Cyber incident management

Managing a cyber incident means following a structured process to limit damage, clean up the infrastructure and prevent future attacks.

Some of the steps to handle a cyber incident are:

Identification, i.e. understanding what has happened and what is still happening.
• Detecting anomalous behavior (logs, SIEM alarms, interviews with users who report problems)
• Verifying indicators of compromise (IoCs)
• Classifying the incident in accordance with the ACN taxonomy
• Producing an output that confirms the incident and states its criticality level and the systems involved.
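The identification step above (matching IoCs against log data, flagging anomalies, and emitting a record that confirms the incident with a criticality level and the systems involved) can be scripted once the inputs are in hand. The block below is an added example, not code from the original page: the IoC values, the key=value log format, the sample log lines, the list of critical hosts and the criticality rule are all constructed for illustration, and the "ip/domain/hash" labels are a hypothetical grouping, not the ACN taxonomy.

```python
import re
from collections import defaultdict

# Constructed IoC set (hypothetical indicators, not from any real feed).
IOC_IPS = {"203.0.113.45"}                   # RFC 5737 documentation address
IOC_DOMAINS = {"update-check.example.net"}   # constructed domain
IOC_HASHES = {"0" * 63 + "1"}                # constructed SHA-256 placeholder

# Hosts the (hypothetical) organisation considers critical.
CRITICAL_HOSTS = {"db02"}

# Constructed sample log lines: ISO timestamp followed by key=value fields.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z host=web01 src=198.51.100.7 uri=/index.html",
    "2024-05-01T10:00:05Z host=web01 src=203.0.113.45 uri=/admin/upload.php",
    "2024-05-01T10:01:12Z host=db02 event=auth_failure user=svc_backup count=47",
    "2024-05-01T10:02:30Z host=ws17 event=dns query=update-check.example.net",
    "2024-05-01T10:03:00Z host=ws17 event=file_exec sha256=" + "0" * 63 + "1",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of fields; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def match_iocs(fields):
    """Return the (ioc_type, value) indicators present in a single event."""
    hits = []
    if fields.get("src") in IOC_IPS:
        hits.append(("ip", fields["src"]))
    if fields.get("query") in IOC_DOMAINS:
        hits.append(("domain", fields["query"]))
    if fields.get("sha256") in IOC_HASHES:
        hits.append(("hash", fields["sha256"]))
    return hits


def triage(lines):
    """Build the identification output: confirmed?, criticality, systems, indicators."""
    indicators = defaultdict(list)   # host -> matched indicators
    anomalies = []                   # non-IoC signals that need a human look
    for line in lines:
        f = parse_line(line)
        for hit in match_iocs(f):
            indicators[f["host"]].append(hit)
        # Constructed anomaly rule: a burst of authentication failures is suspicious.
        if f.get("event") == "auth_failure" and int(f.get("count", 0)) >= 20:
            anomalies.append((f["host"], f["user"], int(f["count"])))

    # An incident is confirmed only when a known indicator matched.
    confirmed = bool(indicators)
    systems = set(indicators) | {host for host, _, _ in anomalies}

    # Constructed criticality rule: critical host touched, or 3+ systems involved.
    if systems & CRITICAL_HOSTS or len(systems) >= 3:
        criticality = "high"
    elif confirmed:
        criticality = "medium"
    else:
        criticality = "low"

    return {
        "confirmed": confirmed,
        "criticality": criticality,
        "systems": sorted(systems),
        "indicators": {h: sorted(v) for h, v in indicators.items()},
        "anomalies": anomalies,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOGS), indent=2))
```

In the constructed scenario the web server and a workstation match indicators, and the database host shows an authentication-failure burst without any IoC match; the record therefore lists all three systems and rates the incident "high" because a critical host is involved. In a real deployment the IoC sets would be fed from threat intelligence and the parser would be replaced by the SIEM's own query, but the shape of the output is what the step calls for.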

Containment, i.e. limiting damage and spread so that the attack cannot advance further.
• Isolating suspicious machines
• Blocking compromised accounts
• Disconnecting services from the Internet, if necessary
• Applying patches
• Changing compromised credentials
• Hardening firewall configuration and/or network rules (VLANs)

Cleanup, i.e. removing the problem at the root.
• Eliminating malware and backdoors
• Closing the exploited vulnerabilities
• Deleting malicious user accounts
• Cleaning up compromised configurations

Recovery, i.e. returning safely to normal operation, and only after the systems have been validated.
• Restoring systems from secure backups
• Monitoring closely for any new anomalies
• Verifying data integrity
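One concrete way to perform the last recovery step, verifying data integrity after a restore, is to compare the restored tree against a hash manifest taken from the known-good backup. The block below is an added example, not code from the original page; it assumes that a SHA-256 manifest was recorded at backup time, and the directory layout, file contents and tampering it demonstrates are constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (the baseline)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_integrity(manifest, root):
    """Compare the current tree with the baseline manifest.

    Returns sorted lists of files that are unchanged, modified, missing,
    or present on disk but absent from the baseline (unexpected).
    """
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = list(set(current) - set(manifest))
    for key in report:
        report[key].sort()
    return report


def demo():
    """Constructed scenario: take a baseline, then tamper, delete and add files."""

    def write(root, rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    with tempfile.TemporaryDirectory() as root:
        write(root, "etc/app.conf", b"listen=443\n")
        write(root, "etc/users.db", b"alice:x\n")
        write(root, "bin/run.sh", b"#!/bin/sh\necho ok\n")
        manifest = build_manifest(root)          # recorded at backup time
        clean = verify_integrity(manifest, root)  # restore verified as-is

        # Simulate what a bad restore (or a lingering intruder) could leave behind.
        write(root, "etc/app.conf", b"listen=443\nadmin_password=changeme\n")
        os.remove(os.path.join(root, "etc/users.db"))
        write(root, "bin/.hidden", b"#!/bin/sh\n")
        tampered = verify_integrity(manifest, root)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean restore:", before)
    print("tampered tree:", after)
```

The four result buckets map directly onto the questions a responder has to answer before declaring recovery complete: anything "modified" or "missing" means the restore did not reproduce the backup, and anything "unexpected" is a file nobody put there on purpose and deserves a look before the system is returned to service.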

Finally, it is a good practice to create or update the following internal documents:
• Incident Response Walkthrough
• Threat Response Playbook