Using your cyber-response plan in a real-life attack

You’ve followed all the necessary steps to complete your cyber-response plan, and the call comes in that a breach has occurred … what do you do? It’s showtime!


Your security operation team will move into action as soon as an event is detected.


When an event is detected, it must always be recorded. Events do not always lead to incidents, and incidents do not always lead to breaches, but all breaches start with an event. Use your human intelligence; report who saw what, and when. The type of event will determine who is needed to take action and what action to take; this could range from a quick review to a much longer investigation.


All events, even small ones, should be reported and reviewed. You can then determine if an investigation is needed. Your team will look for a possible common denominator and try to think like an attacker. Remember: Time-to-compromise is measured in minutes; time-to-discovery is measured in days, months and years. As you prepare to mobilize, ask if your team has the skills to manage the event; do you need to engage outside help from a forensics team?


Now your teams will meet and begin internal communications. At this point, it’s very important to know the depth of knowledge and range of skills of your internal staff. Reach out to external resources if you need them to work through the incident.


Classify the incident, aligning it with your framework of standards and into one of these categories: physical, human or electronic.


As you learn more, you may need to escalate your actions, always in close communication with your incident management team. If you have an actual breach (unauthorized access or acquisition of a system or data), it’s time to escalate to outside counsel and a breach remediation specialist.


Once the threat has been diagnosed, contain it and start evidence collection.

Collect evidence

Your team or outside experts must be qualified to collect evidence that could be used during any formal governmental investigation. Are there legal requirements you need to be aware of?

Corrective actions

Now your technical operations team will get involved. Depending on the severity of the damage, technical operations may be able to fix the systems, or if the damage is severe they may need to build new systems. Mitigation will lessen or reduce the possibility of further damage. This first step may be accomplished by installing a temporary patch or implementing a quick additional control, and by ensuring that up-to-date patching has been done on all components.

You may have to remediate by removing old hardware or software components that can no longer be patched, installing another vulnerability-management layer and implementing strict, permanent controls to prevent the vulnerability from reappearing.

In those cases where the system is very badly damaged, the only option may be to completely wipe the system or physically destroy it to eradicate the issue.


The last phase for technical operations is to return the system to normal operation. They will implement whatever actions are needed to recover your data and rebuild any damaged systems.

Once all this is done, it’s time to take a close, critical look at every step of your process with an eye toward better protection and improved response.

Want to learn more? Download your free guide, How to Develop an Effective Cyber-response Program, today.