Take action in response - containment, eradication and recovery

Containment is important to prevent further damage and escalation of the incident, including preventing the incident from overwhelming your organisation's resources. It can buy your organisation time to develop a more complete remediation plan.

The containment strategy will be different for different types of incident. In deciding on the appropriate strategy you should consider:

  • potential damage to and theft of organisation property and resources
  • preservation of evidence
  • service availability (eg network connectivity, services provided to external parties, etc)
  • time and resources needed to implement the chosen strategy
  • effectiveness of the strategy (eg will it achieve partial or full containment?)
  • duration of the solution (hours, weeks or permanent)

Stopping and/or monitoring the incident

Stopping the attack: if the incident is still in progress, you should consider taking steps to stop it. This decision will usually rest upon the technical advice from your internal or external computer security experts.

The most common way to do this is to disconnect the affected systems from the network. You should note that some attacks may cause additional damage when they are contained, so you should not assume that once a host has been disconnected from the network, further damage has been prevented.

Monitoring: while your first instinct may be to stop the cause of the incident as soon as possible, technical and legal advice should be sought concerning whether it may be more effective to monitor the incident in the short term. This usually involves redirecting the attacker to a "sandbox" (a form of containment) so it can be monitored and additional evidence gathered. However, other monitoring techniques should only be used with caution. If an organisation knows its system has been compromised and allows the compromising behaviour to continue, it may be liable if the attacker uses the compromised system to attack other systems and organisations.

Are injunctions required? You should also consider whether it would be appropriate to use legal action to restrain the continuation of the behaviour in question or to prevent any third party using or disclosing inappropriately acquired data (see Are injunctions required? below for more information).

Eradication and recovery

Eradication: once the incident has been contained, eradication may be necessary to remove incident traces, such as deleting malware and disabling compromised user accounts, as well as identifying and mitigating the vulnerabilities exposed by the incident.

Recovery: after eradicating the residual elements of the incident, a recovery process may take place to restore the systems to normal operation. This may include restoring systems from clean back-up versions, rebuilding systems from scratch, replacing compromised files, installing patches, changing passwords and tightening perimeter security.

Identifying the attacking entity

Following a cyber security incident, the focus will normally be on containment, eradication and recovery to minimise the business impact of the incident on the organisation. Although an important issue, identifying the attacking entity or person can be time-consuming and often futile; as such, it should only be undertaken if it is likely to help with containment, eradication and recovery.

Common methods used to identify an attacking entity include:

  • validating the attacking entity's IP address
  • researching the attacking entity through search engines
  • using independently maintained incident databases
  • monitoring possible attacker communication channels
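The first item in that list, validating the attacker's IP address, is the one step that can be done entirely from your own logs. The Python below is an added illustration (not part of the original guidance) of what "validating" means in practice: extract every token that looks like an address, reject the ones that are not valid addresses at all, and separate addresses that belong to your own networks or to ranges that cannot be routed on the internet (and so are either internal, spoofed or a parsing mistake) from globally routable candidates worth researching further. The log lines are constructed for this example and use the RFC 5737 / RFC 3849 documentation ranges, which the standard library correctly reports as non-routable, so on this sample the "global" bucket is empty; on real logs it is the bucket that feeds the remaining steps in the list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (no real incident data), deliberately mixing
# syslog/sshd, web-server and firewall formats.  External source addresses use
# the RFC 5737 (IPv4) and RFC 3849 (IPv6) documentation ranges.
SAMPLE_LOG = """\
Mar 03 10:14:02 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar 03 10:14:05 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51130 ssh2
203.0.113.77 - - [03/Mar/2024:10:15:01 +0000] "GET /admin/login HTTP/1.1" 404 162
Mar 03 10:16:40 web01 sshd[2290]: Accepted publickey for deploy from 10.0.0.12 port 40212 ssh2
Mar 03 10:17:01 fw01 kernel: DROP IN=eth0 SRC=192.0.2.1 DST=10.0.0.5 PROTO=TCP
Mar 03 10:18:22 web01 app[3100]: request from 256.1.1.1 rejected by input validation
Mar 03 10:19:00 web01 app[3100]: callback to 2001:db8::1 timed out
"""

# The regex only finds tokens that *look* like addresses (dotted quads, full
# IPv6, or IPv6 with a "::" compression).  ipaddress.ip_address() is the real
# validation step; timestamps such as 10:14:02 never reach it.
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
IPV6 = r"(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|[0-9a-fA-F:]*::[0-9a-fA-F:]*"
IP_RE = re.compile(rf"(?<![\w.:])({IPV4}|{IPV6})(?![\w.:])")

# Ranges assumed to be the organisation's own address space (RFC 1918 / RFC 4193).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def classify(addr):
    """Return 'internal', 'global' or 'unroutable' for a parsed address."""
    if addr.is_loopback or addr.is_link_local or any(addr in net for net in INTERNAL_NETS):
        return "internal"          # our own hosts: the record describes us, not the attacker
    if addr.is_global:
        return "global"            # a routable candidate worth researching further
    return "unroutable"            # documentation, reserved, multicast, benchmark ranges:
                                   # cannot be a genuine internet source (spoofed or mis-parsed)


def triage(log_text):
    """Bucket every address-like token in the log by validity and routability.

    Returns a dict of Counters keyed 'global', 'internal', 'unroutable', 'invalid';
    each Counter maps the normalised address text to its number of occurrences.
    """
    buckets = {k: Counter() for k in ("global", "internal", "unroutable", "invalid")}
    for token in (m.group(1) for m in IP_RE.finditer(log_text)):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            buckets["invalid"][token] += 1   # e.g. 256.1.1.1: looks like an address, is not one
            continue
        buckets[classify(addr)][str(addr)] += 1
    return buckets


if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_LOG).items():
        print(f"{bucket}:")
        for address, n in counts.most_common():
            print(f"  {address}  ({n} occurrence{'s' if n != 1 else ''})")
```

Note that the extractor is deliberately field-agnostic, so the firewall line contributes both its SRC and its DST address; in a real deployment the parser should know which field is the source for each log format so that your own destination hosts are never mistaken for an attacker. The "unroutable" bucket is the reason the validation step exists: an address there was either spoofed, synthetic test traffic, or mis-parsed, and researching it through search engines or incident databases would waste the time the page warns about.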

Are injunctions required?

  • if the breach is ongoing and/or there is a risk that information will be published, you should consider urgently whether you need an injunction or similar remedy from a competent court to prevent continuation of the breach or further disclosure
  • while considerations for injunctions vary from jurisdiction to jurisdiction, typically, you should consider:
    • is it possible to seek an urgent interim injunction to prevent a specific act in the short term?
      • interim injunctions are sought before or during the hearing of the substantive merits of the case
      • such injunctions typically remain in force until discharged by the court
      • factors the court will take into account when seeking an interim injunction vary across jurisdictions but may include:
        • the broader context in which the injunction is sought; the test applied differs between jurisdictions, for example whether there is a serious question to be tried or a likelihood of success in the action upon which the injunction is based
        • the consequences for the parties of not granting the injunction
        • other factors which the court is required to consider by law in a particular jurisdiction
  • if necessary, jurisdiction-specific legal advice should be sought to understand the relevant considerations in a particular market