The steps we take after a cybersecurity event occurs
The first priority is to prepare in advance by putting a concrete IR plan in place. We help organisations establish and battle-test a plan before a significant attack or data breach occurs. We address the following response phases as defined by NIST:
Preparation
Planning in advance how to handle and prevent security incidents
Detection and Analysis
Everything from monitoring potential attack vectors, to looking for signs of an incident, to prioritisation
Containment, Eradication, and Recovery
Developing a containment strategy, identifying and mitigating the hosts and systems under attack, and having a plan for recovery
Post-Incident Activity
Reviewing lessons learned and having a plan for evidence retention
Figure 1 – The NIST recommended phases for responding to a cybersecurity incident
Building on the outlined NIST phases, here are specific incident response steps to take once a critical security event has been detected:
1. Assemble your team
It’s critical to have the right people with the right skills, along with associated tribal knowledge. Appoint a team leader who will have overall responsibility for responding to the incident. This person should have a direct line of communication with management so that important decisions—such as taking key systems offline if necessary—can be made quickly.
In smaller organisations, or where a threat isn’t severe, your SOC team or managed security consultants may be sufficient to handle an incident. For more serious incidents, you should involve other relevant areas of the company, such as corporate communications and human resources.
If you have built a Computer Security Incident Response Team (CSIRT), now is the time to activate it in collaboration with the Wire Speed Systems Tiger Team, bringing in the entire range of pre-designated technical and non-technical specialists.
If a breach could result in litigation, or requires public notification and remediation, you should notify your legal department immediately.
2. Detect and ascertain the source
Our CIRT (Tiger Team), working with your team, will first identify the cause of the breach and then ensure that it is contained. Our teams become aware that an incident is occurring or has occurred from a very wide variety of indicators, drawing on our next-generation security solutions as well as your other existing solutions: