BeginnerIncident Response

Be transparent during an incident — livestream the database deletion if you must

GitLab's response to accidentally deleting 300GB of production database data included a public live Google Doc updating in real time, and a YouTube livestream showing engineers working through recovery. The security and engineering community widely praised this transparency despite the embarrassing circumstances. LastPass's changing story — from "no customer data accessed" to "encrypted vaults stolen" over three months — destroyed trust more than a single comprehensive disclosure would have. Transparent, timely disclosure during an incident maintains trust, enables affected parties to take protective action, and demonstrates organisational integrity. Brief stakeholders early and update them regularly, even when the picture is incomplete.

Tags

transparencycommunicationdisclosuretrustGitLab

More in Incident Response

All guides
beginnerfeatured

Write and test an incident response runbook before you need it

Organisations that handle breaches well have one thing in common: they had a plan before the attack. Target had a $1.6 million FireEye security system that detected the breach — and ignored the alerts because there was no clear runbook specifying what to do when the alert fired. An IR runbook documents: who is notified (internal and external), who has authority to make decisions, what systems are isolated first, how communications are handled publicly and with regulators, and what evidence is preserved. The runbook must be tested through tabletop exercises at least annually and updated after every significant incident.

See: Target IR FailureIncident Response
intermediate

Establish a breach notification timeline before a breach occurs — not during one

GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach. US state breach notification laws require notification within 30–72 hours in many states. Equifax waited 40 days after confirming their breach before public disclosure. Uber concealed their breach for 13 months. Both paid enormous financial and reputational penalties for the delay. Know your notification obligations before an incident: which regulators must be notified, within what timeframe, what information must be included, and who in your legal team has authority to approve the notification. Draft template notifications in advance.

See: Equifax Breach ResponseIncident Response
advanced

Maintain an offline, isolated backup of Active Directory

Active Directory is the single most critical system in most Windows enterprise environments — it controls authentication for every user, every server, and every service. NotPetya encrypted every domain controller at Maersk simultaneously, making recovery impossible without an offline backup. Maersk found one domain controller in Ghana that had been powered off during a power cut — it was flown to the UK and used to rebuild the entire domain. You should not rely on a power cut in Ghana. Maintain at least one offline, network-isolated backup of Active Directory that is physically separate from your main environment and restored to a known-good state at least monthly.

See: Maersk NotPetya RecoveryIncident Response