Incident Response: Your Company's ICU

When we are seriously ill, we seek medical care. If the situation is acute and dangerous, we go to the intensive care unit or ICU. The best medical professionals and equipment work there to get us out of danger.

A trip to the ICU is a matter of life or death; mere hours or even minutes can decide the difference. The patient might not even realise how much trouble they are in. But that is why we have doctors and ICU wards.

There is a direct parallel in cybersecurity called incident response. This practice, IR in security jargon, steps up when an organisation detects a system breach. The signs, the indicators of compromise, may seem small: a failed login to an Active Directory administrator account, or unfamiliar IP addresses appearing in the logs. But like doctors evaluating symptoms, security IR experts know these are signs of potential cybercrime activity.

If the right symptoms appear, it's time for action. In cybersecurity, this means activating your incident response plan. Scan computer systems, contain threats, inform stakeholders, and get the business out of danger. The objective of an ICU is to keep you alive, not to get you home tomorrow.

That's what happens during incident response. The IR team enters the war room to stabilise the company's condition and recover from damage.

IR is complicated. It applies specialised skills to track and uncover a breach and isolate the attackers. Think of cybercriminals as a viral infection: they will try to spread quickly through the environment while undermining the company's defences. They are as worried about being removed as about being exposed, which makes IR a very intense and demanding event.

Imagine a patient with multiple injuries. You may not know what those injuries are. You may not know if there's internal bleeding, if a limb is gone, or whether they've got a brain injury. Yet you know that the patient could die if you do not deal with the situation right now.

The same applies to incident response. What was the attack? Is it ransomware? Industrial espionage? Business email compromise? How did the attackers get in? How are they staging the attacks? What are they after? What should you be protecting? IR specialists look for indicators of compromise and then help choose the necessary steps towards containment and recovery.
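To make the "looking for indicators of compromise" step concrete, here is an added example (not Performanta's tooling and not code from this page) that triages a small authentication log for two of the signs mentioned above: logon attempts against an administrator account from an unknown network, and a burst of failed logons followed by a success. The log format, the account names, the "known" network range and the thresholds are all assumptions chosen for illustration; the log lines are constructed sample data.

```python
"""Triage failed-logon indicators in a constructed authentication log.

Added example, not the page's or Performanta's own code. The log format
("<timestamp> <OK|FAIL> user=<name> src=<ip>") is invented for this
illustration; real sources (e.g. Windows Security events, syslog) would
need their own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=jsmith src=10.0.0.15
2024-03-01T09:00:03Z OK user=jsmith src=10.0.0.15
2024-03-01T22:14:07Z FAIL user=Administrator src=203.0.113.44
2024-03-01T22:14:09Z FAIL user=Administrator src=203.0.113.44
2024-03-01T22:14:12Z FAIL user=Administrator src=203.0.113.44
2024-03-01T22:14:20Z OK user=Administrator src=203.0.113.44
2024-03-02T08:30:00Z OK user=svc_backup src=10.0.0.20
"""

# Assumptions: which accounts count as administrative, which source
# networks are "known", and how many failures in a window are suspicious.
ADMIN_ACCOUNTS = {"Administrator", "da_ops"}
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": ipaddress.ip_address(src_kv.split("=", 1)[1]),
    }


def is_known_source(ip):
    return any(ip in net for net in KNOWN_NETWORKS)


def find_indicators(log_text):
    """Return a list of (kind, user, src) tuples worth an analyst's attention."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    indicators = []

    # Indicator 1: any attempt against an admin account from an unknown
    # network, whether it failed or succeeded. Report each pair once.
    seen = set()
    for e in events:
        if e["user"] in ADMIN_ACCOUNTS and not is_known_source(e["src"]):
            key = ("admin_from_unknown_source", e["user"], str(e["src"]))
            if key not in seen:
                seen.add(key)
                indicators.append(key)

    # Indicator 2: FAIL_THRESHOLD failures within WINDOW for one
    # (user, source) pair. If a success follows within WINDOW of the last
    # failure, flag it as a brute force that worked; otherwise as a burst.
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["user"], str(e["src"]))].append(e)
    for (user, src), evs in by_pair.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            first, last = fails[i]["ts"], fails[i + FAIL_THRESHOLD - 1]["ts"]
            if last - first <= WINDOW:
                success_after = any(
                    e["result"] == "OK" and last <= e["ts"] <= last + WINDOW
                    for e in evs
                )
                kind = "failures_then_success" if success_after else "failure_burst"
                indicators.append((kind, user, src))
                break  # one finding per pair is enough for triage
    return indicators


if __name__ == "__main__":
    for kind, user, src in find_indicators(SAMPLE_LOG):
        print(f"{kind}: user={user} src={src}")
```

Run as a script, it reports the Administrator account being hit from 203.0.113.44 (an address outside the assumed known range) and the three failures followed by a success from that same address, while the single failed logon by jsmith from an internal address stays quiet. The point is that each indicator on its own is small; the IR team's job is to correlate them and decide whether containment is warranted.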

Once the ICU removes the danger, the patient can move to a high-care ward for long-term recovery and strengthening. But if things go wrong, they might stay in the ICU, hooked up to life support.

A breach is the same. Even with a proper incident response, it can take months to remove all traces of the attackers. Without a sufficient response, the damage can last years: the cost of the breach rises dramatically as it affects more of the business, and even after the attackers have been isolated and stopped, the effects linger.

There are far more options when the IR team can do its job. Once we know the business environment is stabilised, we shift into rehabilitation: restoring data from backups that have been verified as clean, applying patches, closing the weaknesses the investigation uncovered, and monitoring the patient's health closely for any sign that the attackers are back.

Few companies maintain in-house incident response teams due to their cost and complexity. Security experts such as Performanta help get companies off life support quickly and accelerate their remediation and rehabilitation steps. Speed and efficiency are critical: they strengthen security and reduce costs, lowering the long-term fallout of a breach.

That is the purpose of a proper Incident Response partner. We help plan, coordinate and deliver responses to breach incidents, recruiting from our partner networks for maximum effect. Nobody goes into the ICU and takes care of themselves. They rely on a team of skilled professionals to get them out of danger.

Without that team, they might survive. But what state will they be in? Will their full health return? That is very unlikely. The consequences of an untreated breach are the same. But with the proper response and treatment, a full recovery is within reach. So, don't neglect your Incident Response strategy. It's a healthcare policy for your business.

