The SANS Institute defines the 6 phases of Incident Response (PICERL). Every organization must have an IRP (Incident Response Plan) modeled on this.

PICERL Lifecycle
  1. Preparation: Training, backups, tools ready. (Do this NOW).
  2. Identification: Detecting the breach. Tracing the scope.
  3. Containment: Stopping the bleeding. (Disconnecting infected servers).
  4. Eradication: Removing the malware/rootkit completely.
  5. Recovery: Restoring data from backups and bringing systems back online.
  6. Lessons Learned: Post-mortem. How do we stop this from happening again?

1. The Containment Dilemma

When you see a hacker on a server, your instinct is to pull the plug.
Wait! If you pull the plug, you lose the contents of RAM, which is volatile and gone the moment power drops.
RAM holds encryption keys (for ransomware) and the evidence of where the hacker came from (live connections, running processes).
Correct Action: Disconnect the network cable (Air Gap), but keep the machine powered on so the volatile evidence survives for forensics.
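An added example (not part of the original note) of doing containment in that order: capture the volatile evidence first, then cut the network, never the power. It assumes a Linux host and only the Python standard library; the /proc/net/tcp sample below is constructed, the interface name eth0 and the /tmp output directory are assumptions, and the isolation step is a dry run unless the responder passes execute=True.

```python
"""Pre-isolation volatile evidence capture (added example, not the note's own tooling).

Order of operations for the containment step:
  1. capture_volatile()  - snapshot connections and processes from /proc, hash the bundle
  2. isolate_network()   - take the interface down (air gap); the host stays powered on
Assumes Linux (/proc) and the standard library only.
"""
import hashlib
import json
import socket
import struct
import subprocess
import time
from pathlib import Path

# Constructed sample of /proc/net/tcp: one SSH listener and one established
# inbound SSH session from 192.168.1.5 (assumed values, for demonstration).
SAMPLE_PROC_NET_TCP = """
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:0016 0501A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def _hex_addr(field: str) -> tuple:
    """Decode a /proc/net/tcp address field such as '0100007F:0016'.

    The IPv4 part is host-byte-order hex (little-endian on x86), the port is hex.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """Parse /proc/net/tcp text into connection records; header lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or ":" not in parts[1] or ":" not in parts[2]:
            continue
        local_ip, local_port = _hex_addr(parts[1])
        remote_ip, remote_port = _hex_addr(parts[2])
        records.append({
            "local": f"{local_ip}:{local_port}",
            "remote": f"{remote_ip}:{remote_port}",
            "state": TCP_STATES.get(parts[3].upper(), parts[3]),
        })
    return records


def remote_peers(records: list) -> list:
    """Distinct remote IPs with an ESTABLISHED session: the 'where did they come from' lead."""
    return sorted({r["remote"].rsplit(":", 1)[0] for r in records
                   if r["state"] == "ESTABLISHED"})


def list_processes() -> list:
    """Snapshot running processes (pid, cmdline) from /proc; this is lost on power-off."""
    procs = []
    for p in Path("/proc").iterdir():
        if not p.name.isdigit():
            continue
        try:
            raw = (p / "cmdline").read_bytes()
        except OSError:
            continue  # process exited between listing and read
        procs.append({"pid": int(p.name),
                      "cmdline": raw.replace(b"\0", b" ").decode(errors="replace").strip()})
    return procs


def capture_volatile(out_dir: str) -> dict:
    """Write the volatile snapshot plus a SHA-256 so its integrity can be shown later."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    bundle = {
        "captured_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "connections": parse_proc_net_tcp(Path("/proc/net/tcp").read_text()),
        "processes": list_processes(),
    }
    bundle["suspected_remote_peers"] = remote_peers(bundle["connections"])
    data = json.dumps(bundle, indent=2).encode()
    (out / "volatile.json").write_bytes(data)
    (out / "volatile.json.sha256").write_text(hashlib.sha256(data).hexdigest() + "\n")
    return bundle


def isolate_network(iface: str, execute: bool = False) -> list:
    """Air-gap the host by downing its interface. Returns the command; runs it only if execute=True."""
    cmd = ["ip", "link", "set", iface, "down"]
    if execute:
        subprocess.run(cmd, check=True)  # requires root; host stays powered on
    return cmd


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    sample = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("sample remote peers:", remote_peers(sample))
    # Live run on a Linux host: evidence first, then the (dry-run) isolation command.
    if Path("/proc/net/tcp").exists():
        summary = capture_volatile("/tmp/ir-evidence")
        print("live remote peers:", summary["suspected_remote_peers"])
    print("isolation command (dry run):", " ".join(isolate_network("eth0")))
```

The hash file written next to the snapshot is what lets the responder later show the evidence was captured before the network was touched and has not changed since.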

2. Communication Plan

Who do you call?
- Legal Team (GDPR notifications within 72 hours).
- PR Team (To handle the press).
- Cyber Insurance.
Do NOT use corporate email or Slack to discuss the breach (The hacker might be reading it). Use Signal/Phone.