This is the phase where the response team, having gathered the information and gained an understanding of the incident, tries to contain, combat and recover from the threat. It typically involves taking action to prevent further damage, such as disabling network access for infected computers, closing ports, isolating traffic or blocking IPs. Depending on the type of incident, there may also be a need for immediate action such as resetting passwords for users whose accounts were breached, or blocking the accounts of insiders who may have caused the incident.
Many incidents involve responding to malicious software, such as ransomware, viruses or trojan horses, designed to cause damage, steal data or make extortion demands. A recent 2019 UK Government report [1] showed that a third of businesses had a cyber security breach or attack in the prior 12 months, with malware (including ransomware) attacks impacting 27% of these businesses.
In recovering from such incidents, it is important to maintain backups of the impacted systems, to have appropriate, risk-driven business continuity plans, and to review and update incident playbooks so that your business preserves evidence for later forensics or legal cases, should that be required. Careful decisions need to be made around service restoration, with two critical requirements:
- Carry out system/network validation and testing to certify all systems as operational.
- Re-certify any compromised component of the systems as both operational and secure.
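The containment actions named in the opening paragraph and the two restoration requirements above, as an added Python example that is not part of the original article: evidence is preserved before a host is cut off, and a component is only cleared for restoration when it passes operational validation and, if it was compromised, security re-certification as well. The incident record, host names, account name and IP address are constructed sample values, and the action labels are hypothetical rather than any specific tool's commands.

```python
from dataclasses import dataclass

# Constructed incident record, as the team might hold it after the
# identification phase. All hosts, accounts and the IP are sample values.
SAMPLE_INCIDENT = {
    "type": "ransomware",
    "infected_hosts": ["ws-014", "fs-02"],
    "malicious_ips": ["203.0.113.7"],
    "breached_accounts": ["j.doe"],
    "insider_accounts": [],
}


def plan_containment(incident: dict) -> list:
    """Turn an incident record into an ordered list of containment actions.
    Each host is imaged before it is isolated so that evidence survives
    for any later forensic or legal work (hypothetical action labels)."""
    actions = []
    for host in incident["infected_hosts"]:
        actions.append(f"preserve-evidence {host}")  # snapshot/image first
        actions.append(f"isolate-network {host}")    # then disable network access
    for ip in incident["malicious_ips"]:
        actions.append(f"block-ip {ip}")
    for user in incident["breached_accounts"]:
        actions.append(f"reset-password {user}")
    for user in incident["insider_accounts"]:
        actions.append(f"disable-account {user}")
    return actions


@dataclass
class Component:
    name: str
    compromised: bool
    operational_ok: bool = False  # system/network validation and testing passed
    secure_ok: bool = False       # security re-certification passed


def restoration_blockers(components) -> dict:
    """Map every component that may NOT yet return to service to its reasons.
    All components need operational validation; compromised ones must also
    be re-certified as secure before restoration."""
    blockers = {}
    for c in components:
        reasons = []
        if not c.operational_ok:
            reasons.append("not validated operational")
        if c.compromised and not c.secure_ok:
            reasons.append("not re-certified secure")
        if reasons:
            blockers[c.name] = reasons
    return blockers
```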