7 Steps to Cyberattack Containment and Eradication

Concerns over how to manage cyberattacks and data breaches have moved beyond IT teams to the C-suite and the board. Recognizing that attacks happen to the best of organizations, board directors are asking, “What can be done to minimize the damage?”

Recently, I was asked to contribute some of my lessons learned as Chief Security Officer of Rackspace in a new book, Navigating the Digital Age: the Definitive Cybersecurity Guide for Directors and Officers, and it’s definitely worth picking up.

But if you’re looking for a primer on how to contain and eradicate future breaches, here’s a quick look at a few steps your business should take. After all, no matter how many precautions you put in place, every company is vulnerable to cyberattacks.

  1. Establish priorities as you gauge the impact

When you work to contain a cyberattack, you have to quickly stop the spread of the attack and prevent further damage. To do this, you will inevitably have to reduce, shut down or block services, which can have a huge impact on business workflows and services. It’s a tough decision to make, and it needs to be made based on how much risk your organization can tolerate. To help determine your risk tolerance, establish priorities of business processes and ensure that company leadership has helped shape this prioritization.

  2. Establish unity of command

Crises have a way of bringing people out of the woodwork to get involved. But time is of the essence during a cyberattack, and an influx of untrained hands or a fight for control can make things significantly worse. Combat this possibility by building an incident plan and rehearsing it yearly.

  3. Take holistic measures

Quick technical fixes can be tempting and — on the surface — seem like the right thing to do. But you’ve got to remember that additional technology adds complexity, and complexity is an enemy of security. Look across your entire organization and make sure that you have the necessary processes, policies, services and personnel in place in addition to the technology you need to keep your network and data safe.

  4. Retain an external forensics team

Frequently, internal response teams assume they can handle a crisis, and in the process of trying to fix one problem, make another worse. It can be extremely beneficial to engage with an appropriate forensics partner during your planning phase.

  5. Case management is critical

Because you never know where an investigation will lead, it’s important to follow best practices from the outset. During a crisis, engage your external forensics team to help maintain the integrity of evidence. If an attack leads to legal proceedings, the proper handling of evidence by your forensics team may prove invaluable.

  6. Focus on outcomes

Your first inclination may be to take a checklist approach to incident response. But since no two cyberattacks are the same, a checklist isn’t the most effective approach. Instead, use the OODA loop: Observe, Orient, Decide, Act. This methodology allows you to make informed decisions based on feedback from various sources. Recognizing that attackers may also be observing, orienting, deciding and acting against you, the goal is to tighten and accelerate your own OODA loop, using people, process and technology to move faster than your adversaries.

  7. Debrief

Once you’ve made it through your ordeal, it’s time to take stock of what went wrong in the beginning, and evaluate what worked and didn’t work during the recovery process. I cannot stress the importance of this step enough. You just came out of a nightmare. And if you do not make the right changes, you could be thrown back into it again. Capture the lessons you learned and make sure your team knows them inside and out.

If you’re looking for a deeper dive on how you can secure your IT environments against advanced persistent threats, check out our new on-demand webcast, Improving Security in Multi-Cloud Environments.

Brian Kelly is Chief Security Officer at Rackspace, responsible for protecting the company and its customers from the constantly-evolving risks and threats that exist in the IT world, as well as focusing on the physical security of Rackspace facilities. He has more than 35 years of experience, beginning in the United States Air Force, where he rose to the rank of Lieutenant Colonel.
