Even with cybersecurity measures, your business can still experience loss. (For an example of what I’m talking about, read what happened to our client here.)
Are you wondering how to respond to a security breach?
In this blog, I’ll explain the process of addressing a cybersecurity issue.
Caveat: Incident response always depends on the compromise. Addressing a ransomware attack on your network will look different from handling an email breach.
Step #1: Retrieve the incident response plan.
Did a ransom note just appear on your computer screen—or did an employee just confess that he or she fell for a phishing email?
No matter the situation, please contact your IT company right away.
Hopefully, your provider has helped you create an incident response plan—a roadmap for how to respond to a security breach. Retrieving that plan is one of the first actions your managed service provider should take. (If you need help developing an incident response plan, then we encourage you to contact us.)
Step #2: Shut down and protect IT assets.
Next, your IT provider should shut down all your systems and turn off all your machines.
At Proactive IT, we’d begin with your servers because they house your data, starting with your backup server. Then, we’d shut down all systems and computers and take everything offline.
We’d also want to block inbound and outbound firewall traffic to halt communication between the hacker and the internet.
Step #3: Investigate the incident.
The next step in responding to a security breach is determining what happened.
Your IT company needs to find ground zero—where the infection started. If you’re one of our clients, our security toolbox will probably help us determine what was compromised first. However, it’s possible that we’ll need to evaluate one system at a time.
After identifying ground zero, we want to know…
- How far the infection spread. It’s important to see what other systems were damaged.
- The time of infection. This helps us restore your systems back to a time before the infection.
We’d also want to look for signs of exfiltration. Even if the hackers don’t communicate that they’ve stolen your data, it’s a good idea to check your firewall logs for suspicious outbound activity.
Step #4: Clean up your network.
If your business has undergone a large compromise, this step can be significant.
Even if we can clean a virus from a system, we’ll need to rebuild your systems from scratch. Depending on how long the hackers had access, they could have conducted other malicious activity that places your network at risk.
Using uncompromised backups, we’d wipe clean and reload your servers—and then your systems and workstations.
Step #5: Create a root cause analysis (RCA).
At this stage, we’d create an RCA, which stands for root cause analysis. This details…
- What happened.
- Why it happened.
- How to prevent it from happening again.
For example, your RCA may reveal that data exfiltration (the what) occurred because a team member fell for a phishing link (the why). Your RCA may further recommend employee training and SIEM technology to lessen the risk of exfiltration in the future (prevention).
Does your IT company know how to respond to a security breach?
Please keep in mind these activities aren’t the only ones involved in how to respond to a security breach. For example, your business may employ a PR firm or communicate with the FBI.
There are many moving parts. And your IT company should have a firm grasp of their role in addressing a compromise.
Ask your IT provider how they would handle an incident.
If they can’t articulate the steps they’d take, it’s possible your vendor doesn’t have the cybersecurity maturity needed for today’s threat landscape.
Have questions about your incident response plan? You can contact us at firstname.lastname@example.org or 704-464-3075 extension 3.
About Brad Link
Brad serves as our Senior Network Engineer and technical team lead. He designs and implements numerous IT solutions, and our clients benefit from his expertise in networking, cybersecurity, Microsoft products, and more. While you might find him conducting virtual CIO work or product research, he spends a good chunk of his day answering everyone’s questions about everything.