Prepare for Common Incident Scenarios

From Security for Everyone, edition e1.0.0, updated October 9, 2023.

While the steps outlined as examples in our overview of the incident response process are a good starting point, each incident scenario will have its own set of recommended actions and priorities. Creating documented playbooks for common incident scenarios can help you respond quickly and minimize the disruption of these events.

In this section, we will take a look at some common examples your company may face. You can use these as the basis for your playbooks or add new scenarios that are specific to your company or operating environment.

Scenario 1: Physical Theft or Loss

Description
• Computing or communications equipment is stolen or lost.

Potential Scenarios
• Theft from any of the organization’s offices.
• Theft while traveling (hotel, in transit, at the event).
• Item left behind or lost while traveling.

Incident Response Priorities
• Device replacement
• Assessment of potential data loss
• Insurance process compliance

Suggested Actions
• Notify security team of the loss.
• Identify if the device was secured sufficiently (passcode/password, disk encryption).
• Gather written accounts of circumstances.
• (In case of theft) Contact law enforcement if the intention is to prosecute or claim from insurance.
• Contact insurance company to initiate claim.
• Conduct root cause analysis to ensure travel choices, storage security, or device security choices remain appropriate.

Scenario 2: Data Corruption, Compromise or Loss

Description
• Data is corrupted or lost due to malicious actions or systems compromise.

Potential Scenarios
• Customer instance is compromised and data for a specific customer is corrupted or lost.
• Central system component is compromised and data for several (or all) customers is lost or corrupted.
• Configurations or source code is corrupted or lost.

Incident Response Priorities
• Understand the extent of data loss or compromise
• Understand and document the timeline of the incident
• Restore lost data to a known trusted state
• Manage customer relationships where needed
• Identify likelihood of data publication, resale or use in follow-up malicious activity (identity theft, extortion, fraud)

Suggested Actions
• Extensive log and systems interrogation to understand and document the event timeline.
• In case of customer-specific compromise, construction of a communications plan and management of the relationship.
• Identification of required backup data and initiation of backup processes.
• Monitoring of external communications channels to ensure any chance or instance of follow-up malicious activity using this data is known or managed if possible.
• If data loss may leave consequences for customers or stakeholders, manage communications to focus on concise, action-oriented messages, and data limitation for all parties.

Scenario 3: Malicious Software

Description
• Malicious software is installed and used on computing or communications equipment.

Potential Scenarios
• Cryptolocker attacker renders organizational files unreadable
• Malicious browser extension identified
• Malicious application installed on device
• Removable media containing malicious software used on network or systems

Incident Response Priorities
• Containment of the issue to ensure malicious software, or its effects, cannot spread
• Restoration of systems to a known good state
• Communication and education of staff to ensure

Suggested Actions
• Isolation of affected machines from networks and key systems
• Revocation of accounts for affected systems if appropriate
• Clean build and restore of systems from backups or known clean sources.

Scenario 4: Inappropriate Systems Usage and Insider Threat

Description
• Unauthorized or inappropriate systems usage is suspected or has been identified.

Potential Scenarios
• Use of organizational systems for criminal or inappropriate activities
• Fraud or deception
• Intentional corruption of data or attempts to mislead

Incident Response Priorities
• Understand the extent of the issue
• Limit impact and reverse any damage caused.
• Liaise with people and culture team to ensure the process is appropriate and within legal remit

Suggested Actions
• Evidence gathering from logs and authoritative data sources (forensic investigation)
• Interview with individuals or groups in question with appropriate assistance from people and culture teams.
• Revocation of access during investigation period

Scenario 5: Denial of Service

Description
• Organizational systems are subject to extreme levels of traffic or activity and are unable to continue normal levels of availability.

Potential Scenarios
• Distributed denial of service (DDoS) attack against hosting provider
• Distributed denial of service (DDoS) attack against application layer
• Denial of service from unanticipated fault
• Denial of service against individual customer instance or assets

Incident Response Priorities
• Maintain or restore systems availability
• Manage communications with customers and stakeholders
• Respond to guidance from hosting or third-party providers as and when it emerges.

Suggested Actions
• Increase monitoring and alerting
• Manage operations team to ensure changes are controlled and appropriate
• Work closely with communications teams to manage customer experience
• Contact hosting providers directly to ensure all possible steps have been taken.
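The first suggested action for this scenario, increasing monitoring and alerting, is easier to act on with a concrete rule in hand. The following is an added example, not code from the book: it reads constructed web-server access-log lines (the log format, the one-minute window and the request limits are all assumptions for illustration), counts requests per source address and per path, and reports both a single abusive client and a distributed application-layer flood. The distinct-source count is what tells an on-call engineer whether the fix is a local rate limit or a call to the hosting provider.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log shape (hypothetical, combined-log-like): source address,
# bracketed timestamp, request line and status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)


def parse_line(line):
    """Return (timestamp, source, path, status) or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group("ip"), m.group("path"), int(m.group("status"))


def build_sample_log():
    """Constructed traffic for one minute: a quiet baseline, one source
    hammering /login, and a distributed flood of /search (all sample data)."""
    base = datetime(2023, 10, 9, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset_s, ip, path, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} [{ts}] "GET {path} HTTP/1.1" {status}')

    for i in range(20):                      # baseline: 20 users, one request each
        add(i * 3, f"198.51.100.{i + 1}", "/")
    for i in range(120):                     # one source: 120 failed logins in 30 s
        add(i // 4, "203.0.113.10", "/login", 401)
    for i in range(200):                     # 200 distinct sources hit /search in 20 s
        add(i // 10, f"192.0.2.{i + 1}", "/search")
    return lines


def detect_floods(lines, window_s=60, per_source_limit=50, per_path_limit=100):
    """Count requests per source and per path in fixed windows and report
    anything over the limits (the limits are illustrative assumptions)."""
    per_source = Counter()
    per_path = Counter()
    sources_by_path = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                         # keep going past malformed lines
        ts, ip, path, _status = parsed
        bucket = int(ts.timestamp()) // window_s
        per_source[(bucket, ip)] += 1
        per_path[(bucket, path)] += 1
        sources_by_path[(bucket, path)].add(ip)

    noisy_sources = sorted({ip for (_b, ip), n in per_source.items() if n > per_source_limit})
    flooded_paths = {}
    for (bucket, path), n in per_path.items():
        if n > per_path_limit:
            # distinct_sources separates one abusive client (rate-limit it)
            # from a distributed flood (needs upstream help from the provider)
            flooded_paths[path] = {
                "requests": n,
                "distinct_sources": len(sources_by_path[(bucket, path)]),
            }
    return {"noisy_sources": noisy_sources, "flooded_paths": flooded_paths}


if __name__ == "__main__":
    for key, value in detect_floods(build_sample_log()).items():
        print(key, value)
```

In the constructed data, /login is flooded by one address (120 requests, one source) while /search is flooded by 200 different addresses; the same rule surfaces both, and the distinct-source count is what decides which of the suggested actions applies.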

Scenario 6: Account Compromise

Description
• One or more accounts are accessed without authorization.

Potential Scenarios
• Poor quality password used for system
• System did not require 2FA
• Account left active after staff exiting the organization
• Customer account compromised
• Phishing attack (see Social Engineering section below)

Incident Response Priorities
• Containment of affected accounts
• Limitation of the access granted to said account(s)
• Investigation of data and systems accessible from account
• Understanding of scope of compromise (what happened and what was lost).

Suggested Actions
• Suspension of affected accounts
• Investigation of associated accounts and systems
• Audit of account logs to understand the scope of compromise
• Education for the account holder (if appropriate) and other staff
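Two of the suggested actions above, auditing the account's logs to scope the compromise and investigating associated accounts, come down to the same log work as the event-timeline reconstruction in Scenario 2. The following is an added example, not code from the book, that does that work over a constructed authentication log (the line format, the field names and the set of known-good source addresses are assumptions). Given the compromised account and the addresses it normally uses, it picks out unfamiliar sources, counts logins that skipped MFA, lists the resources those sessions reached, finds other accounts the same sources touched, and emits a chronological timeline for the write-up.

```python
from datetime import datetime

# Constructed audit-log lines (not real data). Assumed format: ISO-8601 UTC
# timestamp followed by key=value fields. Deliberately out of order so the
# audit has to sort them into a timeline.
SAMPLE_AUTH_LOG = """\
2023-10-09T08:02:11Z user=alice src=198.51.100.7 event=login mfa=yes result=success
2023-10-09T08:05:40Z user=alice src=198.51.100.7 event=access resource=/crm/customers/1042
2023-10-09T21:15:10Z user=alice src=203.0.113.55 event=access resource=/crm/export
2023-10-09T21:14:03Z user=alice src=203.0.113.55 event=login mfa=no result=success
2023-10-09T21:20:00Z user=alice src=203.0.113.55 event=access resource=/hr/payroll
2023-10-09T21:31:22Z user=bob src=203.0.113.55 event=login mfa=no result=failure
2023-10-09T21:32:05Z user=bob src=203.0.113.55 event=login mfa=no result=success
2023-10-09T10:00:00Z user=carol src=198.51.100.9 event=login mfa=yes result=success
"""


def parse_event(line):
    """Parse one line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts, "ts_text": parts[0], "raw": line}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def _successful_login(e):
    return e.get("event") == "login" and e.get("result") == "success"


def audit_account(lines, account, known_good_sources):
    """Scope a suspected compromise of `account` from the log lines."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["ts"])

    # Step 1: sources the account logged in from that we do not recognise
    suspect_sources = []
    first_suspect_login = None
    for e in events:
        src = e.get("src")
        if e.get("user") == account and _successful_login(e) and src and src not in known_good_sources:
            if src not in suspect_sources:
                suspect_sources.append(src)
            if first_suspect_login is None:
                first_suspect_login = e["ts_text"]
    suspect = set(suspect_sources)

    # Step 2: what those sessions touched, and which other accounts the same sources used
    resources_touched, associated_accounts = [], []
    logins_without_mfa = 0
    for e in events:
        if e.get("src") not in suspect:
            continue
        user = e.get("user")
        if user == account:
            if _successful_login(e) and e.get("mfa") != "yes":
                logins_without_mfa += 1
            resource = e.get("resource")
            if e.get("event") == "access" and resource and resource not in resources_touched:
                resources_touched.append(resource)
        elif user and user not in associated_accounts:
            associated_accounts.append(user)

    # Step 3: a chronological timeline for the write-up (the account's own
    # activity plus everything the suspect sources did)
    timeline = [e["raw"] for e in events if e.get("user") == account or e.get("src") in suspect]
    return {
        "suspect_sources": suspect_sources,
        "first_suspect_login": first_suspect_login,
        "logins_without_mfa": logins_without_mfa,
        "resources_touched": resources_touched,
        "associated_accounts": associated_accounts,
        "timeline": timeline,
    }


if __name__ == "__main__":
    report = audit_account(SAMPLE_AUTH_LOG.splitlines(), "alice", {"198.51.100.7"})
    for key, value in report.items():
        print(key, value)
```

In the sample, the output names 203.0.113.55 as the unfamiliar source, shows the login that skipped MFA, lists the export and payroll paths reached from that session, and flags bob as an associated account because the same source went on to log in as him.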

Scenario 7: Social Engineering or Human Focused Attack

Description
• An individual or group within the organization complies with or falls for a social engineering attack.

Potential Scenarios
• Phishing email
• Malicious link in social media channel
• Phone scam or phone-based attack

Incident Response Priorities
• Identification of compromised accounts (if any)
• Identification of data loss or corruption (if any)
• Attack profile generation and awareness education material creation and delivery
• Damage limitation

Suggested Actions
• Interview with the affected person (people)
• Examination of any physical or electronic records for the attack (emails, logs, phone logs)
• Suspension or monitoring of suspected compromised systems or accounts
• Creation of education material or warning messages for internal staff to reduce the likelihood of future success for the attacker.
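The suggested action of examining the electronic records of the attack, for a phishing email, means reading the reported message's headers and body for the signs that it was not what it claimed to be. The following is an added example, not code from the book: it parses two constructed messages with Python's standard email module and records the indicators a responder would put in the attack profile (sender domain outside the organization, Reply-To pointing elsewhere, an SPF or DKIM failure recorded by the receiving mail server, urgency language in the subject, and link text whose host differs from the real target). The domains, messages and keyword list are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed messages (not real mail). The first is what a reported phishing
# email might look like; the second is an ordinary internal notice.
PHISHING_MESSAGE = """\
From: IT Helpdesk <support@example-login.net>
Reply-To: recover@mail-recovery.biz
To: alice@example.com
Subject: Action required: your password expires today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example-login.net; dkim=none
Content-Type: text/html

<p>Reset it now: <a href="http://example-login.net/reset">https://sso.example.com/reset</a></p>
"""

CLEAN_MESSAGE = """\
From: HR Team <hr@example.com>
To: alice@example.com
Subject: Benefits enrollment reminder
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Content-Type: text/plain

Enrollment closes Friday. The form is on the intranet as usual.
"""

# Assumed keyword list; tune it to the lures your staff actually report.
URGENCY_WORDS = ("action required", "urgent", "expires", "suspended", "verify your")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_FAIL_RE = re.compile(r"\b(spf|dkim|dmarc)=fail\b", re.I)


def _domain(address):
    return address.rpartition("@")[2].lower()


def examine_message(raw, trusted_domains):
    """Return the sender domain, the indicators found and the (href host,
    visible host) pairs for every link in an HTML body."""
    msg = message_from_string(raw)
    indicators = []

    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    if from_domain not in trusted_domains:
        indicators.append("sender_domain_untrusted")

    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and _domain(reply_addr) != from_domain:
        indicators.append("reply_to_mismatch")

    # The receiving server's own verdict on SPF/DKIM/DMARC, if it recorded one.
    if AUTH_FAIL_RE.search(msg.get("Authentication-Results", "")):
        indicators.append("auth_failure")

    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        indicators.append("urgency_language")

    links = []
    body = msg.get_payload()
    if not isinstance(body, str):
        body = ""                     # multipart bodies are out of scope here
    for href, text in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        text = text.strip()
        # Only compare when the visible text itself looks like a URL.
        text_host = urlparse(text).hostname if re.match(r"https?://", text, re.I) else None
        links.append((href_host, text_host))
        if text_host and text_host != href_host and "link_mismatch" not in indicators:
            indicators.append("link_mismatch")

    return {"from_domain": from_domain, "indicators": indicators, "links": links}


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, examine_message(raw, {"example.com"}))
```

The indicator names double as the vocabulary for the warning message to staff: a Reply-To that goes somewhere else and a link whose text and target disagree are things people can be taught to check.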