What to do in the event of a cyber security incident

Our recommendations in the event of an incident or breach.

If you’re in Security or IT operations and you find yourself in the middle of a cyber-security incident, you have a very important role to play. Response teams will likely be relying on you to collect the information they need to determine the source and extent of a breach. Below are some of the key points MWR’s Incident Response team recommends internal teams cover when dealing with an incoming incident.


What data do I have to support response?

Identify sources of data that might be useful:

  • Domain/Server logs
  • Web proxy logs
  • Email server logs
  • Network flow data from firewalls, packet capture devices, etc.
  • Application logs (SAP, SharePoint, cloud services, etc.)
  • VPN authentication logs
  • Physical security logs (card access, etc.)


Determine where these are stored:

  • On endpoints and appliances?
  • Centrally aggregated (SIEM, etc.)?
  • Combination of both?


What won’t I have tomorrow?

Logs and other potentially useful data captured from networks are transient, and may be lost as time passes or due to user actions. Are these:

Stored centrally?

  • Check storage limitations due to disk space or licensing.
  • Some data may be sent to the aggregation point but discarded due to its configuration – review this.

Only present on endpoints or appliances?

  • Check and increase log storage limits – you want to keep captured data as long as possible.

In both cases:

  • Increase logging levels if possible – gather as much potentially useful data as is realistic.
  • Determine an archiving strategy – this may involve periodic exports from SIEM or network appliances, or constant retrieval of local logs from server(s).
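One way to implement the “constant retrieval of local logs” strategy, as an added example that is not the article’s own code: it copies a list of log files into a timestamped archive, skips files unchanged since the last run, and keeps a JSON manifest of SHA-256 hashes and sizes so that later truncation or tampering of the originals can be detected. File paths and the manifest layout are assumptions.

```python
"""Snapshot local log files into an archive with an integrity manifest.

Added example (not the article's code). Sources are copied, never modified,
and each archived copy is recorded with its SHA-256 so later tampering or
truncation of the originals can be detected. Paths are assumptions.
"""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def archive_logs(sources, archive_dir):
    """Copy each source file into a timestamped directory under archive_dir.

    Returns the manifest (list of dicts). A source whose hash matches its
    newest archived copy is skipped, so repeated runs only capture changes.
    """
    archive_dir = Path(archive_dir)
    manifest_path = archive_dir / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else []
    latest = {entry["source"]: entry["sha256"] for entry in manifest}
    run_dir = archive_dir / datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for src in map(Path, sources):
        if not src.is_file():
            continue  # rotated away or unreadable: nothing to copy this run
        digest = sha256_of(src)
        if latest.get(str(src)) == digest:
            continue  # unchanged since the last run, no need for another copy
        run_dir.mkdir(parents=True, exist_ok=True)
        dest = run_dir / f"{len(manifest):04d}_{src.name}"  # unique across runs
        shutil.copy2(src, dest)  # copy2 preserves mtime for later timelining
        manifest.append({"source": str(src), "archived": str(dest),
                         "sha256": digest, "size": src.stat().st_size,
                         "collected": run_dir.name})
        latest[str(src)] = digest
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest
```

Run it from cron or a scheduled task against the log paths you identified; the manifest doubles as a collection record for the response team.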


Where am I not looking?

Events related to an incident may show up in more than one data source. Move your focus beyond the point of detection / initial data source. For example:

Scenario: DLP detection of potentially malicious actions on endpoint

  • Domain logs: Which accounts have been authenticating to the endpoint? Which other endpoints have these accounts been authenticating to? Authentications to other systems and services from this endpoint?
  • Internal firewall logs: Network communication between suspect endpoint and other machines?
  • AV logs: Any recent antivirus warnings or events?
  • Proxy logs: What has this endpoint or user been contacting on the Internet? If there is anything unusual, is it used anywhere else?
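The domain-log pivot from the first scenario, as an added example that is not code from the article: given a suspect endpoint and constructed sample logon records, it lists the accounts that authenticated to or from that endpoint, then the other hosts those accounts reached. The log layout and field order are assumptions, not any product’s export format.

```python
"""Pivot from a suspect endpoint through domain authentication logs."""
from collections import defaultdict

# Constructed sample export of domain-controller logon events (assumed layout):
# timestamp event account source_host target_host
AUTH_LOG = """\
2019-03-04T08:01:12Z LOGON alice WS-101 FS-01
2019-03-04T08:03:40Z LOGON bob WS-117 WS-101
2019-03-04T08:05:09Z LOGON svc_backup DC-01 WS-101
2019-03-04T08:09:55Z LOGON bob WS-117 SQL-02
2019-03-04T08:14:30Z LOGON svc_backup DC-01 FS-01
2019-03-04T08:20:02Z LOGON carol WS-133 FS-01
2019-03-04T09:02:17Z LOGON bob WS-101 HR-APP
"""

def parse_auth_log(text):
    """Yield (account, source, target) for each well-formed LOGON line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "LOGON":
            continue  # skip malformed lines and non-logon events
        _ts, _event, account, source, target = parts
        yield account, source, target

def pivot_from_endpoint(text, suspect):
    """Return (accounts seen on the suspect host, {account: other hosts reached})."""
    hosts_by_account = defaultdict(set)  # every target host per account
    accounts_on_suspect = set()
    for account, source, target in parse_auth_log(text):
        hosts_by_account[account].add(target)
        # an account is of interest if it logged on to the suspect, or from it
        if suspect in (source, target):
            accounts_on_suspect.add(account)
    reach = {}
    for account in sorted(accounts_on_suspect):
        others = hosts_by_account[account] - {suspect}
        if others:
            reach[account] = sorted(others)  # next hosts to examine
    return sorted(accounts_on_suspect), reach

if __name__ == "__main__":
    accounts, reach = pivot_from_endpoint(AUTH_LOG, "WS-101")
    print("accounts seen on WS-101:", accounts)
    for account, hosts in reach.items():
        print(f"  {account} also authenticated to: {', '.join(hosts)}")
```

Each host in the returned reach map becomes a new suspect to run the same pivot (and the firewall, AV and proxy checks above) against.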

Scenario: Compromised web application

  • DMZ firewall: Anomalous connections from DMZ to rest of network?
  • Domain logs: Unexpected sessions to other servers in DMZ?
  • Outgoing proxy: Connections to Internet from within DMZ?
  • NetFlow: Connections to other servers in DMZ?


Am I considering the consequences of each action?

Actions taken during an incident may affect the outcome in unexpected ways. Therefore:

  • Keep communications related to the incident off the potentially compromised network – the attacker(s) may be watching. This includes email, collaboration platforms (SharePoint, Confluence, etc.) and helpdesk ticketing systems.
  • Do not be tempted to “have a quick look”. Any action risks changing or destroying artefacts valuable to an investigation.
  • Refrain from switching off potentially infected endpoints; disconnect them from the network instead. Memory contents may be valuable during the investigation.
  • Don’t independently run malware scans, or remove, relocate or upload malware to Internet malware scanners. Let the response team know when new findings arise and let them advise on the best approach.
  • Delayed responses allow more time for additional damage – quick reporting of, and response to, incidents can be hugely beneficial.
