In the aftermath of a cyber incident, swift and coordinated action is key to minimising damage and recovering swiftly. Part 1 of this blog series addressed the initial response and when to engage a Cyber Incident Investigations team. Now, let us explore how to collaborate effectively with your Incident Investigations team to ensure a successful incident response.
Knowing your team
A Cyber Incident Investigations team comprises of a range of highly skilled professionals, each playing a crucial role. Here is a breakdown of some key roles:
- Incident Commander/Manager: Oversees the overall incident response process, making critical decisions and ensuring team coordination with your business. This person will likely be your primary contact point for the team.
- Forensic Investigators: These analyse digital evidence to identify the root cause of the incident and reconstruct the attacker's actions.
- Security Analysts: Utilise their expertise and tools to analyse network activity, identify malicious files, and track attacker movements.
The Incident investigations team also has access to additional specialists within CCL, such as, but not limited to:
- Red Team Penetration Testers
- Mobile Device Digital Forensic Analysts
- Computer Forensic Digital Forensic Analysts
- E-Discovery Experts
Information sharing is key
To effectively investigate and remediate the incident, the Incident Investigations team will effectively utilise your organisation's knowledge and resources. Here's how clear communication and information sharing can expedite the processes:
- Chronology of events: Provide a detailed timeline of events leading up to the incident, including any suspicious activity or warnings.
- Affected systems: Identify all potentially compromised systems, including hardware, software, and user accounts.
- Access logs: Share relevant access logs and security event data to assist the Incident Investigations team in tracking attacker activity.
- Security policies: Provide copies of your organisation's security policies to help the team understand your security posture.
- Break glass accounts: The Incident Investigations team may require administrative access to your networks, including security monitoring software you may have already installed across your network.
Preserving the digital crime scene
Digital evidence is crucial for identifying the attackers, understanding their tactics, and potentially pursuing legal action. Here are some best practices for preserving evidence:
- Forensic imaging: Create forensic images of potentially compromised systems, capturing their state at the time of the breach.
- Secure storage: Store evidence securely on a separate system to prevent further tampering or accidental deletion.
- Chain of custody: Maintain a clear chain of custody documentation to demonstrate evidence has not been altered or compromised.
Communication is paramount
Throughout the incident response process, clear and consistent communication is essential. Here is what it entails:
- Regular updates: The Incident Investigations team will schedule regular meetings to discuss updates on the investigation and share any new information between both parties. It is important to be transparent and open with the team, so they can more effectively help you and streamline the investigation.
- Incident command: In some critical incidents it may be effective to establish a Gold/Silver/Bronze command structure to disseminate updates and actions to the correct teams.
- Dedicated communications: The Incident Investigations team will be available to you 24/7 through a dedicated hotline, should you need to reach the team urgently.
Building strong communication and transparency fosters trust, allowing the Incident Investigations team to focus on their expertise while you remain informed and involved.
In the next installment of this series, we will explore the path to recovery and how to leverage this experience to enhance your organisation's cybersecurity posture.
