Cyber incident investigation is one of the most crucial skills that an organisation can master.
With countless information security threats looming over your business, you need to understand that data breaches are inevitable. When you come to this realisation, you can implement an incident response plan that helps you identify and investigate security threats.
This ensures that you can respond promptly when disaster strikes, mitigating the damage, and saving your organisation time and money.
But how exactly should you investigate a cyber incident? We explain everything you need to know in this blog, outlining five steps to guide you from disaster to recovery.
1. Identification
Speed is of the essence when it comes to incident response. The faster you can identify a breach, the sooner you can kick a malicious actor off your systems and begin the recovery process.
There are many ways that an incident might be identified. You might, for example, have automated threat detection tools that issue an alert when it spots malicious activity. Alternatively, someone on your team might spot something suspicious and alert the IT team.
2. Initial investigation
Once you’ve identified a potential data breach, you should conduct a preliminary investigation. The goal is to identify all systems and services that have been affected, which will help you understand the scope of the damage.
You should also document what sensitive information, if any, has been compromised. It’s best to err on the side of caution here; you might not know definitively what data a malicious actor accessed, but you will know what they could have viewed given the nature of their intrusion.
For example, if a single corporate account was compromised, the attacker would have access to anything that employee viewed. By contrast, if they launched a ransomware attack, they could conceivably have exfiltrated every piece of sensitive information on the network.
3. Immediate action
Now that you know exactly what’s happened, you must take urgent steps to isolate the affected areas of your business. You can think of this part of the investigation like police cordoning off the scene of the crime.
The goal is to prevent any contamination of the evidence and to gather any relevant information about what has happened. You should interview the people who discovered the breach to find out what they know, and gather any evidence that’s immediately available.
Where relevant, you must also notify law enforcement and regulators about the data breach.
4. Analyse the data
Once you’ve gathered the relevant information about the cyber incident, you must analyse it. The goal is to gain a more complete understanding of how the data breach occurred and what information or systems were compromised.
You should discover, for example, whether it was caused be an internal actor or a criminal hacker. You might also discover whether a malicious actor had privileged access to data and for how long the information was compromised.
5. Remediation planning
Now that you have a clear understanding of what happened and – more importantly – how, you can draw conclusions about the incident and look for ways to resolve the data breach.
The specific actions you take here will depend on the nature of the incident. You must therefore have a comprehensive plan that outlines remediation efforts related to all relevant information security risks.
The documented plan should include estimates for how long remediation tasks will take, the level of priority each one is given and the person responsible for overseeing the task.
What next?
With the investigation complete, it’s time to contain the threat and get back to business as usual. As part of this process, security specialists should carefully monitor the network and recovered systems to ensure that the threat has been fully addressed.
We understand at IT Governance that you might not have the internal expertise to manage this process with confidence.
It’s why we created our Cyber Incident Response Investigation service to provide support.
Our team of experts will help you manage the investigation process from beginning to end, answering key questions such as how the threat actor gained access and the steps needed to contain, eradicate and recover from the attack.
This CREST-accredited service is highly scalable, and can be used for anything as small as a data breach involving a single compromised USB stick or as large as an organisation-wide outage.