article
Will Lefevers
Many small companies, especially startups and SMBs, won’t have full-time security staff when hit with their first security incident. The process looks simple on paper, but several “gotchas” can trip up a team. As a result, understanding how to manage a security incident from start to finish correctly is critical for minimizing damage and preventing future breaches.
This guide provides a lightweight, minimal framework for resolving security incidents. The goal is to enable anyone to confidently and cleanly close out security incidents while minimizing business risk.
This step is pre-work, designed to make your process smooth and repeatable so you’re not trying to develop a process under pressure.
This step focuses on verifying the incident’s facts to prove it warrants a total response effort. Many investigations never turn into incidents; focus on finding the evidence that proves you have a probable loss of confidentiality, integrity, or availability due to malicious activity.
This stage is about scoping and stopping the harm; it’s the most crucial step to prevent further harm. If poorly executed, you may have to revisit the containment stage multiple times, discovering additional affected resources and expanding your exposure window. Focus on being comprehensive rather than quick.
This step is about being confident that all sources or artifacts of the intrusion are removed, ensuring bad actors don’t have another way in. Sophisticated attackers usually leave backdoors or alternate “persistence methods” to regain access if you remove their initial point of intrusion.
This step is about restoring normal operations and monitoring for re-infection or anomalous behavior. Some time must pass after the last signs of intrusion before you can safely declare the incident resolved.
This step is about capitalizing on the experience and ensuring this type of incident or root cause cannot happen again. Any repeated root cause findings across incidents should lead to a thorough analysis of why your environment is susceptible to this type of incident and what can be done to prevent it in the future.
Despite our best efforts, incidents can go awry. Below are some common pitfalls that prevent security issues from being closed quickly and cleanly. While every environment is different, these issues will likely impede small businesses without full-time security teams.
Whether due to competing business priorities, fear of the consequences of taking systems down, or general “analysis paralysis”, incident responders need to feel like this immediate incident is their one-and-only concern. Everything else can wait.
That level of priority must be recognized by managers and leadership as well—there should only be one Incident Commander at a given time. Outside parties interfering with the flow of the incident can result in incomplete knowledge, sloppy incident handling, a much longer time-to-close, and significantly more damage to the company.
Finally, executives tend to focus on the external perception of the incident (public relations, stock impact, customer disclosure) or fast recovery before all the facts are known. Once the evidence is trampled, it’s nearly impossible to get it back. Security news is full of stories from companies who had repeated re-infections or “rolling remediations” for months because they could not be sure they had fully evicted their intruder. Avoid the temptation to let outside parties drive the incident.
Your initial understanding of the incident is rarely your final understanding. Every person on an incident response team has key knowledge and perspective that has to be brought together to provide the proper corrective actions to prevent the incident from happening again.
Create an environment where everyone can speak up, entertain any reasonable theory, and prove/disprove it with the facts. Staring an inconvenient truth in the face and feeling that pain creates the motivation and consensus to close vulnerabilities for good (rather than cutting corners). Likewise, rushing the retrospective or glossing over the paperwork will likely result in repeat root causes and preventable future incidents. Take the time to do it right, once.
Lawyers have a crucial role in some incidents, especially if mandatory notifications are required (e.g. GDPR Breach Notifications) or regulatory assessments are performed. Pull them in as soon as the incident is fully scoped (Containment) and ensure they have all the evidence and understanding they need to do their part.
They may label the incident “Privileged and Confidential” and want to direct specific response actions (especially during employee investigations) to protect the company from potential lawsuits. Recognize that they should not be making technical decisions on isolating, containing, recovering, or preventing future incidents.
Your Incident Commander is empowered to make the business calls and close the incident clearly and efficiently. Your Technical Lead should provide expertise on the “how”. Finally, suppose lawyers fully “lock up” the incident. In that case, it’s unlikely your team will be able to do a thorough retrospective or inform your customers of the additional steps they might need to take to protect themselves. You owe your customers the chance to defend themselves if their data is exposed.
Effective management of security incidents is not just about immediate containment. Instead, it involves thorough investigation and long-term prevention strategies. Failing to address any phase—identification, containment, eradication, recovery, or lessons learned—exacerbates the situation and puts your organization at greater risk. As cyber threats evolve, staying ahead requires a well-planned, dynamic approach to incident response.
Choose DigitalOcean for a simple cloud solution that drives business growth. Experience reliable cloud computing services, robust documentation, scalability, and predictable pricing.
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
* This promotional offer applies to new accounts only.