Imagine this scenario: You’ve just discovered your network has been breached. You need to get a handle on the situation quickly, but you’re still trying to figure out what happened. What are the incident response best practices you should follow?

As cyber security consultants, we know the first few moments of an incident can be highly stressful and confusing. It’s our job to help you better understand the situation and limit the damage. Our goal is to guide you through all the options for investigating and recovering from the incident. Our incident response (IR) teams have specific goals in mind when they start an engagement, and we follow precise steps to achieve those goals.

This blog outlines our approach to handling the first call with a customer who’s suffered a data breach or another cyber security incident. Questions, speculation, and chaos may run rampant if left unchecked. We bring order to this chaos with a methodical and proven approach:

1. Establish rapport and credibility
2. Understand your situation and concerns
3. Find the best way to help

Let’s dive into each of these steps.

1. Establish rapport and credibility

Make introductions. Your team may be stressed, and they are trusting us to help, so we shouldn’t be strangers. We briefly introduce our team’s backgrounds and cyber security experience. We may be working together for several weeks, so this first meeting is a natural time to break the ice and set the foundation for a productive and trusting relationship.

Come up with a game plan. Our teams are prepared to lead the first call by coming in with an agenda, solid processes, and smart questions. Before the first call, we do upfront research to better understand your situation by talking to your account representative and our team or ActiveEye analysts, as well as reviewing current news and alerts related to the issue you’re facing.

2. Understand your situation and concerns

Get your side of the story. At this stage, even with our upfront prep, you and your team ultimately have the most information about what’s happening in your environment and the incident’s impact. We come prepared to listen. The facts and details discussed in the first call are important to the investigation and the final report, so our team will document as much as possible. The questions we ask include:

- What do you think happened, and why do you think it happened that way?
- What have you done to investigate or contain the situation?
- Who needs to be involved in resolving the incident?
- What do you see as a successful conclusion?

It’s important to make sure that our team leaves the first call with a comprehensive understanding of the situation. We typically focus on non-technical details during the first call, such as what’s been reported so far and from whom, your primary concerns and expectations, and the logistics of reporting and status updates. The goal is to understand both the circumstances surrounding the incident and your definition of success.

We also need technical details and facts. However, the first call may have a much broader audience than just your technical folks (or may exclude them altogether). In these cases, we leave the first meeting with an understanding of what we need to discuss during separate “technical calls.” These calls are our opportunity to deep dive into more technical questions:

- How did this happen? (Initial vector)
- What data or systems were affected? (Impact and scope)
- How can we stop it now? (Containment and eradication)
- How can we stop similar things going forward? (Recovery)

3. Find the best way to help

At times, we may not have all the resources you need to resolve the incident. In those cases, we provide recommendations to trusted agencies or partners.