What to do in the event of a cyber security incident

August, 2013
5 mins read

Our recommendations in the event of an incident or breach.

If you’re in Security or IT operations and you find yourself in the middle of a cyber-security incident, you have a very important role to play. Response teams will likely be relying on you to collect the information they need to determine the source and extent of a breach. Following are some of the key points F-Secure’s Incident Response recommends internal teams cover when dealing with an incoming incident.

What data do I have to support response?

Identify sources of data that might be useful:

  • Domain/Server logs
  • Web proxy logs
  • Email server logs
  • Network flow data from firewalls, packet capture devices, etc
  • Application logs (SAP, SharePoint, cloud services etc)
  • VPN authentication logs
  • Physical security logs (card access etc)

Determine where these are stored:

  • On endpoints and appliances?
  • Centrally aggregated (SIEM, etc.)?
  • Combination of both?

What won’t I have tomorrow?

Logs and other potentially useful data captured from networks are transient and may be lost as time passes or due to user actions. Are these:

Stored centrally?

  • Check storage limitations, due to disk space or licensing
  • Some data may be sent to an aggregation point, but discarded due to configuration – review this.

Only present on endpoints or appliances?

  • Check and increase log storage limits – you want to keep captured data as long as possible.

In both cases:

  • Increase logging levels if possible – gather as much potentially useful data as is realistic.
  • Determine an archiving strategy – this may involve periodic exports from SIEM or network appliances, or constant retrieval of local logs from the server(s).

Where am I not looking?

Events related to an incident may show up in more than one data source. Move your focus beyond the point of detection / initial data source. For example:

Scenario: DLP detection of potentially malicious actions on endpoint

  • Domain logs: Which accounts have been authenticating to the endpoint? Which other endpoints have these accounts been authenticating to? Authentications to other systems and services from this endpoint?
  • Internal firewall logs: Network communication between suspect endpoint and other machines?
  • AV logs: Any recent antivirus warnings or events?
  • Proxy logs: What has this endpoint or user been contacting on the Internet? If there is anything unusual, is it used anywhere else?

Scenario: Compromised web application

  • DMZ firewall: Anomalous connections from DMZ to the rest of the network?
  • Domain logs: Unexpected sessions to other servers in DMZ?
  • Outgoing proxy: Connections to the Internet from within DMZ?
  • NetFlow: Connections to other servers in DMZ?

Am I considering the consequences of each action?

Actions taken during an incident may affect the outcome in unexpected ways. Therefore:

  • Keep communications related to the incident away from the potentially compromised network – the attacker/s may be watching (includes email, collaboration platforms [SharePoint, Confluence, etc.], helpdesk ticketing systems, etc).
  • Do not be tempted to “have a quick look”. Any actions risk changing and destroying artefacts valuable to an investigation.
  • Refrain from switching off potentially infected endpoints, rather disconnect from the network. Memory contents may be valuable during the investigation.
  • Don’t independently run malware scans, remove, relocate or upload malware to internet malware scanners. Let the response team know where new findings arise and advise on the best approach.
  • Delayed responses allow more time for additional damage – quick reporting of incidents and response to them could be hugely beneficial.

Sign up for the latest insights

We process the personal data you share with us in accordance with our Corporate Business Privacy Policy.

Accreditations & Certificates

F-Secure Consulting (F-Secure Cyber Security (Pty) Ltd) is a level 4 contributor to B-BBEE with a procurement recognition level of 100%. Learn more and download our B-BBEE certificate. Click here to read the press release.

Follow us
@fsecure_consult F-Secure-Consulting f-secure-foundry fsecurelabs