With an ever-changing IT world consisting of new technology, the web, mobile capabilities, applications and social media, businesses are now exposed to cybercriminals and breaches more than ever before. The complexity of IT infrastructures continues to grow every day, making it more difficult for companies to protect important data and comply with regulations such as SOX, HIPAA and PCI DSS, to name a few. Although it has become increasingly difficult over the years to protect consumer data, an effective Incident Response Plan (IRP) allows Security Operations Centers (SOCs) to reduce the impact of an IT security incident.

Before diving into an investigation, it is key that your company define exactly what an IT security incident is to them. This may vary based upon the type of information your company stores, as well as the industry your company is part of. As stated in Incident Response & Computer Forensics, there is no single accepted definition, but we consider a computer security incident to be an event that has the following characteristics:

• Intent to cause harm
• Was performed by a person
• Involved a computing resource

With that in mind, one must understand that breaches happen. Although many companies spend large sums of money to prepare for and prevent security incidents, it is inevitable that a response will eventually be necessary.

Top Five Things To Check After An IT Security Incident

1. Discover The Systems & Data That Were Affected

It is vital that a company first begin by discovering the systems and data affected during an incident. This allows it to begin formulating an effective remediation process with the departments that may have been compromised, and to report breach notifications to regulators within the required time. It can also prevent additional information from being stolen from the corporation.

2. Isolate The Systems & Networks

It is important that during the IR process the IR team isolate any affected systems from the production network once a compromise is suspected. This can include disabling user accounts, changing the credentials of privileged users, or removing from the network important systems and servers that are suspected of compromise.

3. Discover How The Breach Occurred

After you have properly isolated any systems affected during the attack, it is time to establish a checklist of evidence describing how the attack happened. A good approach is to first create a high-level checklist summarizing information about the incident: for example, who reported it, how it was discovered, and when it occurred. Once that high-level checklist summarizing what is known about your systems and network is complete, create a second checklist that drills down into the information already gathered, with the intent of identifying specific instances and events. SIEM technology makes investigating a breach much easier because it allows you to review packet captures from the time of the incident and examine data such as logs. SIEMs also provide a real-time view of what is happening during the breach, enabling the analyst to dive deep into the specific events and alerts that could have been part of the initial attack.

4. Discover Who Breached Your Company

Although this step is not always possible in the realm of cyber security forensics, it can help a company restructure its IT infrastructure by providing information on why someone breached the company. Diving deeper into the incident can reveal whether the incident was external or internal, the motivations behind the attack, and the location of the attacker.

5. Restore Functionality To Affected Systems & Networks

Once the threat has been eliminated from your company's IT infrastructure, it is time to restore functionality to all systems, applications, hosts and user accounts. As stated by prior, this should include, but is not limited to, processes such as reinstalling systems into the environment, securely erasing the hard drives of compromised systems, restoring operating systems, re-enabling affected user accounts, and conducting vulnerability scans against the restored systems.

This post was originally published here.