Imagine this scenario: You’ve just discovered your network has been breached. You need to get a handle on the situation quickly but you’re still trying to figure out what happened. What are the incident response best practices you should follow?
As cyber security consultants, we know the first few moments of an incident can be highly stressful and confusing. It’s our job to help you better understand the situation and limit the damage. Our goal is to guide you through all the options for investigating and recovering from the incident. Our incident response (IR) teams have specific goals in mind when they start an engagement, and we follow precise steps to achieve those goals.
This blog outlines our approach to handling the first call with a customer who’s suffered a data breach or another cyber security incident. Questions, speculation, and chaos may run rampant if left unchecked. We bring order to this chaos with a methodical and proven approach.
How we approach the initial call:
- Establish rapport and credibility
- Understand your situation and concerns
- Find the best way to help
Let’s dive into each of these steps.
Establish Rapport and Credibility
Incidents are stressful and frustrating. You’re looking for answers. In these instances, it’s important that we do whatever we can to help your team stay calm, rational, and in control. This begins with establishing rapport and credibility so that we are collectively ready to handle the incident confidently and professionally. Here are some of the things we do to make sure that happens:
- Make introductions. Your team may be stressed and they are trusting us to help, so we shouldn’t be strangers. We briefly introduce our team’s backgrounds and cyber security experience. We may be working together for several weeks, so this first meeting is a natural time to break the ice and set the foundation for a productive and trusting relationship.
- Come up with a game plan. Our teams are prepared to lead the first call by coming in with an agenda, solid processes, and smart questions. Before the first call, we do upfront research to better understand your situation by talking to your account representative and our team or ActiveEye analysts, as well reviewing current news and alerts related to the issue you’re facing.
- Get your side of the story. At this stage, even with our upfront prep, you and your team ultimately have the most information about what’s happening in your environment and the incident’s impact. We come prepared to listen. The facts and details discussed in the first call are important to the investigation and the final report, so our team will document as much as possible.
Understand Your Situation and Concerns
There are no stupid questions during the first meeting, and it’s important that everyone can ask their questions at the onset. We come prepared with a list of questions that we adapt for each incident. Here are some of the key questions we always ask:
- What do you think happened and why do you think it happened that way?
- What have you done to investigate or contain the situation?
- Who needs to be involved in resolving the incident?
- What do you see as a successful conclusion?
It’s important to make sure that our team leaves the first call with a comprehensive understanding of the situation. We typically focus on non-technical details during the first call, such as what’s been reported so far and from whom, your primary concerns and expectations, and the logistics of reporting and status updates. The goal is to understand both the circumstances surrounding the incident and your definition of success.
We also need technical details and facts. However, it may be that the first call has a much broader audience than just your technical folks (or may exclude them all together). In these cases, we will leave the first meeting with an understanding of what we need to discuss during separate “technical calls.” These calls are our opportunity to deep dive into more technical questions.
Find the Best Way to Help
Once we understand your situation and goals, we determine the best course of action so you come away with the most effective solution. As we understand your situation and goals, we can determine how to apply our capabilities. Generally, our investigations focus on:
- How did this happen? (Initial vector)
- What data or systems were affected? (Impact and scope)
- How can we stop it now? (Containment and eradication)
- How can we stop similar things going forward? (Recovery)
At times, we may not have all the resources you need to resolve the incident. In those cases, we provide recommendations to trusted agencies or partners.
Summary
Whether we are working with a potential new customer or an existing customer, it’s critical that the first call is handled in a manner that leaves both sides with a clear understanding of immediate steps, and the overall investigation and response plan. Next steps after the first call may include: scheduling a technical follow-up call, running our endpoint data collector, and uploading data for analysis.
We wrap up the first call with a summary that keeps everyone on track: “Our understanding of your primary concerns are: one, two, and three. Our first task will be to answer X, so we will be sending you instructions how to send us what we need to begin. We’ll let you know if we find anything immediately actionable, otherwise we’ll have a status update tomorrow at 3:00 to share what we’ve learned. I’ll send out the invites.”
The first call is only the beginning, but this commitment to communication continues throughout the engagement. Whether we work together on this incident for two weeks or two months, we keep you in the loop with frequent status updates, findings, recommended actions, and risk assessments.
Andrew Cook is a manager for incident response services at Delta Risk. Read more Delta Risk bogs here.
