6 Questions You Must Ask for a Successful Incident Response

Jul 18, 2016
4 minutes

For most organizations, suffering a cyberattack is not a matter of “if” but of “when.” Today’s attackers have more tooling and are more persistent than ever, and their methods evolve quickly enough to circumvent even sophisticated preventive controls.

Many recent large-scale attacks, including ransomware campaigns, have succeeded through social engineering: phishing emails, pop-ups, and free download links crafted by attackers deliver Trojans and other malware. Once a user opens the attachment or runs the download and lets the malware onto their system, a chain of events begins that ends with the organization either paying a king’s ransom or risking having its private files and other important business information published or deleted permanently.

Having response mechanisms in place for swift mitigation and limited downtime helps an organization address a cyberattack on its network. An effective incident response program must consider these questions:

1. Who is responsible for the attack?

Understanding the attacker’s mindset makes it easier to prepare a comprehensive defense. Organizations should try to identify the likely adversary at the start of their breach analysis. The type of business under attack matters: there is a big difference between a Scottish teenager hacking Facebook and a successful ransomware attack against a major university. Identifying the attacker means distinguishing between a lone wolf, an organized criminal group, a state-sponsored actor, and a hacktivist collective.

2. What is the attack’s target?

Organizations should examine what the attacker went after to gauge their sophistication, resources, and level of commitment. In the examples above, the response to a hacker out for social glory is vastly different from the response to a ransomware operator demanding tens of thousands of dollars under a payment deadline.

Serious cyber criminals seeking large financial rewards for minimal effort are turning to DDoS attacks and ransomware as their preferred methods.

3. When did the attack take place?

Timing is everything in incident response. It can mean the difference between losing an entire database of business information and recovering it, and between a recovery that costs hundreds of dollars and one that costs thousands.

Attackers are smart, and their attacks often land during holidays and outside business hours, when organizations are more likely to be short-staffed and off guard.

Timing also applies to disclosure. Incident responders should make sure that everyone who needs information about the attack receives it promptly, so they can mitigate damage on their end as well.

4. Where was the attack directed?

Probably the most important piece of information when evaluating a data breach is where the attack landed. Incident responders should examine the entire attack landscape, including the network, partners, suppliers, remote users, and any outside sources of portable data that could be involved. For example, email is often the entry point in today’s attacks, since the aim is to persuade unsuspecting users to open attachments that launch Trojans and other malware.

5. Why did the attack take place?

The attacker’s motive is a very important element to consider during a cyberattack. Effective external communications are needed to explain why the attack occurred, so that those affected know exactly where to turn to address their own damage.

6. How did the attack happen?

Organizations need a detailed account of how the attack was orchestrated and how the breach occurred, from initial access through to impact, in order to defend against a repeat and begin remediation.
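
Answering the “when,” “where,” and “how” questions in practice means correlating evidence from several log sources into one timeline. The script below is an added example, not code from the original post or from Cortex SOAR; it reconstructs the phishing-to-ransomware chain described earlier from a handful of constructed log lines (a mail gateway, an endpoint agent, and a file server). The hostnames, user, the 203.0.113.9 address, the `.locked` extension, and the Office-parent/script-host heuristics are all assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not real data), deliberately out of order,
# as a SOC analyst would receive them from three different sources.
SAMPLE_LOGS = [
    "2016-07-03T00:02:31Z fileserver host=FS01 user=alice op=rename src=Q2_forecast.xlsx dst=Q2_forecast.xlsx.locked",
    "2016-07-02T23:41:07Z mailgw rcpt=alice@corp.example subject='Invoice 4471' attachment=invoice_4471.doc verdict=delivered",
    "2016-07-02T23:45:10Z endpoint host=WS-ALICE user=alice proc=powershell.exe net_dst=203.0.113.9:443",
    "2016-07-03T00:02:33Z fileserver host=FS01 user=alice op=rename src=payroll.csv dst=payroll.csv.locked",
    "2016-07-02T23:44:52Z endpoint host=WS-ALICE user=alice parent=WINWORD.EXE proc=powershell.exe cmd='-nop -w hidden -enc SQBFAFgA'",
]

KV_RE = re.compile(r"(\w+)=('[^']*'|\S+)")          # key=value or key='quoted value'
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}          # assumed macro launchers
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RANSOM_EXT = ".locked"                               # assumed extension of the hypothetical ransomware


def parse_line(line):
    """Split '<ISO-8601 UTC> <source> k=v k='v v' ...' into a dict with a tz-aware timestamp."""
    ts_str, source, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields = {k: v.strip("'") for k, v in KV_RE.findall(rest)}
    return {"ts": ts, "source": source, **fields}


def classify(ev):
    """Map an event to an attack phase, or None if it does not fit the phishing-to-ransomware pattern."""
    if ev["source"] == "mailgw" and "attachment" in ev and ev.get("verdict") == "delivered":
        return "delivery"
    if ev.get("parent") in OFFICE_APPS and ev.get("proc") in SCRIPT_HOSTS:
        return "execution"
    if ev.get("proc") in SCRIPT_HOSTS and "net_dst" in ev:
        return "c2"
    if ev.get("op") == "rename" and ev.get("dst", "").endswith(RANSOM_EXT):
        return "impact"
    return None


def is_off_hours(ts, start=8, end=18):
    """True on weekends or outside the assumed 08:00-18:00 UTC staffed window."""
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def build_timeline(lines):
    """Parse, sort chronologically and tag each event with its phase."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    for ev in events:
        ev["phase"] = classify(ev)
    return events


def summarize(lines):
    """Answer when / where / how from the timeline; who and why need analyst judgment."""
    phased = [e for e in build_timeline(lines) if e["phase"]]
    first = phased[0]
    impact = next((e for e in phased if e["phase"] == "impact"), None)
    phases = []
    for e in phased:                                  # ordered, de-duplicated phase sequence
        if e["phase"] not in phases:
            phases.append(e["phase"])
    return {
        "when": first["ts"],
        "off_hours": is_off_hours(first["ts"]),
        "where": sorted({e["host"] for e in phased if "host" in e}),
        "who_clicked": sorted({e["user"] for e in phased if "user" in e}),
        "how": phases,
        "entry_vector": first.get("attachment"),
        "seconds_to_impact": int((impact["ts"] - first["ts"]).total_seconds()) if impact else None,
        "files_encrypted": sum(1 for e in phased if e["phase"] == "impact"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS).items():
        print(f"{key:>18}: {value}")
```

On the constructed data the summary shows a Saturday-night delivery (an off-hours hit, as the timing question warns), a user on one workstation opening the attachment, and only about 21 minutes between delivery and the first encrypted file on the file server, which is the kind of dwell-time figure that decides how much a response costs.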

Addressing these questions within a well-devised incident response plan can limit emotion-driven actions and enable quick, effective remediation. Solutions are also available to help SOC analysts gather the answers to these questions and collaborate on a plan of action. An information sharing platform helps the incident response team collect, process, and share large amounts of information, and keeps it flowing between all parties during the investigation. Good incident coordination depends on gathering, processing, and sharing information, and the data accumulated along the way is invaluable for handling future attacks.

If you are an IT security professional looking for a platform to help streamline incident management processes and security operations, sign up for the Free Community Edition of Cortex SOAR.
