You’ve been hacked. What’s your response plan?

Published on 07 May 2014

by GOsafeonline

Is your organisation prepared for a cyber-security incident? Hacking and other forms of cyber-attack have become more prevalent as organisations continue to rely heavily on ICT to maintain their competitive edge. These cyber-attacks have become more costly and disruptive because organisations are unprepared to deal with the sudden interruption to business operations and the unexpected loss of sensitive and proprietary information. Many organisations only start to learn how to respond to such an incident after the cyber-attack has taken place. Hence, having a structured and tested cyber security incident response plan should always be part of the organisation’s risk management strategy.



Cyber-attacks occur frequently. To respond to these security incidents efficiently, organisations, in general, need to:

  • Take preventive actions based on the results of security risk and vulnerability assessments to minimise the possibility and reduce the impact of cyber security incidents.
  • Develop incident detection and response capability, including the definition of an incident response plan that outlines which steps or actions must be followed to recover from the incident.

Minimise Possibility and Severity of Cyber Security Incidents
Adopting a preventive approach is often less costly and much more effective than reacting to a security incident after it has occurred. Although it is impossible to prevent all security incidents, steps can be taken to ensure that their impact is minimised. Organisations should therefore consider the following:

1. Secure IT Networks, Systems, and Applications
A higher number of cyber-security incidents may occur if these components are not secured. Organisations should routinely check all network and system devices to ensure that they have the latest patches and relevant security controls installed, and enforce strong password requirements for user accounts.
2. Assess and Monitor IT Systems and Services
Besides attempting to secure the ICT infrastructure, organisations should routinely assess their security posture. This can be done by performing security vulnerability assessments (conducted by security specialists), monitoring and analysing network traffic and system performance, and regularly checking all logs, such as system, event, application, and intrusion detection logs. Continuous monitoring gives the organisation increased awareness of its ICT systems and services, enabling it to be better prepared in the event of a cyber-security incident.
3. Strengthen Response Capabilities and Resources
Organisations can handle security incidents more effectively and efficiently if they complement their incident response capabilities with adequate resources. This means that organisations need to establish and enforce clear ICT security policies and establish an incident response team. Many incidents are caused by employees who did not follow, or were not aware of, the proper procedures, or by wrongly configured devices such as network equipment and authentication services. Proper training for employees should also be undertaken to ensure that they are aware of, and comply with, the organisation’s ICT security policies.

Incident Detection and Response Capabilities
Indicators of cyber-security incidents can come from multiple sources. Detecting unauthorised changes made to critical system or application files can be an obvious sign that a cyber-attack has taken place. Organisations can use anti-virus software to detect malware infections, monitor logs from intrusion detection or prevention systems to identify attack patterns, and analyse records from firewalls to detect unusual network traffic patterns.
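One way to detect the unauthorised file changes mentioned above is to keep a hashed baseline of critical files and periodically diff the live tree against it. The following is an added example, not code from GOsafeonline; it assumes the baseline is stored somewhere an intruder cannot alter (offline or read-only media), and the `demo()` scenario is constructed, not taken from a real incident.

```python
"""File-integrity baseline check: an added example, not GOsafeonline's code.
Assumption: the stored baseline {relative_path: sha256_hex} is kept where an
intruder cannot alter it (offline or read-only media).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Hash every regular file under root, keyed by POSIX path relative to root."""
    rootp = Path(root)
    return {p.relative_to(rootp).as_posix(): sha256_of(p)
            for p in sorted(rootp.rglob("*"))
            if p.is_file() and not p.is_symlink()}


def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Report added, modified and removed files; any non-empty list is an
    indicator that deserves an initial assessment."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        (etc / "passwd").write_text("root:x:0:0\n# tampered\n")  # modified
        (etc / "hosts").unlink()                                  # removed
        (etc / "cron.sh").write_text("#!/bin/sh\n")               # added
        return compare_to_baseline(root, baseline)
```

Run `demo()` to see the three categories reported; in practice the baseline is rebuilt only after an authorised change (for example, after patching) so that routine maintenance does not drown out real indicators.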

Large organisations may also consider forming a dedicated Computer Security Incident Response Team (CSIRT) to be the main point of contact for dealing with cyber-security incidents in the organisation – including detection and mitigation of cyber security incidents, and restoration of the organisation’s ICT services. Members of the CSIRT should be trained and prepared to deal with any type of cyber security incident. Their roles and responsibilities must also be clearly defined.
There are several benefits of having a CSIRT:

  • Proactively monitor the ICT infrastructure for security breaches, provide support during systems auditing, assessment, and even penetration tests.
  • Act as a central communication platform to receive and disseminate vital information to appropriate parties (law enforcement agencies, vendors, clients, and other incident response teams) about cyber security incidents.
  • Document and record the cyber security incidents, including the lessons learned, to gain value from them and avoid repeating them, as well as to provide documentation for new team members.
  • Improve and strengthen the security posture of the ICT infrastructure by updating the systems and procedures, and develop new techniques to minimise vulnerabilities and risks.

Define Your Incident Response Plan
In preparation for a cyber-security incident, organisations need to design an incident response plan. This plan should cover the procedures to be followed in phases such as:


Initial Assessment

This phase determines whether the incident was caused by an actual cyber-attack or is a false positive. Besides determining the cause of the incident, the responding personnel or team will have to gather enough information to decide how they should proceed from their initial assessment.


Contain Damage and Minimise Risk

Limiting and preventing any further damage is the main purpose of this phase.
A three-pronged approach is needed to mitigate a security incident:

  • Short-term containment (e.g. isolating the affected network, shutting down servers, rerouting traffic, etc.),
  • System backup (e.g. backing up affected systems to preserve evidence for analysis), and
  • Long-term containment (e.g. deploying temporary fixes such as patches and removing backdoors, so that the system can remain in use without a total shutdown).


Removal and Recovery

Steps taken here remove the malicious content and restore the affected systems. Examples include restoring the system from the original disk images, installing patches, scanning for malicious software, and disabling unused services to harden the system. Testing, monitoring, and validating the recovered system are also required to avoid a repeat of the security incident.


Lessons Learned

Lastly, the responding personnel or team will have to document the lessons learned from the security incident, providing a source of reference in the event of a similar incident, as well as suggestions on how to improve the organisation’s effectiveness in dealing with future incidents.

Report Cyber Security Incident

In the event that the organisation is unable to resolve the security incident, it can contact the Singapore Computer Emergency Response Team for further advice and assistance.