If there’s a fire, you should know where you can get a bucket of water quickly!
Sounds banal? But if you look closely at the sentence, there is a lot of content in it, which we will examine below.
“There is a fire” is an incident that is usually relatively easy to detect. In the right place, the fire can cause a lot of damage to your company, in other places it can cause little or no damage. Depending on how you assess the fire, you tip a glass of water over it, get the fire extinguisher or call the fire department.
Once the fire has been extinguished, the damage is repaired, the walls are repainted and then everything is OK again. Not quite! Of course, you should still consider whether it was a good idea to light a candle in a paper file archive and how to prevent this from happening next time.
But how do you proceed in an emergency?
The requirements for handling information security incidents can be divided into two groups: organizational and procedural measures.
For successful incident handling, your organization must be ready to respond. You should have a crisis team, make sure that all employees know how the reporting chain works and define what the crisis team will deal with and how.
Handling an incident involves both internal and external addressees. Therefore, it should also be determined in advance who may or must speak to whom and how (e.g. the press), and reporting obligations (e.g. to the BSI or the police) must be observed. In our experience, proactive communication is better than trying not to communicate.
In terms of processes, we are entering a cyclical process – something we know very well from our consulting work. A security incident always has a time component, a life cycle. The treatment is based on this life cycle:
- Detection and information – A security incident needs to be noticed first, and this requires suitable means: a fire alarm, an alarm system, monitoring mechanisms for your IT infrastructure or similar
- Triage – Decide what impact the incident will have on the business, what resources should be allocated to the response and what “alert level” should be raised
- Containment – The incident is analyzed and, if possible, measures are taken to contain it. The impact on company processes must be taken into account, as well as the risk of the damage spreading. Measures may include, for example, isolating a section of the network, shutting down a server or deactivating user accounts.
- Removal – A certain surgical generosity is particularly appropriate in connection with malware, as some species of this genus do not appear as a single program, but in the form of modules with different tasks that are difficult or impossible to remove from a computer. It is therefore better to throw away one too many. The Bundestag hack in 2015 led to an extensive renewal of the infrastructure of the Bundestag network, including the endpoints. Something similar happened at Frankfurt University Hospital in early 2024.
- Follow-up – The most important and often neglected step is the follow-up of the attack, with the aim of learning for the future. This time should be taken because it generates valuable information. A good example of the fruits of this process is the MITRE ATT&CK® Framework (https://attack.mitre.org), in which the findings from cyber attacks are systematically processed and documented for the (specialist) public for further use.
- End of incident – When everything is done, you may declare the incident over. Done…
…and prepare for the next incident. Did we mention that we love PDCA cycles? They look good on PowerPoint slides.
Until the next and final part (link to Part 5 – Further building blocks)
Cyber risk check – a new service from Oberender AG
Do you want to know where you stand in terms of information security right now? Great – then let’s do the cyber risk check together. You can find more information here.