Responding to a Breach

Chapter Description

In this sample chapter from Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer, you will explore the basic concepts for proper incident response procedure to understand why organizations commonly fail at the process when responding to a breach. The authors also share techniques used by organizations that have a successful incident response plan and provide an overview of industry-proven components required to build an incident response process within your organization.

Assembling Your Incident Response Team

Creating an incident response team means assembling a group of individuals to work and train together. Many organizations do not have the luxury of a dedicated incident response team and instead use people who have another primary job function. As with any functional team, it is critical that the IRT practice its tradecraft, improve its skills, and understand how to work together. If your team is not dedicated, set aside dedicated time on a regular schedule for the team members to get together and work through mock scenarios. The incident response team should include forensic investigators, corporate communications and public relations teams, network and system administrators, and legal representatives, so that everybody is aware of who the IRT members are and how to work with them. You don’t want to be doing introductions while under the pressure of a major cyber incident.

When you are choosing members of the incident response team, include individuals who have experience in how technical systems can be breached and those who understand how to configure and manage such systems. Breach experience could be associated with a job title like penetration tester, while managing a system could be a job title like network engineer. Additionally, the incident response team needs managerial, leadership, marketing, and legal representatives to accurately gauge the situation and make appropriate calls that may be financially or politically sensitive. If you are wondering why marketing personnel would be involved, the short answer is that they are probably best able to present a negative situation like a cyber breach in the most favorable manner. What you don’t want is an upset analyst complaining about the situation to the local news.

Here is a list of roles that should be included in an incident response program:

  • C-level sponsor

  • Technical members who have knowledge of virtual, physical, and cloud technology

  • Managers who are authorized to make decisions that impact changes to technology and services

  • Legal representatives who can advise on the impact of a manager’s decisions

  • Marketing personnel representing a public-facing message

When to Engage the Incident Response Team

The first sign of trouble will likely be determined by people who are not on your incident response team. Many breaches are reported by customers, outside organizations, or general employees. Brian Krebs, who runs the extremely popular and well-respected website Krebs on Security (https://krebsonsecurity.com/), has reported on many data breaches on his site. It is rumored that some organizations first learn they are victims of data breaches because they have read the news on Brian’s website. This has led to the slogan “Brian Krebs is my IDS.”

This story unfortunately highlights how many organizations cannot accurately determine whether attackers have infiltrated their networks. Organizations need to understand when and why they should engage their incident response team. Engaging the team too soon can be costly for the organization and burn out team members. Engaging a team too late could mean attackers may have a chance to fully compromise a network and hide their tracks. There should be rules or triggers that require your organization to engage in incident response as well as a simple method for people to report an incident. Our recommendation is to centralize the method of contact to one email or phone number because people involved in an incident will likely be panicking and need to quickly find the IR resource. This is why the United States makes its emergency number simple to remember: just dial 911. We talk more about contact lists shortly.

The OODA loop provides a good reference process to understand how to quickly react to rapidly unfolding cybersecurity events. It is often used in cybersecurity in areas of threat intelligence. OODA, which stands for observe, orient, decide, and act, was developed by military strategist and United States Air Force Colonel John Boyd (https://en.wikipedia.org/wiki/OODA_loop). The process can be implemented as a workflow and is still used today by many incident response specialists when dealing with various types of crisis situations, including nontechnical ones. Figure 4-1 shows the OODA loop.

Figure 4-1 OODA Loop

From an incident response standpoint, OODA can be used as a starting point for teams when they are investigating a situation. In Figure 4-2, we map typical actions that an incident response team may take onto the phases of the OODA loop.

Figure 4-2 OODA Loop with Cyber Correlations

When an IRT initially responds to an incident, it should observe and understand the security event. We mentioned some of these steps earlier in the chapter in relation to initial assessment and interview guidelines.

As a technical member of the IRT, a network engineer should pay close attention to the security events that are observable. This includes evaluating logs, SIEMs, and device alerts. Another technique we recommend when you are observing the environment is to note the applications that are being used and research any vulnerabilities or security notices for those applications. Most security logs do not show how attackers exploited an application to compromise the network. As a network engineer and forensics specialist, you need to look beyond what the logs tell you and conduct additional, and sometimes manual, research. There are many ways to search for possible exploits. Normally, a Google search with the application name and exact version number can reveal them. Additionally, sites such as https://cve.mitre.org/ are good places to look up Common Vulnerabilities and Exposures (CVE) entries. We also recommend searching the Exploit Database at www.exploit-db.com/ or even PasteBin at https://pastebin.com/. Figure 4-3 shows the search option within the exploit-db website. When you use these search engines, don’t limit your searches to applications; try emails, IPs, ASNs, and other information belonging to the organization to see whether there are any data leaks.

Figure 4-3 Exploit-db.com Search Example

Let’s look at the typical actions conducted by attackers and how those actions correspond to the OODA model. In Figure 4-4, some actions of cyber attackers have been added to the OODA loop. These actions are loosely based on the Lockheed Martin Cyber Kill Chain model and describe actions taken by attackers during a cyberattack. You can see that the attacker’s potential techniques correlate nicely with opportunities that IRT members can use to investigate and respond to different aspects of an attack. Not every attack will follow a structured OODA loop, but this is a way to model a generalized attack process alongside how an IRT should operate.

Figure 4-4 Revisiting the OODA Loop

Outstanding Items that Often Get Missed with Incident Response

We have already given you a few reference frameworks you should consider when building an incident response program. A few outstanding items often get overlooked, and you should be aware of them before we get into how a team will respond to an incident. These items may sound simple, and perhaps obvious, but the lack of planning around them can become a major problem for an organization. First, let’s look at how the team is engaged.

Phone Tree and Contact List

Years ago, when I was first starting my career, I was working at an IT helpdesk for a major global organization answering questions around VPN issues, resetting passwords, and performing other IT-related tasks. I normally worked a 2 a.m. to 10 a.m. shift so I could continue taking classes at the university. One by-product of working an odd shift was that the IT helpdesk was one of the few phone numbers that was answered 24 hours a day. We did, however, get all types of unexpected calls that were really outside our expertise. One early morning, I got a call from the company operator. She didn’t know what other number to dial and remembered the IT helpdesk was staffed 24 hours per day. One of the top executives of this corporation was a passenger on a hijacked commercial airliner, and the criminals were demanding a ransom for the life of the executive. Remember, when people are in a crisis, they will likely not be able to recall complicated numbers or processes. You should consider making your method of contact as simple as possible.

Often customers roll their eyes at me when I discuss creating a solid phone tree as part of an incident response plan. Hopefully, you will never be in a similar situation to the one I was in. In that situation, our IT team’s simple contact method was the only thing the executive could remember. I was probably not the best person to help the executive on the hijacked plane. Anybody would have been better than the late-night desktop support person. Then again, IT is expected to be able to fix anything. By the way, the executive as well as most of the passengers were fine.

A good incident response and communication plan should have a readily available contact list. This is sometimes done as a phone tree. A phone tree is simply a list of people who need to be notified when a breach occurs. The list may include people outside your organization, such as third-party interests and contractors. The list normally specifies which contacts are required and which are optional. It should have multiple contact numbers, emails, or other methods of reaching each individual, because important people tend to be busy and mobile. Because criminals are never mindful of our schedules, most lists should also state what to do if a person cannot be reached, how often to retry, and what the backup plan is. It is important to remember that contacting people can take valuable time away from your experts investigating the breach. This is why it is not uncommon for organizations to outsource the call list to a service company.
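The phone-tree rules just described (required versus optional contacts, several contact methods per person, a retry limit per method, and a named backup when someone cannot be reached) can be modelled as data and walked mechanically during a drill. The following is an added example, not code from the book or its authors; the contacts, methods and the reachability oracle are constructed so it runs offline.

```python
"""Phone-tree escalation drill (added example; all names and reachability are constructed)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Contact:
    name: str
    role: str
    methods: List[str]               # tried in the listed order
    required: bool = True            # required vs. optional notification
    backup: Optional[str] = None     # who to escalate to if this person is unreachable
    max_attempts: int = 2            # retries per method before moving to the next method


@dataclass
class NotificationResult:
    reached: Dict[str, str] = field(default_factory=dict)         # name -> method that worked
    unreachable: List[str] = field(default_factory=list)          # every method exhausted
    unresolved_required: List[str] = field(default_factory=list)  # required role, nobody in chain reached
    attempts: int = 0                                             # total call/message attempts


def _try_contact(tree: Dict[str, Contact], name: str, attempt: Callable[[str, str], bool],
                 visited: Set[str], result: NotificationResult) -> bool:
    """Work one contact and, on failure, its backup chain. True if anyone in the chain answered."""
    if name in visited:              # guards against A -> B -> A backup loops
        return False
    visited.add(name)
    contact = tree[name]
    for method in contact.methods:
        for _ in range(contact.max_attempts):
            result.attempts += 1
            if attempt(name, method):
                result.reached[name] = method
                return True
    result.unreachable.append(name)
    if contact.backup:
        return _try_contact(tree, contact.backup, attempt, visited, result)
    return False


def notify(tree: Dict[str, Contact], start: List[str],
           attempt: Callable[[str, str], bool]) -> NotificationResult:
    """Walk the phone tree from the listed starting contacts and report who was reached."""
    result = NotificationResult()
    visited: Set[str] = set()
    for name in start:
        if name in result.reached:   # already answered as someone else's backup
            continue
        if not _try_contact(tree, name, attempt, visited, result) and tree[name].required:
            result.unresolved_required.append(name)
    return result


# Constructed phone tree mirroring the roles listed earlier in the chapter.
PHONE_TREE = {
    "ciso": Contact("ciso", "C-level sponsor", ["sms:ciso", "phone:ciso"], backup="it-director"),
    "it-director": Contact("it-director", "Technical manager", ["phone:itdir"]),
    "counsel": Contact("counsel", "Legal", ["phone:counsel", "email:counsel"], backup="deputy-counsel"),
    "deputy-counsel": Contact("deputy-counsel", "Legal (backup)", ["phone:deputy"]),
    "pr-lead": Contact("pr-lead", "Marketing/PR", ["phone:pr"], required=False),
}

# Constructed reachability: (contact, method) -> the attempt number on which they answer.
ANSWERS_ON = {("ciso", "phone:ciso"): 1, ("deputy-counsel", "phone:deputy"): 2}


def simulated_attempt(answers_on: Dict[tuple, int]) -> Callable[[str, str], bool]:
    """Build a stand-in for 'place the call': answers only on the configured attempt number."""
    counter: Dict[tuple, int] = {}

    def attempt(name: str, method: str) -> bool:
        key = (name, method)
        counter[key] = counter.get(key, 0) + 1
        return answers_on.get(key) == counter[key]
    return attempt


def run_drill(answers_on: Dict[tuple, int] = ANSWERS_ON) -> NotificationResult:
    return notify(PHONE_TREE, ["ciso", "counsel", "pr-lead"], simulated_attempt(answers_on))
```

A non-empty `unresolved_required` list after a drill is the finding to act on: it means the plan has a required role with no reachable person and no working backup.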

One final contact concept is feedback as the incident takes place. Leadership and stakeholders will likely want to be updated continuously on the status of an incident as it is being resolved. The incident response preparedness plan should include instructions on how the team can provide feedback and updates to company and data stakeholders. If this step is not defined, it is likely the incident response team will be overrun by update requests. If the plan includes a feedback loop, everyone will understand how updates are received and delivered, thus cutting down on the individual updates the incident response team must do, enabling them to concentrate on investigating the incident.


Similar to phone trees, small details surrounding facilities can often be overlooked. It can be surprising to walk into a facility and realize that you need to get to a camera mounted from the ceiling to analyze its hard drives, or you need to unmount an access point installed on a brick wall. What happens when investigators arrive in the middle of the night at an unfamiliar location? Will they be able to get access to the data center or be stuck in the parking lot while the business is destroyed by a cyber incident? Cyber forensic investigators may need access to areas and systems that are not normally available to unauthorized individuals or are hard to reach. Long delays in physical access could make the difference between preserving evidence or it being destroyed. Organizations need to prepare for quickly granting access to such areas when required. Information regarding how to access areas such as the data center, remote backup locations, technology located in the ceiling (wireless access points, for example), and so on should be included in the incident response plan.

Another question to ask is whether all team members are required to be at the same physical location or whether members can work remotely over secure channels such as a VPN. If they are working remotely, how will information be shared without exposing results to the risk of contamination? Are the facilities able to accommodate the entire team if it is called in for an emergency? Some organizations make sure their facilities have beds and showers, along with caterers and food service available 24/7, to ensure their teams have everything in place to investigate complicated incidents. In most cases, you do not have to go to this extreme, but it may be wise to prepare for the worst-case situation or at least have something documented.
