Best Practice for Effective Cyber Incident Response

By John van Rooyen

Although a cyber-attack can be devastating, the vast majority of organisations are ill-prepared. Even with a good prevention plan and a great security team, breaches do happen. That's why you need to have a good Incident Response Plan in place.

Having worked with numerous organisations across the globe, Dreamlab Technologies’ experts can suggest best practices in incident response regardless of the size, sector or location of your organisation.


Benjamin Franklin supposedly said, “If you fail to plan, you plan to fail”. Your organisation’s plan should identify critical data and infrastructure and describe how your organisation and employees will respond in the event of a cyber incident. The 3-2-1 backup rule will help restore operations in worst-case scenarios: keep at least three copies of your data, store two backup copies on different storage media and keep one of them offsite. Decide beforehand who should be involved and explain their roles and responsibilities. Regularly test your plan to ensure employees still know what to do when an incident occurs. The more prepared you are, the less likely it is that critical mistakes will be made or that your organisation will fail.


In this phase you’ll determine whether your organisation has suffered a breach. A breach, or cyber incident, could originate from many different areas in your organisation. Agree beforehand who should be notified and involved in the identification process.


When a breach is confirmed, your initial instinct might be to securely delete everything. However, that may hurt your organisation in the long run, because you’ll be destroying valuable evidence in your search for where the breach started and how it could be prevented from happening again. It is crucial to quickly suppress the breach and prevent the infection from spreading to other areas in your organisation. If you can, disconnect affected devices and servers from the Internet. Prepare and practise easily deployable suppression strategies for short- and long-term containment.


When you have suppressed the issue, you must find and eliminate the root cause of the breach. You may want to involve Dreamlab Technologies’ cyber security specialists to securely remove all malware, harden your organisation’s security posture, and patch and update your organisation’s systems.


It is important to test the restoration in a staging environment before returning affected systems and devices to your production environment. The objective is to restore systems and operations without opening yourself up to another breach.


Examine the incident by holding debrief meetings with all Incident Response Team members and discuss what you’ve learnt from the data breach. It is important to analyse and document the breach, review the effectiveness of the response plan and identify areas for improvement. Document the lessons learnt from simulations and real events to strengthen your organisation against future attacks.

The planning you do before a security incident occurs will help you to respond quickly and efficiently, so focus on what matters most: having a complete and up-to-date incident response plan and a trained team that understands the chain of command, responsibilities and actions.

Advanced cyber security solutions, such as Honeykube, allow your security team to identify potential attackers and understand how they plan to attack your infrastructure before they have the chance to impact your organisation’s real assets. The opportunity to safely and quietly observe threat actors in action and understand their methods and motivations in advance can help organisations outsmart the enemy when it counts.

Download our Whitepaper to learn more about how Honeykube can help you detect, capture and analyse advanced cyber-attacks in real time with ease, or contact us to learn more about how we can help you with Incident Response and Cyber Security.
