James Moos, Director of Digital Forensics Bureau, examines a range of ways to deal with the intricate issues faced when under cyber attack.

Wise advice that’s worth sharing comes from Schneier [1]: ‘security is a process, not a product.’ These words will ring true throughout this article as it explores a variety of challenges and solutions.

Your organisation is currently experiencing a cyber attack. Various parts of the network are affected, your customer-facing portals are down and, as a business, you are presently unable to operate. You have a serious and significant problem on your hands. Depending on the complexity and scale of a cyber attack and the tools you have at your disposal, this can be a challenge to combat.

This type of scenario is unfortunately a realistic one; 90 per cent of large organisations reported an information security breach in 2015, according to PwC [2]. Organisations need to be prepared to handle such incidents so that when they do strike (and they will), plans and procedures are in place to minimise the business impact as much as possible.

Kral [3] provides a starting point by listing the key stages that an incident handler should follow. They are as follows:

  • Preparation
  • Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons learned

Preparation

Preparation for a cyber attack is paramount. With an ever-increasing number of media articles reporting cyber breaches, you will always be preparing for a case of ‘when’ and not ‘if’. You may have to accept that you will be unable to stop a determined attack. Hence, whilst you still have to build your layered defences, your plans must include processes to minimise the damage.

First and foremost, three important plans should be produced. These are a business continuity plan, a business recovery plan and an incident response plan. The first two revolve around the organisation while the third is a technical plan.

A business continuity plan is all about how to continue essential business operations while suffering from an issue such as a cyber attack. Risk management should feed into this and identify key operational assets. This allows solutions (technical or otherwise) to be chosen to maintain the services these assets provide during a problematic period. This plan should consider circumstances ranging from natural disaster (such as flood, earthquake or fire) through to intentional breaches such as hacking.

Organisations sometimes make use of hot sites (a secondary site with all the necessary infrastructure and equipment pre-installed) to which operations can be transferred if the main site is unable to operate. The solutions available to you as an organisation will depend on your resources and on business impact assessments of an attack.

A business recovery plan differs from a business continuity plan because it focuses on how to repair the damage caused after an event has occurred. It takes a longer-term perspective than the business continuity plan, whose sole priority is short-term operational continuity.

An incident response plan relates to the technical and non-technical response surrounding a cyber breach. Many organisations will have an internal computer emergency response team (CERT) or have a contractual agreement with another organisation to supply a CERT. Either way, this should be in place before an incident occurs.

This incident response plan is likely to be produced by, or in consultation with, the CERT. It will highlight priorities for the team to identify, contain, eradicate and recover from an information security breach. It will also contain other important incident-handling information, such as the other teams to be involved during an incident. These could include senior management, public relations and legal teams.

All of these plans should be updated on a periodic basis to reflect changes in the organisation. This follows a continuous cycle, which is often the case with many parts of information security such as risk assessments and management.

Such plans are not the only form of preparation. Information security preparation should never be limited to handling an incident, but also preventing one. This comes in the form of user awareness and training, policies and procedures, physical security and technical security measures.

Identification

Moving on to the second of Kral’s stages, ‘identification’ - the name is self-explanatory. Tools such as intrusion detection systems (IDS) are not always accurate, so the first priority is to establish whether a situation is indeed a cyber attack or whether a false positive has occurred.

Beyond this, once a cyber attack has been confirmed, the identification stage will also incorporate trying to learn as much about the attack as possible - the ‘who, why, what, when and how’. The priority amongst these questions is always likely to be the ‘how’ - this will pave the way for the next stage - ‘containment’.
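As an added illustration of the triage point above (example code, not from the article or its cited sources), the following Python corroborates each IDS alert against host log lines before treating it as confirmed, and records the ‘who, what, when, where and how’ for those that are. The alerts, log lines, hostnames, IP addresses, signature names and corroboration rules are all constructed placeholders; an ‘unconfirmed’ result means the alert lacks host-side corroboration and needs analyst review, not that it is safe to dismiss.

```python
"""Added example (not from the article): corroborate IDS alerts with host
telemetry before treating them as a confirmed attack.
All alerts, log lines, hosts, IP addresses, signature names and rules are
constructed for illustration.
"""
from datetime import datetime, timedelta

# How long after an alert we look for corroborating host activity.
WINDOW = timedelta(minutes=10)

# Constructed IDS alerts: (timestamp, source IP, destination host, signature).
IDS_ALERTS = [
    ("2015-12-20T10:02:11", "203.0.113.7", "web01", "SSH brute force"),
    ("2015-12-20T10:05:40", "198.51.100.9", "web02", "SQL injection probe"),
    ("2015-12-20T11:30:05", "192.0.2.44", "files01", "SMB lateral movement"),
]

# Constructed host log lines: "<timestamp> <host> <message>".
HOST_LOGS = [
    "2015-12-20T10:02:50 web01 sshd: Accepted password for admin from 203.0.113.7",
    "2015-12-20T10:03:02 web01 cron: nightly job finished",
    "2015-12-20T10:06:01 web02 httpd: 200 GET /products?id=1",
    "2015-12-20T11:31:10 files01 smbd: new share mount from 192.0.2.44",
    "2015-12-20T11:35:00 files01 audit: new admin account 'svc_backup' created",
]

# Constructed corroboration rules: substrings that, seen on the target host
# shortly after the alert, indicate the alert reflects real activity.
CORROBORATION = {
    "SSH brute force": ["Accepted password for"],
    "SQL injection probe": ["500 ", "database error"],
    "SMB lateral movement": ["share mount from", "account", "created"],
}


def parse_log(line):
    """Split a constructed log line into (datetime, host, message)."""
    ts, host, message = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, message


def corroborate(alert, logs, rules, window=WINDOW):
    """Return the host log lines that corroborate one IDS alert.

    A line corroborates when it is from the alert's destination host,
    falls within `window` after the alert and contains one of the
    substrings configured for that signature.
    """
    ts, _src, dst, signature = alert
    alert_time = datetime.fromisoformat(ts)
    needles = rules.get(signature, [])
    hits = []
    for line in logs:
        log_time, host, message = parse_log(line)
        if host != dst or not (alert_time <= log_time <= alert_time + window):
            continue
        if any(needle in message for needle in needles):
            hits.append(line)
    return hits


def triage(alerts, logs, rules):
    """Classify each alert and record the who/what/when/where/how."""
    results = []
    for alert in alerts:
        ts, src, dst, signature = alert
        evidence = corroborate(alert, logs, rules)
        results.append({
            "who": src,
            "what": signature,
            "when": ts,
            "where": dst,
            "how": evidence,
            "status": "confirmed" if evidence else "unconfirmed",
        })
    return results


if __name__ == "__main__":
    for record in triage(IDS_ALERTS, HOST_LOGS, CORROBORATION):
        print(record["status"], record["what"], "->",
              len(record["how"]), "corroborating line(s)")
```

In practice the corroboration rules would be fed by whatever host and application logs the organisation already collects; the point is that an IDS signature alone is a hypothesis, and the ‘how’ of the incident is built from the host-side evidence that confirms it.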


Evidence gathering should also begin at this point to support any legal proceedings that may follow. This should always be done, even if there is no present intention to initiate legal action. It is far easier to produce evidence that is acceptable for court standards if captured at the time of investigation, rather than trying to produce it at a later stage, when evidence may no longer exist or may have been contaminated.
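One way to make captured evidence checkable later, offered here as an added example rather than the article’s own procedure: hash every artefact at the moment of acquisition, record who captured it and when in a manifest, seal the manifest itself, and re-hash whenever the evidence is next handled. The artefact contents, custodian name and case reference below are constructed placeholders.

```python
"""Added example (not from the article): hash evidence at capture time and
re-check it later so that any contamination is detectable.
All artefact contents, the custodian name and the case reference below are
constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    """SHA-256 of raw bytes as a hex string."""
    return hashlib.sha256(data).hexdigest()


def capture(artefacts, custodian, case_ref, captured_at=None):
    """Build a capture manifest with one entry per artefact.

    `artefacts` maps an artefact name to the bytes acquired for it. The
    manifest records what was taken, by whom, when, and each item's hash.
    """
    if captured_at is None:
        captured_at = datetime.now(timezone.utc).isoformat()
    return {
        "case": case_ref,
        "custodian": custodian,
        "captured_at": captured_at,
        "items": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in artefacts.items()
        },
    }


def seal(manifest):
    """Hash of the manifest's canonical JSON. Record this in the custody
    log so that later edits to the manifest itself are also detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def verify(manifest, artefacts):
    """Re-hash the artefacts now held against the manifest.

    Returns name -> 'intact', 'modified' or 'missing'.
    """
    status = {}
    for name, entry in manifest["items"].items():
        data = artefacts.get(name)
        if data is None:
            status[name] = "missing"
        elif sha256_hex(data) != entry["sha256"]:
            status[name] = "modified"
        else:
            status[name] = "intact"
    return status


# Constructed artefacts as acquired during the investigation.
ORIGINAL = {
    "web01-auth.log": b"2015-12-20T10:02:50 web01 sshd: Accepted password for admin\n",
    "web01-memory.raw": bytes(range(256)) * 4,
}
MANIFEST = capture(ORIGINAL, custodian="J. Example (placeholder)",
                   case_ref="CASE-PLACEHOLDER-001",
                   captured_at="2015-12-20T12:00:00+00:00")
MANIFEST_SEAL = seal(MANIFEST)

# Constructed state of the same evidence some time later: one file has
# been appended to and one is no longer present.
LATER = {
    "web01-auth.log": ORIGINAL["web01-auth.log"] + b"tampered\n",
}

if __name__ == "__main__":
    print("manifest seal:", MANIFEST_SEAL)
    print("at capture:", verify(MANIFEST, ORIGINAL))
    print("later:     ", verify(MANIFEST, LATER))
```

The manifest and its seal are what get written into the custody record at capture time; the ‘modified’ and ‘missing’ results on the later check are exactly the contamination and loss the paragraph warns about, made visible rather than discovered in court.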

Containing a cyber attack is crucial. As an attack may be ongoing alongside the organisation’s incident response, the natural first objective must be to halt the attack. If an attack was detected early on, it may even be possible to prevent serious damage occurring.

Eradication

Even if an attack is over, vulnerabilities clearly exist somewhere in the security chain, meaning these must be identified and plugged before further exploitation can occur. This is addressed in the ‘eradication’ stage. Any affected systems may be removed while work is carried out to prevent further attacks from taking place.

Recovery

The ‘recovery’ phase is about restoring an organisation’s information systems to their original state, that is, fully operational. This is where the business recovery plan comes into play, and having it pre-defined will save precious resources such as time and money.

Lessons learned

The importance of the ‘lessons learned’ phase cannot be overstated. Just as children learn from their mistakes and develop into mature adults, the process of protecting an organisation’s information security is one that constantly evolves.

Lessons learned should feed directly back into the ‘preparation’ stage, both pre-incident and post-incident. Pre-incident preparations such as user training and technical security measures should be updated or changed as required. Post-incident solutions such as the business continuity plan, business recovery plan and incident response plan (and procedures) should all adapt in order to improve.

The complexity of a cyber attack means that in order to effectively deal with it, ‘there is no single riddle wrapped up in an enigma’ - more accurately, it is a series of riddles. Being prepared to initiate these stages in incident handling will afford the best chances of reducing a cyber attack’s impact.

References

  1. Schneier, B. (2014) ‘The Future of Incident Response’, IEEE Security and Privacy, 12(5), pp. 95-96.
  2. PwC (2015) 2015 Information Security Breaches Survey. (Accessed: 26 December 2015).
  3. Kral, P. (2011) The Incident Handler’s Handbook. The SANS Institute.