Beginner / Incident Response

Write and test an incident response runbook before you need it

Organisations that handle breaches well have one thing in common: they had a plan before the attack. Target had a $1.6 million FireEye deployment that detected the 2013 breach, but the alerts went unactioned, in part because no runbook specified what to do when they fired. An IR runbook documents who is notified (internal and external), who has authority to make decisions such as taking production systems offline, which systems are isolated first, how communications with the public and with regulators are handled, and what evidence is preserved and how. The runbook must be tested through tabletop exercises at least annually and updated after every significant incident.

Tags: runbook, incident response plan, tabletop exercise, playbook, preparation

More in Incident Response

intermediate

Establish a breach notification timeline before a breach occurs — not during one

GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. US state breach notification laws vary: many set a deadline of 30 to 60 days from discovery, and others require notification "without unreasonable delay". Equifax waited 40 days after confirming its breach before public disclosure. Uber concealed its breach for 13 months. Both paid enormous financial and reputational penalties for the delay. Know your notification obligations before an incident: which regulators must be notified, within what timeframe, what information must be included, and who in your legal team has authority to approve the notification. Draft template notifications in advance, and keep a dated incident timeline (when the breach was detected, when it was confirmed) as evidence that the clock was met.

See: Equifax Breach Response (Incident Response)
advanced

Maintain an offline, isolated backup of Active Directory

Active Directory is the single most critical system in most Windows enterprise environments: it controls authentication for every user, every server, and every service. NotPetya wiped every domain controller at Maersk in minutes, making recovery impossible without an offline copy. Maersk found one domain controller in Ghana that had been powered off during a power cut; it was flown to the UK and used to rebuild the entire domain. You should not rely on a power cut in Ghana. Maintain at least one offline, network-isolated backup of Active Directory that is physically separate from your main environment, refreshed to a known-good state at least monthly, and periodically test-restored in an isolated lab. Note that Active Directory will not restore a backup older than the forest's tombstone lifetime (60 or 180 days depending on when the forest was created), so an offline copy that is never refreshed eventually becomes worthless.

See: Maersk NotPetya Recovery (Incident Response)
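The check a practitioner would want behind the guide above: on each domain controller, confirm the last System State backup is younger than both your refresh policy and the forest tombstone lifetime, and take a fresh one if it is not. This is an added example, not Maersk's procedure or code from the guide. It assumes it runs on a DC as a domain admin with the Windows Server Backup feature installed; $BackupVolume is a hypothetical dedicated volume whose contents you then copy to media that is disconnected from the network.

```powershell
# Added example: verify a DC has a recent, restorable System State backup; take one if not.
# Assumptions (not from the guide): runs on a DC as domain admin, Windows Server Backup
# feature installed, $BackupVolume is a hypothetical local volume that is NOT the OS or
# NTDS volume. Adjust $MaxAgeDays to your own refresh policy.
Import-Module ActiveDirectory
Import-Module WindowsServerBackup

$MaxAgeDays   = 30      # the guide's "at least monthly"
$BackupVolume = 'E:'    # hypothetical target volume

# 1. Forest tombstone lifetime: NTDS refuses to restore a backup older than this.
$configNC  = (Get-ADRootDSE).configurationNamingContext
$dsService = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                          -Properties tombstoneLifetime
# The attribute is unset on forests created before Windows Server 2003 SP1; the default there is 60 days.
$tombstoneDays = if ($dsService.tombstoneLifetime) { [int]$dsService.tombstoneLifetime } else { 60 }

# 2. Age of the last successful backup recorded by Windows Server Backup.
#    LastSuccessfulBackupTime is DateTime.MinValue when no backup has ever succeeded.
$lastBackup = (Get-WBSummary).LastSuccessfulBackupTime
$ageDays    = if ($lastBackup -and $lastBackup -gt [datetime]'2000-01-01') {
                  ((Get-Date) - $lastBackup).TotalDays
              } else {
                  [double]::PositiveInfinity
              }

# 3. Classify: unrestorable (past tombstone lifetime) is worse than merely stale.
$needBackup = $false
if ($ageDays -gt $tombstoneDays) {
    $msg = '{0}: last backup is {1:N0} days old, older than the tombstone lifetime ({2} days); it cannot be restored.' -f $env:COMPUTERNAME, $ageDays, $tombstoneDays
    Write-Warning $msg
    $needBackup = $true
} elseif ($ageDays -gt $MaxAgeDays) {
    $msg = '{0}: last backup is {1:N0} days old, beyond the {2}-day refresh policy.' -f $env:COMPUTERNAME, $ageDays, $MaxAgeDays
    Write-Warning $msg
    $needBackup = $true
} else {
    $msg = '{0}: last backup {1:N0} days ago is within policy.' -f $env:COMPUTERNAME, $ageDays
    Write-Host $msg
}

# 4. Take a fresh System State backup (NTDS.dit, SYSVOL, registry, boot files) when needed.
#    The "offline" part is deliberately manual: copy the resulting WindowsImageBackup folder
#    to media that is then disconnected from the network, and record the date in the runbook.
if ($needBackup) {
    & wbadmin start systemstatebackup -backupTarget:$BackupVolume -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}
```

Run it from a scheduled task or your monitoring agent and alert on the warnings; a backup that exists but has aged past the tombstone lifetime is the silent failure this check is designed to catch. The restore itself (booting a DC into Directory Services Restore Mode and recovering the System State into an isolated lab) is what the monthly test should rehearse, because a backup nobody has restored is only a hypothesis.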
intermediate

Do not use bug bounty programmes to pay extortion — it is illegal

Uber's security team paid $100,000 to the attackers who stole 57 million rider and driver records, routing the payment through its HackerOne bug bounty programme and recording it as a legitimate vulnerability report, with the attackers signing non-disclosure agreements. The payment was intended to conceal the breach, including from the FTC, which was investigating Uber's security practices at the time. The CSO who authorised it was convicted of obstruction of justice and misprision of a felony and sentenced to three years of probation. Paying attackers who have already stolen data, and disguising that payment to hide the breach from regulators, was treated as obstruction of a federal investigation. If you receive an extortion demand, contact your legal team and law enforcement immediately. Never use a bug bounty platform to pay a criminal; it does not legitimise the payment.

See: Uber Cover-Up (Incident Response)