So You Have Had A Security Incident, Now What Do You Do?
Most businesses today do not have a full-time in-house security operations center. Most do not have a full-time chief information security officer or an IT team that is experienced in responding to computer attack.
But the bad news is that all businesses need to be ready to respond to a successful attack.
This post is designed to provide an approach to attack which can optimize response, including response by businesses without large security operations.
It captures lessons learned from the experienced team at Crucial Point and the continued updates from the Threat Brief reports.
The Most Important Point To Keep In Mind When Responding To An Incident
The most important point to remember when you discover a cyber-attack of any sort is to realize others have been through this and that there is a tremendous body of knowledge on what to do. Take a deep breath and think and treat this as a process of continuing discovery and action.
This Will Be Dynamic Process.
Remember OODA. : Observe, Orient, Decide, Act
The decisions you make and actions you take will generate more observations and require you to think, sometimes in new ways. This is a process you will go through continuously in incident response
Observe: Assess what you know about the situation including what you don’t know and how you will get more information to fill gaps.
Orient: Think about your approach and how to assess the situation. Think about who the adversary is and what they may do next. Think about business impacts of the current situation. Do you need different approaches?
Decide: Your decisions will need to be rapid.
Act: Executing decisions will change the situation and start the OODA process over. Decide and execute quick. Consider actions like:
1) Who to notify inside your company
2) Who among your most trusted partners to discuss this with
3) How to communicate securely
4) When to get external consulting help for incident response forensics, data recovery, security assessment
5) What technical measures can be put in place to stop data exfil
6) What can be done to monitor and defeat the adversary
7) How to ensure all stakeholders are informed and coordinating action