cybersecurity teams that can help before and after an attack takes place. Additional outside help from a dedicated cybersecurity partner should also be an integral part of the plan, especially if your internal security skills are lacking.

2. Are We Under Attack?

Perhaps counterintuitively, one of the most challenging aspects of responding to an incident is realizing that your organization is under attack. Threat actors are adept at remaining under the radar and only letting a target know it has been victimized when it suits their purposes. 

As a quick aside, organizations can get ahead of an attacker by using the Trustwave SpiderLabs Advanced Continual Threat Hunt (ACTH) solution. ACTH proactively searches a client’s systems for indications that an attacker is lurking before they pull the trigger. For more information, please click here.

Those without an early warning will have to be on the lookout for other signs. These include:

  • Strange or unexpected system activity
  • Alerts from a Network IDS or Antivirus system
  • Unscheduled system crashes or server reboots
  • Unexplained configuration changes, unusual files, unknown processes, unexpected website changes, etc.
  • Influx of phishing emails, spoofed emails, etc.
  • Unusual activity in log files, or gaps in or missing logs
  • Email system showing a large number of bounced/invalid emails
  • Large volumes of network traffic to unknown countries and networks
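Several of the indicators in that list can be checked automatically once the logs are in hand. The following is an added example written for this article, not code from Trustwave or Security Colony: it runs three checks over constructed sample data (a long silence in a host's log stream, a boot banner outside an assumed maintenance window, and a large outbound byte count to a country not on an assumed known list). The host name, the 22:00 to 23:59 maintenance window, the 30-minute gap threshold, the 500 MB egress threshold and the known-country list are all assumptions chosen for the demonstration and would be tuned to the environment.

```python
"""Flag the compromise indicators from the list above in constructed log data.

Three checks: gaps in logging, reboots outside a maintenance window, and
large egress volumes to destinations not on a known-country list.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed syslog-style lines (sample data, not from any real host).
# The 2.5-hour silence after 01:10 and the 03:40 boot banner are the anomalies.
SAMPLE_LOGS = """\
2024-04-10T01:00:00 host1 cron[101]: job started
2024-04-10T01:05:00 host1 sshd[202]: Accepted publickey for deploy
2024-04-10T01:10:00 host1 cron[101]: job finished
2024-04-10T03:40:00 host1 kernel: Linux version 5.15.0 booting
2024-04-10T03:41:00 host1 systemd[1]: Started Session 9 of user root
2024-04-10T03:42:00 host1 sshd[303]: Accepted password for root
"""

# Constructed flow records: (timestamp, destination IP, country code, bytes out).
# Addresses are from documentation ranges; "ZZ" stands for a country not normally seen.
SAMPLE_FLOWS = [
    ("2024-04-10T02:00:00", "203.0.113.10", "US", 120_000),
    ("2024-04-10T02:30:00", "198.51.100.7", "DE", 80_000),
    ("2024-04-10T03:45:00", "192.0.2.55", "ZZ", 1_500_000_000),
    ("2024-04-10T03:50:00", "192.0.2.56", "ZZ", 900_000_000),
]

# Messages that mark a host start-up: the kernel boot banner and journald's reboot marker.
REBOOT_MARKERS = ("Linux version", "-- Reboot --")


def parse_syslog(text):
    """Return (timestamp, host, message) tuples, oldest first, from ISO-prefixed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, message = line.split(" ", 2)
        events.append((datetime.fromisoformat(stamp), host, message))
    return sorted(events)


def find_log_gaps(events, max_gap=timedelta(minutes=30)):
    """Return (start, end) pairs where consecutive events are more than max_gap apart.

    A host that normally logs every few minutes falling silent is the 'gaps in
    or missing logs' indicator: either logging was tampered with or the host
    was down. max_gap is an assumed value and should match the host's cadence.
    """
    return [(prev[0], cur[0]) for prev, cur in zip(events, events[1:])
            if cur[0] - prev[0] > max_gap]


def find_unscheduled_reboots(events, window_start=time(22, 0), window_end=time(23, 59)):
    """Return boot events whose time of day falls outside the (assumed) maintenance window."""
    return [(ts, host, msg) for ts, host, msg in events
            if any(marker in msg for marker in REBOOT_MARKERS)
            and not (window_start <= ts.time() <= window_end)]


def find_unusual_egress(flows, known_countries=frozenset({"US", "DE"}),
                        min_bytes=500_000_000):
    """Sum bytes per destination country; flag unknown countries above min_bytes."""
    totals = defaultdict(int)
    for _, _, country, nbytes in flows:
        totals[country] += nbytes
    return {c: b for c, b in sorted(totals.items())
            if c not in known_countries and b >= min_bytes}


if __name__ == "__main__":
    events = parse_syslog(SAMPLE_LOGS)
    for start, end in find_log_gaps(events):
        print(f"log gap: {start} -> {end} ({end - start})")
    for ts, host, msg in find_unscheduled_reboots(events):
        print(f"unscheduled reboot on {host} at {ts}: {msg}")
    for country, nbytes in find_unusual_egress(SAMPLE_FLOWS).items():
        print(f"unusual egress: {nbytes:,} bytes to {country}")
```

Each check is a single function over parsed events, so the same logic can be pointed at a SIEM export or a collected syslog file; the thresholds are the part that has to be calibrated against what "normal" looks like for the host in question, which is why the plan should record that baseline before an incident.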

3. Incident Response Team: Assemble!

When the security team spots one or several of these indicators, they should activate the incident response plan. It’s vital to bring together everyone previously tagged as part of the response effort and take copious notes of what is discussed during these meetings. The team should then immediately put into place a “need to know policy” with only those working on the problem being privy to the details.

Try not to use corporate assets like email or chat programs to communicate, as these may be compromised. Instead, use out-of-band channels such as telephones or devices not connected to the corporate network.

4. Assessment

Once the players are in place, including any third-party security partner, attempt to determine how much of the environment the attack has compromised. If you can’t make this determination, simply assume the worst as a starting point.

5. Containment

The one thing you don’t want to do is make, or allow, the situation to worsen. Hackers love to move laterally through a network, so the first move should be to disconnect any potentially compromised parts from the rest of the environment. Another counterintuitive move is to avoid running antivirus or vulnerability scanning tools against the compromised systems, as this may contaminate the system logs and other forensic evidence, making recovery and analysis more difficult.

6. Eradication

Eradication should not be confused with recovery, which is the next step in the incident response process. Eliminating the problem can be very difficult, as the process depends on exactly what type of attack transpired. If a vulnerability was the cause of the attack, then patching and cleaning the system might suffice. For incidents involving malware, verifying that the systems are in fact secure and that the malware has been completely removed can be very difficult and time-consuming. For example, rootkits, a key method hackers use to maintain persistence on compromised systems, can be challenging to detect without specialist skills and tools. Security experts generally recommend rebuilding systems entirely to prevent reinfection.

7. Recovery

The most important facet at this stage is to make sure the recovery process does not itself result in another security incident. If backups are available, ensure they are not compromised, or else you will simply reintroduce the problem into your system, which is exactly what the attacker wants. There is also a legal aspect to recovery, and one must ensure the team has performed all necessary due diligence before deciding whether to declare the incident over. Finally, keep logging and monitoring the affected systems and network traffic to verify that the system or environment has actually been remediated.
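Checking that a backup is still what was taken before restoring from it is one of the steps described above. The following added example is not part of the original post or of any Trustwave tool; it shows one way to do that check: a SHA-256 manifest recorded when the backup is taken and compared against the backup set before restore, reporting files whose content changed, files that disappeared and files that were never in the backup. The manifest is written to a separate location so that it cannot be rewritten together with the backup. The directory layout, file names and the tampering applied in the demo are all constructed for the demonstration.

```python
"""Check a backup set against a hash manifest before restoring from it.

The manifest is written when the backup is taken and must be stored apart from
the backup itself (offline or on a separate, write-once store); a manifest kept
beside the backup can be rewritten along with the files it describes.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the backup tree with the manifest.

    Returns the files whose content changed, files the manifest lists that are
    gone, and files present that the manifest never recorded. Any non-empty
    list means the backup is not what was taken and should not be restored.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def is_clean(report):
    """True when the backup matches its manifest exactly."""
    return not any(report.values())


def demo():
    """Constructed scenario: take a backup, record its manifest, tamper, re-verify.

    Returns (report_before_tampering, report_after_tampering).
    """
    with tempfile.TemporaryDirectory() as backup_dir, tempfile.TemporaryDirectory() as vault_dir:
        backup = Path(backup_dir)
        (backup / "etc").mkdir()
        (backup / "etc" / "app.conf").write_text("listen=443\n")
        (backup / "data.db").write_bytes(b"\x00" * 4096)

        # Manifest goes to a separate location (stand-in for offline storage).
        manifest_path = Path(vault_dir) / "backup.manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))
        manifest = json.loads(manifest_path.read_text())
        before = verify_backup(backup, manifest)

        # Constructed tampering: altered config, deleted database, extra file added.
        (backup / "etc" / "app.conf").write_text("listen=443\ndebug=true\n")
        (backup / "data.db").unlink()
        (backup / "extra.bin").write_bytes(os.urandom(16))
        after = verify_backup(backup, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("pristine backup clean:", is_clean(before))
    print("tampered backup report:", json.dumps(after, indent=2))
```

A manifest of digests only proves the backup has not changed since it was taken; if the attacker was already present when the backup ran, the backup faithfully preserves their foothold, which is why the date of the first compromise established in the assessment step decides which backups are safe to restore at all.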

8. Lessons Learned

Even though your desire might be to forget that the attack happened, the best course of action is to conduct a formal post-incident review. Check whether the incident response plan was, in fact, effective, whether established security policies worked as expected, and whether the initial risk assessment the team conducted of crucial corporate assets was accurate. Basically, did the bad guys go after what you expected, or were they interested in data that you did not believe to be important?

Establishing an incident response process takes time, effort, money, and skill, but it’s important to remember that it can and must be done. If your organization does not have the ability to do so, calling in a security partner might be required. 

If you are not ready for that step, a good first action is using some of the self-assessment tools supplied by Trustwave’s Security Colony. A detailed incident response plan can be found here for free, along with additional text and video resources.

Security Colony has been cited as a “major differentiator” by industry analyst firm IDC, as a powerful self-service resource for CISOs that gives them direct access to a variety of tools that will allow them to self-diagnose the problem. 
