How to Respond to a Cyber Attack
What you SHOULD and SHOULD NOT do in the event of a cyber-attack
In the event of a Cyber Attack, here are our tips on what to do and what to avoid for an effective response:
What NOT to do
Don't delete anything that might be needed as evidence
We understand - you're in the midst of an attack and you just want to stop it as soon as possible. You may think it's best to remove or delete anything associated with the infection.
However, be careful - you'll need this information later on for post-incident analysis. Preserve as much evidence as possible (logs, suspicious files, memory contents, disk images), as these details are crucial to identifying how the attacker managed to bypass your security, and who was behind it.
Don't bargain with the attackers
Don't try to contact the attacker to negotiate.
At best, they'll ignore you. At worst, your pleading will encourage their efforts. If their aim is to generate cash rather than chaos (which is the most likely case), they may be incentivized to increase the ransom on your data. You may even end up accidentally exposing more details and entry points that they can exploit, and more often than not you will be flagged for a future attack as an easy and willing target.
Don't provide a timeline to the media
Be honest and realistic. You can't be sure of when (or if) you will be back up and running at normal capacity, so try not to make any public statements that you will regret, or that may antagonize the cyber criminals into prolonging their attack.
Don't pull the plug
It's easy to panic and resort to turning everything off in an attempt to stop the attack in its tracks. Whilst switching your devices off may well stop an attack, it will also destroy the volatile forensic evidence (memory contents, running processes, active network connections) that you will need to establish attribution, entry points, lateral movement and privilege escalation - essentially the entire attack profile. In cases of ransomware, it can also do more damage than good. Instead of turning them off, disconnect from the network by removing the network cable or turning off the wireless, whilst maintaining power.
What TO do
Triage and Prioritize the Incident
Could it just be a false alarm? Not every report or detection is a genuine incident. Triage the incident to first validate whether this is a genuine attack or not.
If the incident is valid, try to prioritise it - does the attack pose severe damage or are the consequences likely to be mild? To do so, you will need to classify the form of attack, and try to identify the intended targets. This will help direct you towards the next steps to be taken, along with the amount of resources you should allocate to them.
Contact your Incident Handlers to enact your Incident Response Plan
Now is the time to put your Incident Response Plan into action. You should have a team of Incident Response Handlers who are experienced and certified in dealing with such situations.
Notify relevant parties
You will need to notify any relevant parties - such as customers, suppliers and stakeholders. If you are a high-profile organisation and/or you have sent staff home, it is likely the media will pick up on the story and you will feel pressure to communicate with them, in which case you should do so by working with a public relations agency (do not engage the media directly). You may already have a Communication Plan defined within your Incident Response Plan which you can follow too, but again, consider what message you are sending (or not).
Be aware of your legal responsibilities
This point leads on from the last. Depending on your location, there may be laws in place that govern when and who you should be making aware of the attack. This is likely to include authorities and customers.
Additionally, if your organisation operates in the UK and the attack involves a personal data breach - you will need to report it to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it.
Backup your Data
If you've been using our Compliance Manager to build a strong foundation of Information Security Governance, Risk and Compliance (GRC), you'll be familiar with Business Continuity and Disaster Recovery (BCDR).
Remember all of the Test Recovery Drills you've (hopefully!) been performing? This is where they'll become invaluable.
One of the biggest threats you'll be facing in a cyber attack is the loss of data. To prevent as much loss as possible, you'll need to have taken pre-emptive action by backing up your data and regularly testing that it is recoverable. One of your first ports of call in a cyber attack should be to check the integrity and recoverability of systems and data to confirm you are definitely able to recover, as this will have a direct impact on what you do next.
Contain the Incident
Stop the damage from spreading by isolating the compromised devices. Examples include implementing firewall rules to block the IP addresses that the attack is originating from or calling home to, disconnecting your network from the internet or other internal networks entirely, isolating devices by blocking their MAC addresses / disabling their switch ports, or removing network cables / WiFi adaptors from affected devices.
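The firewall-rule containment described above (blocking the addresses the attack originates from or calls home to) is easy to get wrong under pressure: duplicate and overlapping indicators, a typo that is silently ignored, or a loopback address that isolates the host from itself. The following is an added example, not code from the original article or from any product it mentions. It takes a constructed list of indicators, validates and collapses them, refuses reserved addresses, and renders an nftables ruleset that drops and logs matching traffic in both directions. The sample indicators use documentation address ranges and are not real attack infrastructure.

```python
"""Build a containment ruleset from a list of indicators (added example).

Assumptions (not from the original article): indicators are IPv4/IPv6
addresses or CIDRs, one per entry; the target firewall is nftables; the
sample indicator list below is constructed for illustration.
"""
import ipaddress

# Constructed sample: duplicates, an overlapping host/network pair, a typo,
# and a loopback address that must never end up in a block list.
SAMPLE_IOCS = [
    "203.0.113.5",
    "203.0.113.5",       # duplicate
    "198.51.100.0/24",
    "198.51.100.77",     # already covered by the /24 above
    "2001:db8::1",
    "127.0.0.1",         # blocking this isolates the host from itself
    "not-an-ip",         # typo that must be reported, not silently dropped
]

def normalise_iocs(iocs):
    """Validate, dedupe and collapse indicators; return (networks, rejected)."""
    v4, v6, rejected = [], [], []
    for raw in iocs:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "unparseable"))
            continue
        if net.is_loopback or net.is_unspecified or net.is_multicast:
            rejected.append((raw, "reserved"))
            continue
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges duplicates and networks contained in others
    nets = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return nets, rejected

def _element(net):
    """Render a host without a /32 or /128 suffix, a network with its prefix."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)

def nft_ruleset(nets, table="containment"):
    """Render an nftables ruleset: log and drop traffic to/from the indicators."""
    sets = {
        "ipv4_addr": [_element(n) for n in nets if n.version == 4],
        "ipv6_addr": [_element(n) for n in nets if n.version == 6],
    }
    lines = [f"table inet {table} {{"]
    for typ, elems in sets.items():
        if elems:
            name = "ioc_" + typ.split("_")[0]
            lines.append(f"    set {name} {{ type {typ}; flags interval; "
                         f"elements = {{ {', '.join(elems)} }} }}")
    # Inbound from, and outbound/forwarded to, any indicator is logged then dropped.
    for hook, direction in (("input", "saddr"), ("output", "daddr"), ("forward", "daddr")):
        lines.append(f"    chain {hook} {{")
        lines.append(f"        type filter hook {hook} priority -10; policy accept;")
        if sets["ipv4_addr"]:
            lines.append(f'        ip {direction} @ioc_ipv4 log prefix "containment-{hook}: " drop')
        if sets["ipv6_addr"]:
            lines.append(f'        ip6 {direction} @ioc_ipv6 log prefix "containment-{hook}: " drop')
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets, rejected = normalise_iocs(SAMPLE_IOCS)
    for raw, why in rejected:
        print(f"# rejected {raw!r}: {why}")
    print(nft_ruleset(nets))
```

Run it and review the rejected entries before loading the output with `nft -f`; the rejected list is the point of the exercise, since a containment rule that silently ignores a mistyped indicator leaves the channel open. The same approach applies to a switch ACL or a cloud security group: normalise first, then render.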
Investigate the Incident
Once you have contained the incident, but before you have eradicated it, you need to gather as much evidence as possible to aid in the investigation, incident reporting and post-incident analysis phases. This evidence may come from many sources such as your security logs, IDS, endpoint protection control centre, SIEM tools, central log stores, endpoint logs, network monitoring etc. Try to gather as much as you can! (And a note to self: go and check the time/date on all your devices now, and keep them synchronised with NTP, so that you are logging data with the correct timestamp. There's nothing worse than trying to correlate logs from a device whose clock was never set and thinks it is 1970!)
Aim to build a comprehensive Incident Report detailing entry points, attack vectors, targets, the data, users and business functionality impacted, the amount and sensitivity of the data affected, the source of the attack, the timeline, and the cost of the incident. You will review this in depth in your Post Incident Analysis later on to determine how to prevent this from happening again.
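The two paragraphs above ask for evidence from many sources and for a timeline built from it, and warn about devices whose clocks are wrong. The following is an added example, not code from the original article, of the first step an investigator takes with that evidence: record a hash of each raw source as collected, normalise the different timestamp formats to UTC, flag any source whose timestamps are implausible (an unset clock reporting 1970), and merge everything into one ordered timeline. The log lines, hostnames and addresses are constructed for illustration; the syslog year and time zone are assumptions, because syslog lines carry neither.

```python
"""Merge multi-source evidence into one UTC timeline (added example).

Assumptions (not from the original article): syslog lines are from 2024 and
written in local time UTC+1; the other sources stamp in UTC; every sample
line below is constructed.
"""
import hashlib
from datetime import datetime, timezone, timedelta

SYSLOG_YEAR = 2024                        # assumed: syslog carries no year
SYSLOG_TZ = timezone(timedelta(hours=1))  # assumed: web01 logs in local time UTC+1
SANE_FLOOR = datetime(2000, 1, 1, tzinfo=timezone.utc)  # anything earlier = clock unset

# Constructed sample evidence in three formats. fw01's clock was never set.
EVIDENCE = {
    "web01:/var/log/auth.log": (
        "Mar  3 02:14:07 web01 sshd[2211]: Accepted password for svc_backup from 203.0.113.5 port 51234 ssh2\n"
        "Mar  3 02:15:30 web01 sudo: svc_backup : TTY=pts/0 ; COMMAND=/bin/bash\n"
    ),
    "dc01:Security.csv": (
        "2024-03-03T01:20:15Z,DC01,4624,Logon svc_backup from 10.0.0.12\n"
        "2024-03-03T01:21:02Z,DC01,4672,Special privileges assigned to svc_backup\n"
    ),
    "fw01:traffic.log": (
        "1970-01-01 00:03:41 ALLOW 10.0.0.12 -> 203.0.113.5:443\n"
    ),
}

def parse_syslog(line):
    """'Mar  3 02:14:07 host msg' in assumed local time -> (UTC datetime, message)."""
    naive = datetime.strptime(f"{SYSLOG_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc), line[16:].strip()

def parse_iso_csv(line):
    """'2024-03-03T01:20:15Z,host,event_id,msg' -> (UTC datetime, message)."""
    stamp, host, event_id, msg = line.split(",", 3)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, f"{host} event {event_id}: {msg.strip()}"

def parse_firewall(line):
    """'1970-01-01 00:03:41 ACTION src -> dst:port' (UTC) -> (UTC datetime, message)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, line[20:].strip()

PARSERS = {
    "web01:/var/log/auth.log": parse_syslog,
    "dc01:Security.csv": parse_iso_csv,
    "fw01:traffic.log": parse_firewall,
}

def evidence_manifest(evidence):
    """SHA-256 of each raw source exactly as collected, taken before any analysis."""
    return {name: hashlib.sha256(raw.encode()).hexdigest() for name, raw in evidence.items()}

def build_timeline(evidence):
    """Return (events sorted by UTC time, names of sources whose clock looks unset)."""
    events, skewed = [], set()
    for name, raw in evidence.items():
        for line in raw.splitlines():
            if not line.strip():
                continue
            ts, msg = PARSERS[name](line)
            if ts < SANE_FLOOR:
                skewed.add(name)  # ordering for this source cannot be trusted
            events.append((ts, name, msg))
    events.sort(key=lambda e: e[0])
    return events, sorted(skewed)

if __name__ == "__main__":
    for name, digest in evidence_manifest(EVIDENCE).items():
        print(f"{digest}  {name}")
    events, skewed = build_timeline(EVIDENCE)
    for ts, name, msg in events:
        flag = "  [CLOCK UNSET]" if name in skewed else ""
        print(f"{ts.isoformat()}  {name:<24} {msg}{flag}")
```

Two things the merged view makes visible that the separate logs did not: once web01's local time is converted to UTC, the SSH login from 203.0.113.5 precedes the domain controller logon by six minutes, which is the lateral-movement order the report needs; and fw01's entries sort to the top with a 1970 stamp, so its ordering relative to everything else is unknown and must be reconstructed from other sources. The manifest of hashes, written down before anyone starts analysing, is what lets you later show the evidence was not altered.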
Learn from the incident
Last but by no means least - use your Incident Report and everything prior to this point in the Post Incident Analysis stage to learn from the attack. What defences can you put in place to ensure this kind of attack can't happen again? What could be improved in your Incident Response Procedure? Were you equipped with the right resources to deal with the situation? Fix the clock, logging or backup gaps the investigation exposed before the next incident, not after it.
The one positive you should take from a cyber attack is that you will be better prepared for if (but most likely when...) there is another one!