
Effective strategies for managing cyber incidents

Navigating the Dangers of Ransomware Attacks: The Importance of Balancing Containment, Recovery, and Forensics


If you haven't experienced a ransomware attack yet, it's probably just a matter of time. The worst part is that you will get no warning. One minute the team is working hard to wrap up the day; the next, your SaaS apps stop working, network access disappears, and every security team member's phone starts ringing. That's when you cancel all your evening plans and make coffee, because getting the systems back up and running will likely be a night's work. This reaction is natural, as every second of system downtime can paralyze business operations. But it's precisely when teams start to rush that mistakes are made.

The most common mistakes and the importance of balancing

From my experience, I see two critical mistakes repeating themselves. First, teams neglect the three key protocols that must be followed when responding to an incident: containment, forensics, and recovery. Second, they take an isolated approach, treating containment, forensics, and recovery as if they were independent activities. The point is not that these activities are wrong. All of them are valid and essential. What is missing is the balance between the three primary functions. Contrary to what it may seem, combining the three speeds up the process and helps ensure a smoother resolution.

Containment, recovery and forensic analysis: an essential interaction

Forensic analysis, for anyone who has never conducted a forensic investigation, aims to find indicators of compromise (IOCs), which are essentially evidence of malicious activity. These can show up as unrecognized files on your systems or as unusual network traffic, and they drive the containment measures taken to prevent further damage. One possible step is for the forensics team to deploy an endpoint detection and response (EDR) solution to determine which systems were affected. The team then shares its findings with the containment team, who get to work. Likewise, input from the containment team is needed to recover the affected systems. On the recovery side, the collection of all forensic data is performed by the recovery team and must be completed before any system recovery effort is undertaken, so that evidence is not destroyed by the restoration itself.

The collaboration between the teams and the success of the operation

Collaboration between teams, an ongoing process where each area is equally balanced, is critical to complete incident resolution. If one group prevails over the others, the process starts to break down, which can have a detrimental effect on the company's business. Instead, linking teams that may have previously been disjointed allows for a more complete and effective response. Thus, containment, recovery and forensics are not independent entities, but integral parts of a single system, each requiring attention and adequate resources to ensure effective incident management.


07/02/2023 18:10

Editorial AI
