April 19, 2024

Incident investigation – Part 1: Recognising and responding to a cyber incident

In this new three-part series, CCL’s Adam Shortall offers an introductory primer on cyber investigations and incident response for IT professionals keen to learn more about this specialist area of cyber security.


The ever-expanding digital landscape presents a treasure trove of opportunities, but also harbours hidden threats. Cyber incidents, like data breaches and malware attacks, can strike with devastating consequences. Being prepared is the key to weathering these storms and minimising damage.

Incident response requires a working knowledge of many different specialities, which leaves IT professionals with a demanding task: keeping up with training across a wide range of disciplines. Good incident handlers must be jacks of all trades and masters of many: log analysis, disk forensics, memory forensics, malware analysis, network security monitoring, data recovery – just to start with.

This multipart blog series was prepared by the CCL Incident Investigation team, which has extensive working experience in digital forensics and cyber incident response. Most of this blog series is based on the lessons learned from that work. If you, as an IT professional, find yourself in the position of defending your information system, this blog series is for you.

Whether you are currently facing a cyber incident or simply seeking to bolster your preparedness, this series is your roadmap to navigating the digital battlefield and protecting your organisation's critical assets.

Cyber incidents: When to call in reinforcements

As IT professionals, you navigate the changing digital landscape and are constantly on guard against potential threats. But cyber incidents, such as Business Email Compromise (BEC), data breaches or malware attacks, can harm even the most robust businesses. In a cyber incident, time is against you, and knowing how to respond effectively makes all the difference.

This blog series aims to equip you with the knowledge to recognise a cyber incident and guide you through the initial response steps. We will also discuss when it is time to call in reinforcements – CCL’s Incident Investigation team.

What is a cyber incident?

A cyber incident is any event that disrupts, compromises, or damages your organisation's information assets. These incidents can range from a simple loss of a business laptop to complex malware infections and data breaches involving sensitive customer information. Some common types of cyber incidents include:

  • Data breaches: Unauthorised access to and theft of sensitive data (e.g. customer records, financial information, medical records, etc.).
  • Malware infections: Malicious software that disrupts system operations, steals data, or launches further attacks.
  • Ransomware attacks: Malicious software that encrypts your data, rendering it inaccessible. In many cases the attacker also steals a copy of the data first and threatens to leak it publicly unless a ransom is paid.
  • Denial-of-Service (DoS) attacks: Overwhelming your systems with traffic, making them unavailable to legitimate users.
  • Business Email Compromise (BEC): Scammers impersonate trusted senders (such as colleagues, suppliers or the CEO), often from a genuinely compromised mailbox, to trick victims (employees or clients) into transferring money or revealing sensitive information.

Recognising the signs of a breach

Cybercriminals are constantly evolving their tactics, but there are some telltale signs that can indicate a breach in your defences. Here are some red flags to watch for:

  • Unusual network activity: Spikes in network traffic, connections to unfamiliar external hosts, or a sudden increase in outbound data transfers.
  • Unauthorised access attempts: Bursts of failed logins, or logins from unrecognised locations or at unusual times, particularly when a failure burst is followed by a success.
  • Missing or altered files: Critical files inexplicably disappear, become corrupted, or acquire unfamiliar extensions (a common sign that ransomware has started encrypting them).
  • System performance issues: Slowdowns, crashes, or unexpected behaviour on your systems.
  • Unexplained security alerts: Firewalls or antivirus software triggering alerts without a clear explanation.
  • Employee reports: Employees report suspicious emails, phishing attempts, or unauthorised access attempts.
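Several of the red flags above can be checked mechanically against authentication logs. The following is an added example, not code from the original post or from CCL, that runs three such checks over a handful of constructed login events: a burst of failed logins from one source, a successful login from an unexpected country or outside working hours, and a success immediately following a run of failures. The log format, the working hours, the expected country list and the thresholds are all assumptions made for the example; in practice you would map them to your own log source and baseline.

```python
"""Flag login-related breach indicators in constructed auth events.

Added example, not CCL's code. The line format below is invented for
the example; real sources (Windows Security log, Linux auth.log, an
identity provider's sign-in log) need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: "<ISO-8601 UTC> <OK|FAIL> user=<name> src=<ip> geo=<country>"
SAMPLE_LOG = """\
2024-04-18T09:02:11Z OK user=alice src=10.0.0.12 geo=GB
2024-04-18T09:15:40Z OK user=bob src=10.0.0.31 geo=GB
2024-04-18T02:41:03Z FAIL user=alice src=203.0.113.9 geo=RU
2024-04-18T02:41:09Z FAIL user=alice src=203.0.113.9 geo=RU
2024-04-18T02:41:15Z FAIL user=alice src=203.0.113.9 geo=RU
2024-04-18T02:41:22Z FAIL user=alice src=203.0.113.9 geo=RU
2024-04-18T02:41:30Z FAIL user=alice src=203.0.113.9 geo=RU
2024-04-18T02:42:05Z OK user=alice src=203.0.113.9 geo=RU
2024-04-18T11:05:00Z FAIL user=bob src=10.0.0.31 geo=GB
"""

# Assumed baseline for this hypothetical organisation (not from the article).
WORK_HOURS = range(7, 20)   # 07:00-19:59 UTC counts as "normal"
EXPECTED_GEOS = {"GB"}      # countries users are expected to sign in from
FAIL_THRESHOLD = 5          # failures from one (user, source) inside the window
WINDOW_SECONDS = 300


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    ts, result, *fields = line.split()
    event = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "result": result,
    }
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_red_flags(events):
    """Return a list of alert dicts for the indicators described above."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    recent_fails = defaultdict(list)   # (user, src) -> timestamps of recent failures
    burst_reported = set()             # avoid re-alerting on every extra failure

    for e in events:
        key = (e.get("user", "?"), e.get("src", "?"))
        base = {"user": key[0], "src": key[1], "ts": e["ts"].isoformat()}
        # Keep only failures that fall inside the sliding window.
        recent_fails[key] = [
            t for t in recent_fails[key]
            if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS
        ]

        if e["result"] == "FAIL":
            recent_fails[key].append(e["ts"])
            if len(recent_fails[key]) >= FAIL_THRESHOLD and key not in burst_reported:
                alerts.append({"type": "failed-login-burst", **base})
                burst_reported.add(key)
            continue

        # Successful login: check location, time of day, and preceding failures.
        if e.get("geo") not in EXPECTED_GEOS:
            alerts.append({"type": "login-unexpected-location", "geo": e.get("geo"), **base})
        if e["ts"].hour not in WORK_HOURS:
            alerts.append({"type": "login-out-of-hours", **base})
        if recent_fails[key]:
            alerts.append({"type": "success-after-failures",
                           "failures": len(recent_fails[key]), **base})
    return alerts


if __name__ == "__main__":
    for alert in find_red_flags(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample this raises four alerts, all for alice from 203.0.113.9: the five-failure burst, then a success that is out of hours, from an unexpected country, and straight after the failures. Any one of those alone might be noise; all four together for the same account and source is exactly the kind of pattern worth escalating rather than explaining away.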

The initial response: Containing the situation

If you suspect a cyber incident, it is crucial to act quickly and decisively. Here are some initial steps to take:

  • Isolate compromised systems: Disconnect potentially compromised systems from the network to prevent further lateral movement by the attacker. Prefer pulling the network cable, disabling the switch port, or quarantining the host through your EDR tooling over powering the machine off: shutting it down destroys the contents of memory, which is often the best evidence of what the attacker actually ran.
  • Secure evidence: Avoid logging on to, rebooting, "cleaning up" or otherwise modifying potentially compromised systems; each such action can overwrite logs, timestamps and volatile data that an investigator will need.
  • Document observations: Keep a detailed record of events, including timestamps (note the time zone), affected systems, who did what, and observed behaviour.
  • Report the incident: Inform relevant personnel (IT administration, CISO, legal advisers, etc.) within your organisation and consider notifying authorities, such as the Information Commissioner's Office (ICO), local law enforcement, Action Fraud, or the National Cyber Security Centre (NCSC), depending on the severity of the incident. Where personal data is involved, the ICO expects a reportable breach to be notified within 72 hours of your becoming aware of it, so the reporting decision cannot wait until the investigation is complete.
  • Protect the crown jewels: Decide which critical systems most need protecting and what response is realistically achievable. Can you isolate or take offline backup servers and systems holding sensitive information before the attacker reaches them? Backups are a prime target in ransomware attacks, and protecting them early preserves your recovery options.
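The "secure evidence" and "document observations" steps above are easier to get right if the record is started in the first minutes, not reconstructed later. The following is an added example, not code from the original post or from CCL, of a minimal incident notebook: it records each observation with a UTC timestamp, the host and the person acting, and when an evidence file (a ransom note, an exported log) is captured it records the file's SHA-256 so that anyone later can prove whether the copy handed to investigators was altered. The incident identifier, host name, user name and the ransom-note file are all constructed for the example.

```python
"""Minimal first-responder incident notebook with evidence hashing.

Added example, not CCL's code. Hashing does not make a file immutable;
it gives you a way to demonstrate later that a captured artefact is
(or is not) the same bytes you recorded at the time.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


class IncidentLog:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def note(self, host, observation, by):
        """Record one observation; timestamps are always UTC, ISO 8601."""
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "host": host,
            "by": by,
            "observation": observation,
        }
        self.entries.append(entry)
        return entry

    def record_evidence(self, path, host, by):
        """Hash an artefact at the moment it is captured and log it."""
        digest = sha256_file(path)
        entry = self.note(host, f"evidence captured: {os.path.basename(path)}", by)
        entry["evidence"] = {
            "path": os.path.abspath(path),
            "sha256": digest,
            "size": os.path.getsize(path),
        }
        return entry

    def export(self):
        """Serialise the notebook for hand-over to the investigation team."""
        return json.dumps({"incident": self.incident_id, "entries": self.entries},
                          indent=2, sort_keys=True)


def verify_evidence(log):
    """Return evidence entries whose file no longer matches the recorded hash."""
    mismatches = []
    for entry in log.entries:
        evidence = entry.get("evidence")
        if not evidence:
            continue
        current = sha256_file(evidence["path"]) if os.path.exists(evidence["path"]) else None
        if current != evidence["sha256"]:
            mismatches.append({"path": evidence["path"],
                               "recorded": evidence["sha256"], "current": current})
    return mismatches


def demo():
    """Walk through a constructed first-response timeline and a tampered artefact."""
    log = IncidentLog("INC-0001")   # hypothetical identifier
    log.note("FS01", "helpdesk reports ransom note on shared drive", by="j.smith")
    log.note("FS01", "switch port disabled; host left powered on for memory capture", by="j.smith")
    with tempfile.TemporaryDirectory() as workdir:
        note_path = os.path.join(workdir, "README_RECOVER.txt")
        with open(note_path, "w") as handle:
            handle.write("constructed sample ransom note\n")
        log.record_evidence(note_path, "FS01", by="j.smith")
        clean = verify_evidence(log)          # expected: nothing to report
        with open(note_path, "a") as handle:  # simulate the file being altered later
            handle.write("edited after capture\n")
        tampered = verify_evidence(log)       # expected: one mismatch
    return {"entries": len(log.entries), "clean": clean, "tampered": tampered,
            "export": log.export()}


if __name__ == "__main__":
    result = demo()
    print(result["export"])
    print("mismatches after tampering:", len(result["tampered"]))
```

The notebook is deliberately append-only and timestamped in UTC so that it can be lined up against system logs, which usually also carry UTC or a known offset. The `export` output is the sort of record that shortens the first conversation with an incident response team considerably.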

Your business should have business continuity plans and cyber incident ‘Break Glass’ plans in place for these types of scenarios. If you do not, feel free to contact CCL Solutions Group to assist you with these plans.

When to engage cyber incident response teams

In the face of a complex cyber incident, it is important to know when to call in the digital firefighters. Here are some situations in which engaging an incident investigation team becomes crucial:

  • The incident is complex and requires specialised expertise.
  • There is a potential risk of legal ramifications or regulatory breaches.
  • Your organisation lacks the internal resources or experience to manage the incident effectively.
  • Your business wants to better prepare before an incident occurs.

A Cyber Incident Investigations team brings a wealth of experience and specialised tools to the table, increasing the chances of a successful investigation and remediation. They can help you contain the damage, recover lost data, and identify the root cause to prevent future attacks.

In the next blog post we will delve deeper into collaborating effectively with your Cyber Incident Investigations team, ensuring a smooth and successful incident response process.

We're here to help

Our experts are on hand to learn about your organisation and suggest the best approach to meet your needs. Contact an expert today.
