It is as important to protect as it is to respond

Iñigo Ladrón Morales

Being adequately protected is important but, when something happens, when a cyber incident or a cyber attack hits the company, you also have to know how to respond to it properly, leaving nothing to chance if possible, by executing a previously defined and tested plan.

Incident response is vital. In that situation we can run around like headless chickens doing things we think help but don't, or we can execute the action plan, the contingency plan, the recovery plan, step by step, just as it was defined.

Framed within the NIST (National Institute of Standards and Technology) cybersecurity framework, incident response takes on all the importance it deserves, since the framework is built on its main functions from a holistic point of view: identify, protect, detect, respond and recover.

Cybersecurity incident response therefore stands as a fundamental pillar that minimizes impact and damage and safeguards the integrity of information assets. This is essential for companies and organizations.

Aligned with NIST, facing a cyber incident consists of detecting, containing and mitigating the effects of an attack. Its essential objective is to reduce the impact and restore the company's normal operations as soon as possible and in the best possible way.

On the other hand, experience is the mother of science and we must take into account the lessons learned after suffering a cyber incident. With this knowledge of what we have experienced, we can prepare to prevent similar situations in the future.

But then, what exactly should we do in case of an incident? We must follow a script (adapted and personalized to our company). This script translates into guidelines to follow in certain phases of action, or of the evolution of the cyber incident itself, which NIST also defines:

  • Preparation phase. The incident has not yet taken place, but the company is already getting ready for it, with the aim of being prepared and knowing how to act when it happens. Those responsible for cybersecurity must define and establish suitable controls, policies, procedures and response teams. In addition, simulation exercises can be carried out to be ready for when something really happens.
  • Detection phase. The sooner we realize it, the sooner we will react and the less impact the incident will have, so early detection is vital. To be able to do this, companies must have monitoring tools (network traffic, system and device status, etc.). Collecting all possible information and evidence, for the purposes of later computer forensics, is also very important.
  • Analysis phase. Once the incident has been detected, we must understand it, know how it acts and assess its potential danger. Network traffic analysis, for example, helps us identify suspicious activity, unusual patterns, strange behavior, etc. With this we will know not only the origin of the incident, but also its severity, scope and nature.
  • Containment phase. It is time to act to stop it, so the company must take measures to prevent the spread of the attack (isolation of affected systems, deactivation of compromised accounts, application of available updates and patches, etc.).
  • Eradication phase. Now we can eliminate the threat that caused the incident and even leave the cyber attacker without the ability to act.
  • Recovery phase. We try to get back to normal although, for the moment (and very likely), this cannot yet be 100% as it was before the cyber incident. The company must restore affected systems and services, carry out tests, guarantee that the threat is gone and ensure business continuity.

This is where the NIST framework of action ends, but it also suggests carrying out other activities of interest and relevance after the fact, which will depend on each company.

The first of them is to take note of the lessons learned. As we said, experience is the mother of science, so let us learn from the incident suffered. We must evaluate what happened from all perspectives and write down what was done well, what was done badly, why it went well or badly, and the results.

In the end we should have a document of best practices and, from that compilation and reflection, we should be able to generate, enrich and improve the corporate incident response plan, which will serve us tomorrow as a script for acting in case of new incidents.

Throughout this process we must also take into account important aspects such as coordination, collaboration, communication, and the correct management and preservation of evidence of the attack.
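The phases listed above and the evidence-preservation point, as an added example that is not from the original post or from Zerolynx: a small Python incident record that enforces the NIST phase order (so a team cannot jump straight to eradication before containing) and keeps a chain-of-custody ledger with SHA-256 digests, so artifacts collected during detection and analysis can be checked for tampering before later forensics. The phase labels, sample artifacts and collector names are constructed for the demonstration.

```python
import hashlib
from datetime import datetime, timezone

# NIST phases in the order the post lists them, plus the post-incident
# "lessons learned" activity it recommends (labels are my own).
PHASES = ["preparation", "detection", "analysis", "containment",
          "eradication", "recovery", "lessons_learned"]

class Incident:
    def __init__(self, name):
        self.name = name
        self.phase = "preparation"
        self.log = []       # ordered record of phase changes
        self.evidence = []  # chain-of-custody entries (who, when, what, hash)

    def advance(self, phase):
        # Only the next phase is allowed: no eradication before containment,
        # no recovery before eradication, and so on.
        cur, nxt = PHASES.index(self.phase), PHASES.index(phase)
        if nxt != cur + 1:
            raise ValueError(f"cannot move from {self.phase} to {phase}")
        self.phase = phase
        self.log.append((datetime.now(timezone.utc).isoformat(), phase))

    def preserve(self, label, data, collector):
        # Hash the artifact when it is collected, so later modification of the
        # stored copy is detectable and the ledger records who took it.
        digest = hashlib.sha256(data).hexdigest()
        self.evidence.append({"time": datetime.now(timezone.utc).isoformat(),
                              "phase": self.phase, "label": label,
                              "collector": collector, "sha256": digest})
        return digest

    def verify(self, label, data):
        # Re-hash the artifact and compare with the recorded digest.
        digest = hashlib.sha256(data).hexdigest()
        return any(e["label"] == label and e["sha256"] == digest
                   for e in self.evidence)

def run_playbook():
    # Constructed walk-through: evidence taken in detection and analysis,
    # then the incident is driven through containment to recovery.
    inc = Incident("constructed-demo")
    inc.advance("detection")
    inc.preserve("firewall-log", b"constructed: 10.0.0.5 -> 203.0.113.7:443", "soc")
    inc.advance("analysis")
    inc.preserve("memory-dump", b"constructed: volatile memory image", "forensics")
    for phase in ("containment", "eradication", "recovery"):
        inc.advance(phase)
    return inc
```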

As you can see, it is not as trivial as it seems, and it must be defined and guided by cybersecurity experts.

Our Incident Response service provides organizations with technical support in the evaluation and containment of security incidents that your company may suffer; with expert staff, it will help you contain the problem and take the necessary measures to restore the service.

Talk later?

You can find more details about our services by visiting the Zerolynx page.

If you prefer, contact us and let's talk.
