At Nanonets we have a 5-step Incident Response Plan
1. Identification
This is the process where we determine whether a reported event is a real security incident, and if so, how far it reaches. Everything we decide later (what to isolate, what to rebuild, whom to notify) depends on getting the scope right here, so we record the answers rather than keep them in people's heads.
Questions to address
- When did the event happen?
- How was it discovered?
- Who discovered it?
- Have any other areas been impacted?
- What is the scope of the compromise?
- Does it affect operations?
- Has the source (point of entry) of the event been discovered?
2. Containment
When a breach is first discovered, we contain it so it doesn’t spread and cause further damage to our business. If we can, we disconnect affected devices from the network (the Internet and, where possible, the internal network) rather than powering them off, so that memory and other volatile evidence survive for the investigation. We have short-term and long-term containment strategies ready. We also keep redundant backups, isolated from the production environment, to restore business operations. That way, any compromised or destroyed data isn’t lost forever.
At this time we also update and patch our systems, review our remote access protocols, rotate all user and administrative access credentials (including API keys and service accounts, not only passwords) and harden password requirements.
Questions to address
- What’s been done to contain the breach short term?
- What’s been done to contain the breach long term?
- Has any discovered malware been quarantined from the rest of the environment, with a copy preserved for analysis?
- What sort of backups are in place?
- Does your remote access require true multi-factor authentication?
- Have all access credentials been reviewed for legitimacy, rotated and hardened?
- Have you applied all recent security patches and updates?
3. Eradication
Once we've contained the issue, we find and eliminate the root cause of the breach, not just its symptoms. This means all malware and attacker artefacts (including any accounts, scheduled tasks or persistence mechanisms they created) are securely removed, and systems are again hardened, patched and updated.
Questions to address
- Have artefacts/malware from the attacker been securely removed?
- Has the system been hardened, patched, and updates applied?
- Can the system be re-imaged from a known-good image instead of being cleaned in place?
4. Recovery
This is the process of restoring and returning affected systems and devices back into our business environment. During this time, we get our systems and business operations up and running again from a known-good state, verifying each system before it is reconnected so that we don't reintroduce the attacker's foothold.
Questions to address
- When can systems be returned to production?
- Have systems been patched, hardened and tested?
- Can the system be restored from a trusted back-up?
- How long will the affected systems be monitored and what will you look for when monitoring?
- What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/prevention, etc.)
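File integrity monitoring, one of the tools named above, boils down to hashing a trusted baseline of the restored system and periodically comparing the live filesystem against it. The script below is an added illustration of that comparison, written for this page; it is not Nanonets' own tooling. The directory layout, file names and "attacker" edits it uses are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Walk `root` and record a SHA-256 digest for every regular file.

    Keys are paths relative to `root`, so a baseline taken from a trusted image
    can be compared against any host restored from it. Symlinks are skipped:
    hashing the link target rather than the link would let an attacker swap
    targets without changing any digest.
    """
    baseline: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare_baseline(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Return the files added, removed, or modified between two baselines."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario (not real data): baseline a small tree after
    recovery, then simulate an attacker editing a config, dropping a new
    script, and deleting a log, and report what the monitor would flag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "var").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "var" / "access.log").write_text("GET / 200\n")
        (root / "start.sh").write_text("#!/bin/sh\necho ok\n")

        # Baseline taken at recovery time, from the freshly restored system.
        baseline = build_baseline(root)

        # Changes made after the baseline that the monitor must surface.
        (root / "etc" / "app.conf").write_text("debug=true\n")        # modified
        (root / "var" / "cron.sh").write_text("#!/bin/sh\ncurl x\n")  # added
        (root / "var" / "access.log").unlink()                        # removed

        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Two practical points: the baseline must be stored off the monitored host (or signed), because an attacker who can rewrite files can also rewrite a baseline kept beside them; and the comparison is only as good as the paths it covers, so the monitored set should include binaries, configuration, scheduled tasks and startup scripts, with log directories that legitimately churn either excluded or handled by a separate rule.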
5. Lessons Learned
Once the investigation is complete, we analyse and document everything about the breach, including a timeline of the attack and of our response. We determine what worked well in our response plan and where there were holes, and we turn those findings into concrete changes with owners and deadlines.
Questions to address
- What changes need to be made to our security controls?
- How should employees be trained differently?
- What weakness did the breach exploit?
- How will you ensure a similar breach doesn’t happen again?