A Brief Guide to Handling a Cyber Incident

Incident response planning entails how an organization handles a data breach or cyberattack. How an organization responds to a data breach or cyberattack can have an enormous financial and reputational cost, and organizations that quickly contain a data breach in less than 30 days save more than $1 million. Unfortunately, only 24 percent of organizations have an incident response plan.

An organization’s failure to have or implement an incident response plan can have serious legal repercussions. Best practices recommend that an incident response plan include at least the following:

1. applicable law or regulation,
2. data breach trigger,
3. person or organization to contact, and/or
4. information to include in reporting requirements.

In addition to these four items, two other items remain essential for a robust incident response plan: preparation for prosecution and attorney-client privilege.

An incident response plan must have a data retention policy in preparation for prosecution. The policy should include specific steps on preserving data and documenting the chain of custody. Without this policy, the cause of the data breach remains unknown and a similar breach could occur again in the future. Additionally, an organization can experience numerous legal repercussions for failing to properly preserve data.

During a cyber incident, legal counsel should work with the incident response team (IRT). The attorney’s participation during this process helps establish an attorney-client privilege regarding incident response inquiries, data breaches, or cyberattacks. However, some tasks—such as when an IRT performs daily operations—do not receive attorney-client privilege.

So, the question arises: What steps should an organization take to plan for and handle a cyber incident? Below I provide steps found in the SANS Incident Handler’s Handbook (see the handbook for further details).

1. Preparation. This step involves creating an IRT that remains ready to handle a potential data breach or cyberattack. For example, an IRT requires policies that document member roles and responsibilities, a communication plan, and the proper tools to quickly respond to any potential cyber incidents.
2. Identification. This process involves determining whether an organization experienced a data breach. If a data breach occurred, the IRT should immediately implement the incident response plan.
3. Containment. After an organization discovers a data breach, the organization must find a way to limit its impact. The IRT must isolate the impacted workstations, servers, or other devices from the network. Also during this phase, the IRT must make forensic copies of affect systems for further analysis.
   
4. Eradication. This phase involves removing and restoring affected systems.
5. Recovery. This phase entails moving previous affected systems back into the IT infrastructure. The IRT must test, monitor, and validate all systems prior to integrating them back into the production environment.
6. Lessons learned.  This last phase entails completing the incident report and finalizing the lessons learned from the incident.

Like the SANS Incident Handler’s Handbook, the National Institute of Standards and Technology (NIST) also provides a guidance document for handling cyber incidents, the Computer Security Incident Handling Guide. These two documents provide an excellent starting point for creating a robust incident response plan to manage a data breach or cyberattack.