A malicious payload has sneaked into your network. Now, what do you do? You’d better be ready to act quickly.
That means having an incident response plan, a step-by-step process that you can activate in the aftermath of a security attack to minimize damage and accelerate recovery time. The plan must be well-defined, delineating in advance who plays what role in the response.
An incident response plan requires a team of people with assigned responsibilities. In addition to IT security experts, the team should include key stakeholders, such as legal counsel, public relations, and human resources. Legal plays a vital role in ensuring that the organization follows the disclosure protocols prescribed by relevant data-privacy regulations, such as PCI DSS and Sarbanes-Oxley, as well as any applicable state regulations.
Protocols vary by industry and state, but any incident response plan must cover these basics:
All users should be trained on security measures, such as software updates and password policies, to avoid risky practices and to know how to react when an incident occurs.
Once the alarm is sounded, the incident response team confirms that a breach has indeed occurred, identifies the entry point, and traces the payload to wherever it lodged itself on the network.
3. Containment and isolation
After identifying the malicious code, the team determines whether any damage was caused, and if so, how much. Team members should disconnect any affected systems to prevent the spread of infection and isolate the code sample for analysis.
Analysts observe how the code is written, how it behaves, what systems and files it targets, and what its goal is, and then take steps to eliminate it.
If the payload caused damage before detection, it will be necessary to disinfect the affected systems, then restore data and software from backup files to resume normal operation.
The team reviews the response for any possible fine-tuning and shares information about the malicious code with relevant parties, such as security vendors, to help prevent further incidents.
Cyber attacks are an everyday concern for all organizations. To defend your network, you must cover the basics with anti-malware. But that’s not enough. Attackers get bolder by the day, finding new ways to break into networks. Fending them off requires a clearly defined incident response plan that ensures your organization is ready to react if an attack should occur.
Does your organization have a plan for responding to security incidents? Learn more about taking proactive measures against cyber attacks with AT&T network security solutions.
Pedro Pereira is an independent business writer and the author of this blog. AT&T has sponsored this blog post.