There are two kinds of organisations: those that know they’ve had a cyber security incident, and those that don’t. It’s almost inevitable that, eventually, something will happen to compromise your organisation’s cyber security.
Of course, immediately after the cyber security incident is discovered, what to do next is clear. You need to understand what happened, and what was accessed. You also need to make sure that the attacker has been removed from your assets and can’t regain access. Any relevant parties (insurers, information commissioners) need to be notified. However, once the immediate threat has been dealt with and you’ve fulfilled your legal, regulatory, and contractual obligations: what next?
It’s natural to want to put such a stressful situation behind you; however, security incidents can prove fertile ground for improving security, because it is now at the forefront of your organisation’s mind. What are the next steps you can take following an incident?
You may want immediate assurance that the initial point of compromise is secured. A tightly scoped penetration test, limited to the systems and access path the attacker used, can provide this in a matter of days, giving your organisation peace of mind to move forward, confident that the same incident won’t immediately repeat itself.
Quite often, following a particular sort of incident, an organisation will update its procedures for that threat. Updated procedures are analogous to backups, though: if you don’t test them, how do you know they work? In these situations, it can be helpful to simulate incidents (either in real time, or at a pace to suit your organisation) so that playbooks can be tested. This can be done either on live systems via attack simulation, or in a lighter-weight fashion by way of a tabletop exercise.
Another way to bolster defences is to perform purple team assessments, whereby the tester acts as an attacker but also collaborates with defenders to assist in detecting and responding to threats. This serves both as an exercise of technical controls and as training for security teams.
If an incident was missed by detection controls, it can be useful to perform configuration reviews to ensure that the technology is configured as intended, as well as specific control-based testing, to ensure that controls have well-rounded rule bases and detections that actually fire on the activity seen during the incident.
Following a severe incident, more wide-ranging assurance may be required, which can be provided by an Organisational Security Maturity Assessment (OSMA). This fuses GRC consultancy with cyber security expertise to provide a current state, desired future state, and roadmap to success. A consultant can review technologies, policies, and procedures to give deep insight into the weaknesses of your organisation’s security, as well as the next steps needed to level up.
Hopefully this article has provided you with some ideas of actions you might want to take following a security incident, regardless of its size or nature. If you find yourself in this situation, consider talking to URM – we will happily advise on what we’d recommend doing, as well as offer any of our services which could help: the two aren’t always the same.
How URM can help
If your organisation has been subject to a cyber security incident, or would like to take precautions to prevent one from occurring, URM can offer a wide range of cyber security testing services to both identify vulnerabilities and gaps in your security infrastructure and advise you on how to remediate them. For example, we can offer your organisation a wide range of penetration testing services, with our CREST and CREST OVS accreditation verifying the quality and reliability of these. We can provide infrastructure and network penetration testing, web application penetration testing, social engineering penetration testing, cloud penetration testing or, if you want to address the unique issues and risks your organisation faces, business-led penetration testing.
Meanwhile, if you would like to evaluate, practise, and improve your incident response capabilities, URM is a Cyber Incident Exercising (CIE) Assured Service Provider under the National Cyber Security Centre (NCSC) scheme. In this capacity, we can facilitate table-top and live-play simulations of cyber security incidents, allowing you to exercise and improve your incident response plans, enhancing your ability to effectively respond to cyber attacks and providing you with a realistic understanding of your recovery time.