Under Attack? Don't Hit the Panic Button Yet


Got hacked?

Who are you gonna call? (Ghostbusters!)

If you were born in the 80s or earlier, you will definitely understand where the author is coming from. Jokes aside.

If your company has really been hacked or hit by ransomware, the first thing that you, as the leader of your organisation, have to do is:

  • Don’t Panic!

  • Stay cool, calm, and collected.

  • Don’t Panic!

Today, we'll share the steps for how to respond to a cyber attack. During a cybersecurity incident, staying calm and steering the ship as the captain of your team is crucial for a C-level executive. Don't let your emotions get the better of you and start a finger-pointing drama.

"How do I not panic during a cyber attack?" you say. Time's ticking, but don't sweat it: we've got your "Mission: Possible" Incident Response Plan checklist right here, sleeker than a Bond car and broken down into five steps:

  1. Prepare

  2. Detect

  3. Contain

  4. Eradicate

  5. Recover


Step 1: Prepare

In the first step of your cybersecurity incident response plan, preparation is key. Just as a coach assembles a sports team before the season starts, make sure your team is ready before any cyber threat arrives. Clarify roles and responsibilities, like assigning positions in a football match. This step requires you to build your response team and ensure they are adequately trained to handle various scenarios. Regular training sessions and cyber drills will keep your team sharp and prepared for whatever comes their way.

To make sure your team responds quickly and works well together during a cybersecurity breach, start by getting everyone organised. Clearly define each person's role, so everyone knows what to do. Practise by conducting regular cyber drill exercises that simulate real incidents, so your team becomes better at handling real situations and working together. Make sure your team has the right cybersecurity tools and resources, just like having the right equipment for sports, and invest in effective security solutions. Lastly, keep training your team to improve their skills. This way, your organisation will be well prepared to handle cybersecurity challenges when they happen.

Common Mistakes

One common mistake is assuming that everyone remembers their positions without practice. It's like expecting your team to play without training: regular cyber drills are crucial to stay at the top of your game. In addition, in the corporate world, we often create detailed cyber incident response plans but overlook the emotional element that comes into play during incidents. Humans can easily panic in stressful situations, and people may react unexpectedly when they are in a state of panic. To solve this problem, it is very important to prepare your team not just in terms of technical skills but also in managing their emotions.


Step 2: Detect

Think of your incident response team as your trusted nature guides, armed with the necessary tools and experience to spot any unusual occurrences within your organization’s cyberspace. Similar to seasoned nature enthusiasts on a hike, they utilize their knowledge and specialized equipment to keenly identify and analyse cybersecurity threats.

Early threat detection is immensely important: it acts as the first line of defence and prevents problems from escalating into far more damaging ones. To ensure rapid and effective threat detection, it's highly advisable to establish a Security Operations Centre (SOC) within your organisation. A SOC serves as the central hub for monitoring and responding to security incidents, and it runs 24 hours a day, 7 days a week. Furthermore, investing in robust Security Information and Event Management (SIEM), Open XDR, or AI-based Endpoint Detection & Response (EDR) tools is critical. These tools collect and analyse data from various sources across your network and raise real-time alerts when suspicious activity occurs.

Incorporating a SOC and top-notch SIEM tools into your cyber attack detection strategy ensures that potential threats are identified promptly, enabling your organization to take proactive measures and swiftly respond to any security issues that may arise.

Common Mistakes

One common pitfall is sending your guides into the wilderness without the necessary tools. Just as nature guides need binoculars, your IR team requires the right tools to effectively spot and analyse issues. Investing in advanced monitoring systems and detection software can enhance their capabilities. Another mistake you may wish to avoid is connecting a compromised machine directly to the corporate network to perform live analysis: this can allow the attacker to move laterally within your systems and risks a broader cybersecurity breach across your organisation.


Step 3: Contain

Imagine your incident response team as firefighters responding to a small forest fire. Quick action is key to preventing it from spreading like wildfire. The goal is to keep the blaze from consuming the entire forest.

Once a cybersecurity threat has been identified, it's vital to isolate and contain it swiftly to prevent further harm to your business operations. A powerful tool in achieving effective containment is a Security Orchestration, Automation, and Response (SOAR) platform. Think of it as a set of automated tools and processes that act as your firefighting equipment.

For instance, if a cybersecurity threat is detected, a SOAR platform can automate the deployment of network segmentation strategies. This action isolates compromised systems onto a separate network segment, minimizing the attack surface and preventing the threat from moving laterally within your network. This automation simplifies the containment process, allowing your team to respond with speed and precision, much like firefighters working to prevent a blaze from spreading out of control. Integrating SOAR into your cyber incident containment strategy significantly enhances your incident response capabilities, ensuring that threats are swiftly and effectively brought under control.

Common Mistakes

A significant mistake is hesitating and allowing the fire to grow uncontrollably. Another is overwriting system logs or other important data in the rush to contain the incident, which makes the subsequent investigation more difficult. Timely and sharp intervention, like firefighters tackling the flames immediately, is important to keep the situation from getting worse. Train your team to respond swiftly and decisively in order to minimise the impact of incidents; staying vigilant at all times is equally important.


Step 4: Eradicate

Imagine your cybersecurity experts as doctors diagnosing and treating an illness. Their role is to perform thorough check-ups on your organization's health, much like medical professionals seeking to identify and eliminate the root cause of a health issue.

This stage involves a thorough investigation, detailed analysis, and effective recovery to ensure that the issue is fully resolved. To achieve comprehensive eradication of cyber threats, your cybersecurity consultants typically employ threat hunting techniques (the proactive search for cyber threats within your IT environment) using indicators of compromise (IoCs; in simpler terms, the warning signs of a breach). This proactive approach helps identify hidden malware or unauthorised access points that automated security solutions might have missed.

The critical actions undertaken during the "Eradicate" phase include patching or updating affected systems to close vulnerabilities, removing malware or unauthorised access from compromised systems, changing passwords to prevent further unauthorised access, and conducting a post-mortem analysis. This post-incident analysis is similar to a medical post-treatment assessment, allowing your organisation to learn from the incident and implement stronger cybersecurity measures in the future.
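The Detect, Contain and Eradicate steps above describe the same loop a SOC runs in practice: match collected events against IoCs, corroborate across sources, then isolate affected hosts without destroying evidence. The following is an added illustration written for this article, not AKATI Sekurity's own tooling; all indicators, hostnames and events are constructed, and the playbook actions are hypothetical names rather than calls to any real SOAR product.

```python
from collections import defaultdict

# Constructed IoC set for this example (a TEST-NET-3 address and a made-up hash).
IOC_IPS = {"203.0.113.45"}
IOC_HASHES = {"deadbeef" * 8}

# Constructed events from two sources a SIEM would collect: firewall and endpoint agent.
SAMPLE_EVENTS = [
    {"source": "firewall", "host": "ws-017", "dst_ip": "203.0.113.45"},
    {"source": "endpoint", "host": "ws-017", "file_sha256": "deadbeef" * 8},
    {"source": "firewall", "host": "srv-db1", "dst_ip": "198.51.100.7"},
    {"source": "endpoint", "host": "ws-022", "file_sha256": "deadbeef" * 8},
]


def hunt(events, ioc_ips=IOC_IPS, ioc_hashes=IOC_HASHES):
    """IoC hunt over multi-source events: returns {host: set of sources that matched}."""
    hits = defaultdict(set)
    for ev in events:
        if ev.get("dst_ip") in ioc_ips or ev.get("file_sha256") in ioc_hashes:
            hits[ev["host"]].add(ev["source"])
    return dict(hits)


def severity(sources):
    """Independent sources agreeing on the same host raises confidence in the alert."""
    return "high" if len(sources) >= 2 else "medium"


def containment_plan(hits, quarantine_segment="quarantine-vlan"):
    """SOAR-style playbook (hypothetical action names): worst hosts first,
    and evidence is captured before any change touches the machine."""
    plan = []
    for host in sorted(hits, key=lambda h: (severity(hits[h]) != "high", h)):
        plan.append(("snapshot_logs_and_memory", host))  # preserve, never overwrite
        plan.append(("move_to_segment", host, quarantine_segment))
    return plan
```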

By addressing the root causes of the incident and taking these proactive measures, the "Eradicate" phase not only ensures the cyber breach is addressed and resolved effectively, but also promotes the long-term cybersecurity health and resilience of your organisation.

Common Mistakes

A notable error is treating only the symptoms instead of addressing the underlying illness. Just as doctors dig deep to find the true diagnosis, your team must focus on identifying and resolving the root issue. Another misstep we often witness is the failure to update and patch all similar systems in the environment, leaving them exposed to the risk of the same type of attack that just occurred. You need to conduct a comprehensive post-incident analysis and implement the necessary changes to prevent similar cybersecurity incidents in the future.


Step 5: Recover

In the last phase, "Recover," your team becomes like expert craftsmen restoring a vintage car to its best condition. Their job is to bring your business back to operating as well as it did before the breach, just like people carefully restoring old, beloved items. This important step is all about repairing systems, data, and services and testing them thoroughly to make sure everything works perfectly.

Thorough testing and validation procedures are comparable to an artisan's assessment of their work for authenticity. At this phase, your team should carry out thorough system tests to ensure systems function correctly and are free from vulnerabilities. Effective communication is essential: keep key stakeholders informed of the incident, the recovery progress, and any necessary changes or precautions to prevent future occurrences.

Lastly, the "Lessons Learned" process is similar to an artist refining their technique over time. Your organisation conducts a post-incident analysis to comprehend the root causes of the incident, assess the effectiveness of your response, and identify areas for improvement. This continuous learning process strengthens your overall cybersecurity resilience and allows your organization to enhance its cybersecurity practices continually.

The "Recover" phase is not just about bouncing back from a cybersecurity incident; it's about emerging stronger, more resilient, and better prepared for future challenges. Just as a classic car is restored to its former glory, your organization can move forward with renewed strength and confidence, ready to face whatever lies ahead.

Common Mistakes

We often see companies failing to monitor systems closely for signs of malicious activity after restoration, assuming that the threat has been completely eradicated. This can allow the attacker to regain access. Remaining continuously vigilant and never letting your team's guard down is one of the important mindset changes your team needs to embrace.

To regain the trust of your stakeholders, you need to establish clear communication, like informing people when their vintage car is ready to hit the road again. Also, don't forget to provide regular updates to all relevant parties and address any concerns they may have.


Conclusion

A well-structured incident response plan is like a reliable recipe for your favourite dish. It's all about working together, keeping things straightforward, and adding a touch of human care. By following these five steps—Prepare, Detect, Contain, Eradicate, and Recover—you can break down complex business problems into manageable pieces on your way to success.

People tend to get proud of themselves and take things for granted. But when it comes to incident response, it's always better to be well prepared; as the saying goes, "Better Safe Than Sorry." So, stay ready, stay safe, and ensure your organisation is always prepared to handle any cybersecurity challenge that comes your way.


About AKATI Sekurity

AKATI Sekurity is a Managed Security Service Provider (MSSP) and consulting firm specialising in cybersecurity and digital forensics. With our extensive experience and capabilities in security consulting, business applications and training, we are able to customize our services to suit the needs of each client. Basically, we simplify their need for security and efficiency in daily business processes. At AKATI Sekurity, our vision is to be the premier trusted security advisor to organisations across the globe, hence creating value for our customers, shareholders and communities.

For enquiries : hello@akati.com
