First response to cyber security incidents

Taking clear action in the first few hours of a crisis to minimise future risk

Gabriel Currie
Feb 21, 2019

Incident response is hard, and the hardest part can often be in the first few hours where chaos reigns supreme and nobody really knows what’s going on or what they should be doing.

Follow the seven steps for immediate incident response to provide clear direction, take appropriate action, and lay the foundations for an effective response: confirm, triage, document, escalate, plan, mobilise, and report. These are shown as a linear process; however, the reality may of course be different, with concurrent or reordered tasks.

[Figure: Seven steps for immediate incident response]

Seven Steps for First Responders

Confirm

Confirm that the incident report is not a false-positive (for example, through verification of logging or alerting system data), and confirm basic details about the incident such as:

  • How was the incident initially detected, when, and by whom?
  • What systems and data have been impacted?
  • What security controls (e.g. anti-virus software, network monitoring, file integrity monitoring) exist in the impacted environment?

Triage

Triage the incident to identify:

Document

Document the known facts relating to the incident and actions taken to date, preferably in a pre-prepared template (for example, using this template from the IAPP).
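The Confirm and Document steps above can be partly mechanised: an incident report is checked against the log data that should corroborate it, and the answers to the three confirmation questions are written straight into a structured record that the later steps can build on. The following is an added example, not code from the article or from the author; the log format, the two-hour corroboration window, the `Alert` and `ConfirmationRecord` types and the sample log lines are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample SIEM export (not real data): key=value records with an
# ISO-8601 timestamp, as an anti-virus, file-integrity and auth source might emit.
SAMPLE_LOGS = r"""
2019-02-20T22:41:07Z host=web-01 source=av event=malware_detected file=C:\Temp\upd.exe
2019-02-20T22:41:09Z host=web-01 source=fim event=file_changed path=C:\inetpub\wwwroot\cmd.aspx
2019-02-20T22:55:31Z host=dc-01 source=auth event=logon user=svc_backup result=success
2019-02-21T01:12:44Z host=hr-03 source=av event=malware_detected file=C:\Users\a\invoice.pdf.exe
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_logs(text: str) -> List[dict]:
    """Parse the constructed log format into dicts with a tz-aware 'ts' field."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or malformed line: skip rather than abort the check
        rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
        rec["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        records.append(rec)
    return records


@dataclass
class Alert:
    """The incoming report as first received (hypothetical type)."""
    host: str
    reported_by: str        # person or system that raised the report
    reported_at: datetime
    claimed_event: str      # what the report claims happened, e.g. malware_detected


@dataclass
class ConfirmationRecord:
    """Answers to the article's three confirmation questions, plus evidence."""
    confirmed: bool
    detected_how: str
    detected_when: Optional[datetime]
    detected_by: str
    impacted_systems: List[str]
    controls_present: List[str]
    evidence: List[str] = field(default_factory=list)


def confirm(alert: Alert, logs: List[dict], window: timedelta = timedelta(hours=2)) -> ConfirmationRecord:
    """Corroborate a report against log data; no matching record => treat as a false positive."""
    lo, hi = alert.reported_at - window, alert.reported_at + window
    in_window = [r for r in logs if lo <= r["ts"] <= hi]
    hits = [r for r in in_window if r["host"] == alert.host and r.get("event") == alert.claimed_event]
    # Controls present on the host: every log source that has ever reported from it.
    controls = sorted({r["source"] for r in logs if r["host"] == alert.host})
    if not hits:
        return ConfirmationRecord(False, "unverified report", None, alert.reported_by, [], controls)
    first = min(hits, key=lambda r: r["ts"])
    # Other hosts showing the same event in the window are candidate impacted systems.
    impacted = sorted({r["host"] for r in in_window if r.get("event") == alert.claimed_event})
    evidence = [f"{r['ts'].isoformat()} {r['source']} {r.get('event')}"
                for r in in_window if r["host"] == alert.host]
    return ConfirmationRecord(True, f"{first['source']} alert", first["ts"],
                              alert.reported_by, impacted, controls, evidence)


def to_template(rec: ConfirmationRecord) -> dict:
    """Flatten the record into the fields a pre-prepared incident document would hold."""
    d = asdict(rec)
    d["detected_when"] = rec.detected_when.isoformat() if rec.detected_when else None
    return d


if __name__ == "__main__":
    logs = parse_logs(SAMPLE_LOGS)
    report = Alert("web-01", "SOC analyst", datetime(2019, 2, 20, 22, 45, tzinfo=timezone.utc), "malware_detected")
    print(to_template(confirm(report, logs)))
```

A report that no log source corroborates is returned with `confirmed=False` rather than discarded, so the false-positive decision itself is recorded, along with which controls were in place on the host at the time.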

Escalate

Escalate internally as required (usually determined by the impact/priority), for example, to IT management, executives, or the board.

Plan

Plan for the response, and consider defining:

  • Response objectives (for example, is the objective to minimise cyber security risk, minimise legal risk, to protect customer data?)
  • Response strategy (for example, “whack a mole” or “watch and wait”) and plan, including workstreams and tasks, logistics, update cadence, and budgeting
  • Roles and responsibilities, possibly using a framework such as FEMA’s NIMS Incident Command System or Gold/Silver/Bronze
  • Watch-out situations, i.e. those situations which represent an immediate and significant risk and require urgent action, for example, threat actor access to a production domain controller or Internet-facing web server
  • Communications strategy, both internal (communicating with the incident team, other internal stakeholders, and employees) and external (communicating with customers, suppliers, regulators, shareholders)
  • Risk appetite for the response, i.e. how much access will the threat actor be allowed to maintain while the team

Mobilise

Mobilise teams to enable an effective response, including digital forensics, crisis management, legal, communications, and any third-party providers.

Report

Report the incident as needed to regulators, insurance brokers, and law enforcement or security services. This should be guided in part by the incident triage, which will identify any mandatory reporting obligations.

Gabriel Currie

Head of Cyber Security and Deputy CISO at the UK Government’s @Cabinet_Office, previously incident response at PwC UK