5 Things NOT to do During an Incident

It’s easy to get stressed out when there is an incident in your organization, and this can lead to making rash decisions out of haste. This is the worst thing that you can do during a security incident. Oftentimes, people make these rash decisions and do not know of their harmful impact until they worsen the problem that they were originally trying to contain. Here is a list of things NOT to do during an incident:

1. Panic: Do not panic. It is the worst thing that you can do during an incident. You want to remain calm and having an IR plan will help to do just that. An IR plan will provide you with a preplanned path that outlines the best course of action to take during an incident. It is extremely important to create a strong plan before an incident occurs in order to ensure that the procedures are detailed and specific.
2. Shut Down Systems: Do not shut down the infected systems. By shutting down, you could lose volatile data that contains important forensic information. This information can be essential in determining the timeline of what transpired. Following this timeline will also tell you what information is potentially stolen so that you can choose the best way to handle the stolen data.
3. Socialize: Do not discuss the incident with others unless otherwise directed. It is important to be cautious about the audiences that you choose to communicate with about an incident that has just begun to unravel. It is best to only share information about the breach with those that absolutely need to know, otherwise the situation could become worse.
4. Use Domain Admin Credentials: Do not use domain administrative credentials when accessing systems environment. Threat actors patiently wait for a user with enterprise-wide access to log in so that they can capture the password to gain complete control over the environment. Using admin credentials to log in could potentially give a hacker an easier way to access your sensitive data.
5. Non-forensic Tool Usage: Do not execute any non-forensic software on the infected systems because this will overwrite the timelines associated with the attack in the Master File Table. Again, it is imperative to not tamper with the timeline so that you can follow exactly what occurred during the incident.

4 Things TO DO During an Incident

Instead of making hasty decisions during an incident, people should take some steps towards containing and fixing the incident. Gathering as much information about the incident as possible is extremely helpful when containing an incident. Follow the tips below to correctly address an incident:

1. Collect Data: Collect volatile data and other critical artifacts from the system using forensic tools. Forensic tools have the ability to connect to the system without modifying any timestamps that are on the device.
2. External Intelligence: Gather external intelligence based on identified indicators of compromise (IOC). Search the web for intelligence about specific MD5’s, IP addresses, and domains that you discovered during your initial incident investigation. You are attempting to identify what the potential infection is or what type of malware may be in the system.
3. Safeguard: Safeguard Systems and other media for forensic collection.
4. Collect Logs: Collect the appropriate logs. This may include Windows Events, Proxy, Netflow, Anti-Virus, Firewall, etc. It is important to view the story at both the network and at the endpoint level.

Interested in learning more about incident response?

Read more in our Field Guide to Incident Response Series

1. 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
2. The Do’s and Don’ts of Incident Response
3. Building Your Incident Response Team: Key Roles and Responsibilities
4. Creating an Incident Response Classification Framework
5. The Five Steps of Incident Response
6. 3 Tips to Make Incident Response More Effective
7. Using Existing Tools to Facilitate Incident Response
8. Learning From a Security Incident: A Post-Mortem Checklist