Incident Response: Plan Your Cyberattack Response

Even with the best prevention measures, it will never be possible to eliminate the risk of a cyberattack. Those who anticipate a cyber incident and are well-prepared can react quickly and effectively in case of an emergency.

Regardless of the industry or size, it can happen to anyone. What should one do in such a situation?

Key Cyber-Incident Response Steps

Quickly seek professional help: When critical systems suddenly fail, and security sensors raise alarms, the likelihood is high that a serious incident has occurred: the company has been hacked. The first step is to disconnect the network connection as quickly as possible to prevent the attack from spreading further. What cannot be separated by software should be physically disconnected — if necessary, by unplugging cables.

Shutting down servers isn't recommended, as it may result in the loss of important data needed later by forensic experts. Additionally, affected parties should immediately call in a professional incident response team to investigate the incident, contain it, monitor the network and securely restore systems. It would be a mistake to believe the company can handle this on its own. Many companies underestimate the psychological component of a cyberattack.

For those affected, it's an extremely stressful situation. When suddenly the existence of the company is at stake, it's difficult to keep a cool head. Important things that are usually taken for granted may be forgotten. Even the emergency plan in the drawer rarely works as expected in practice.

Related:The Gately Report: N-able Says Business Resiliency Key to Thwarting Attacks

Thomas Keck, founder and CEO of Elabs AG, recounts: "When you are in complete chaos on day one, the pressure is so high that you risk making completely wrong decisions." The entrepreneur was once personally affected by a severe cyberattack and describes how it feels in the podcast "how-to-decrypt.txt."

Maintain composure and proceed in a coordinated manner: Professional incident responders have experience with cyber incidents and know what to do. A coordinated approach is crucial. Incident response only works when someone takes the leadership role, remains calm and provides clear instructions. An expert who isn't personally affected is best suited for this.

Additionally, enough personnel are needed to handle the tremendous workload. An incident response situation often requires a 24/7 security operation over several days, which can only be achieved through shift work. Moreover, specialized expertise in various disciplines is required. Besides pure IT forensics, it also involves negotiating with cybercriminals. Although it's often recommended not to pay ransom, communication with extortionists — even if payment is clearly ruled out — can be important to buy time or potentially gain more information.

Related:The Gately Report: Trustwave Partners Get Help Starting Cybersecurity Journeys

Ensure guaranteed assistance: How to find the right incident response service provider? The Federal Office for Information Security (BSI), the German agency in charge of managing computer and communication security for the German government, has published a list of certified providers. Wasting valuable time by starting to call through this list during a cyber incident may result in all teams being booked. IR specialists are in high demand, and they also suffer from a shortage of skilled professionals. Therefore, it's crucial to get a contractual assurance in advance that guaranteed assistance will be provided in case of an emergency. Companies should book an incident response retainer with their chosen service provider, covering a fixed number of days, and establish binding response times through service-level agreements (SLAs). Additionally, it's advisable to maintain contacts with two or three other IR providers that can be called in case the contracted partner unexpectedly becomes unavailable.

Establishing the right data foundation: Professional incident responders determine what exactly happened, when it happened and how it happened. To quickly contain a cyber incident, they need to analyze which systems are affected. The right data foundation is crucial for this. Windows Event Logs alone aren't sufficient, as they aren't very reliable. Cybercriminals often manipulate such files to remain unnoticed. Telemetry data from security systems, monitoring activities on endpoints and in the network, is essential for the IR team. These data should converge in a central XDR or SIEM platform and be correlated.

The more meaningful the data, the quicker and more targeted the containment of the cyber incident. Identifying the "Patient Zero" and retracing the attack's path allows companies to learn from mistakes and address vulnerabilities. Even after IT systems are restored, it's important to continuously monitor the IT environment 24/7. There is no 100% certainty that the attacker isn't still hiding and progressing laterally in the network.

Prepare the entire company: To cope with a cyber incident without significant damage, careful preparation is crucial. A detailed emergency plan is an essential part of the cyber-defense strategy. This plan should not only include the emergency number of the incident response service provider and instructions for the IT department but involve all stakeholders in the company.

Incident response isn't purely an IT matter. Who reports a cyber incident to the relevant supervisory authority? Who informs affected customers and business partners? Who handles crisis communication? All these tasks need to be coordinated after a cyberattack. Stakeholders should include, for example, the legal department, PR and marketing department, data protection officer, and, of course, the management. An emergency plan establishes clear responsibilities and defines procedures. Thus, everyone knows immediately what tasks to take on in case of an emergency. Business continuity plans, without a technical background and situated in risk management or order control, can also be helpful.

Review, update and test the emergency plan: Many companies already have an emergency plan in place, but it may fall short. For example, how does one determine which backup state isn't compromised? How long would it take to restore the offline backup stored on tapes in the cabinet? Is it even cost-effective?

Companies should contemplate various scenarios in their emergency plan and define alternative actions: If A does not apply, we do B. This also includes setting up a communication channel outside the company's IT environment for communication in case the email system fails or attackers intercept messages. A secure messenger service is recommended.

Companies should have their emergency plan readily available and preferably store it offline so that it cannot be encrypted in a cyberattack. It should also include a network plan providing an overview of the IT environment. This plan should be updated at regular intervals. This way, there is at least a rough plan in case digital asset management isn't available during a cyber incident.

Emergency planning isn't something written once and then stored in a drawer. It must be regularly reviewed and adjusted if requirements change. To test whether the emergency plan works in practice, Red Teaming or Purple Teaming, simulating an attack situation, can be beneficial.

Conclusion

Incident response strengthens a company's resilience to survive a cyberattack with minimal impact and secure business continuity. It's no coincidence that the network and information systems NIS2 directive mandates such measures for critical infrastructures as well as important and particularly important entities. Article 21, paragraph 2, defines Incident Handling, Backup Management, Disaster Recovery, and Crisis Management as minimum standards. However, even companies not falling under NIS2's directive of the EU-wide legislation on cybersecurity need a thoughtful strategy to quickly handle a cyberattack, given the growing threat landscape.