A 6-Step Network Security Breach Response Plan

Unfortunately, there’s no such thing as 100% foolproof cybersecurity. Last month, we walked readers through 5 steps to implement a solid, multi-layered NIST-compliant security protocol. Many businesses right now are solid as far as the first 3 steps are concerned: Identify, Protect and Detect. But what about the fourth step: Respond?

Even the best network security systems fail: the EternalBlue exploit was stolen straight from the NSA. What do you do when you’re faced with a computer security breach? Who are you going to call? Ghostbusters? You need a plan to mitigate the impact of the breach and prevent further breaches from taking place. In this article, we’ll guide you through the 6 Steps of Incident Response according to the SANS Institute, from preparation to recovery and beyond.


The preparation stage is about ensuring your organization is ready to respond when a breach occurs. Poor preparation and planning can waste valuable time in the initial minutes and hours right after a breach and hamper mitigation and recovery efforts.

Know your weaknesses
It’s important to identify weaknesses in your cyber defenses. A cybersecurity risk audit is an important first step in preparation. This can help you identify gaps in your existing security strategy as well as prioritize which assets need the most protection.

Build a team and a clear plan of action
Often, cybersecurity audits identify your team’s readiness as a critical risk factor. During preparation, you need to ensure that your network security team is made up of qualified individuals who have access to all the hardware and software solutions they need to effectively protect your critical assets.

During the preparation stage, you’ll also want to draft a clear plan of action, detailing the processes to be set in action, each team member’s role and the chain of communication.


The identification stage focuses on your network security team’s ability to spot abnormal activity and correctly identify a breach or potential threat before it’s too late.

Identification serves 2 key functions: to clearly understand the threat you’re dealing with and to prepare a dossier that can help the authorities investigate and prosecute the cybercriminal responsible, once the dust settles.

Layer up your threat detection
It’s important to rely on multiple levels of threat detection for optimal identification. This includes automated threat detection with heuristic analysis and a 24x7 eye-on-the-glass team.


When a breach has been positively identified, your network security team’s responsibility shifts to containment. This means mitigating the impact of the breach, limiting its spread and stabilizing your network and systems before you eradicate the threat. There are 2 main approaches to containment, short and long-term. Your team will need to make use of both, depending on the situation.

Cutting off access with short-term containment
Short-term containment is similar to emergency amputation – it’s messy and brutal, but gets the job done in the here and now. The aim of short-term containment is to physically limit the spread of an attack. This can be accomplished by taking down servers or isolating affected segments of the network. During the global NotPetya attack last year, cybersecurity companies advised businesses to take down servers and connected devices. This short-term containment strategy mitigated losses that could’ve otherwise amounted to millions of dollars.

Cauterizing your network with long-term containment
Long-term containment is only long-term in the context of the computer security hack. Once you’ve cut off access to affected parts of your network, you get time to apply temporary fixes, to rebuild VMs and set up systems for thorough cleaning.

During the long-term containment stage, you also have a chance to triage assets: to keep affected systems down while booting and connecting unaffected assets to enable some measure of continuity.

Be prepared with cryptocurrency for ransomware demands
If you’re dealing with a ransomware attack, chances are you’ll be offered your data and assets back in exchange for money. The problem is that cybercriminals generally demand payment in the form of cryptocurrencies. While Bitcoin is the best-known cryptocurrency, the threat actor might demand payment in Ethereum, Litecoin or less-known cryptocurrencies. How do you stay prepared so you can respond to a cryptocurrency demand on time?

Set up a Bitcoin wallet and fill it up with an emergency Bitcoin reserve
Whether or not cybercriminals demand Bitcoin specifically during a ransomware attack, it’s a good idea to maintain a Bitcoin reserve, just in case. Why is this? Because other cryptocurrencies are easily exchangeable with Bitcoin. Trading Bitcoin for other cryptocurrencies is a lot faster and easier than getting hold of Bitcoin initially.

To set up your Bitcoin reserve, you’ll want to

  1. Download a Bitcoin wallet app
    Either on a PC, Mac or a trusted iOS or Android device that’s isolated from the external network
  2. Configure your wallet
    Then you’ll have a unique Bitcoin address associated with it
  3. Sign up to a public Bitcoin exchange
    For example, Coinbase
  4. Complete a simple KYC procedure
    KYC is a process of verifying your identity – it stands for “Know Your Customer”
  5. Exchange your cash for Bitcoin
    We recommend you set aside a few thousand dollars for your Bitcoin reserve to ensure you’re prepared for a ransomware demand


Once you’ve contained the breach and prevented its further spread, it’s time to eradicate the malicious code on your affected assets.

Root cause analysis
The data collected during the identification stage is critical. Your cybersecurity analyst needs to leverage this information to assess the root cause of the breach. Are you dealing with a particular strain of ransomware? Were foreign state actors probing your network? Was it a run-of-the-mill that someone downloaded from a pop up?

Rectify vulnerabilities
Once you know exactly what caused the breach, you need to take action and eradicate the threat on affected assets. At this point, you’ll also want to address the weaknesses in your system that made the breach possible. Did the attack exploit a known vulnerability? You need to patch it. Did the attack take advantage of poor authentication methods? Consider replacing passwords with passphrases and implementing 2 Factor Authentication (2FA) or Multifactor Authentication (MFA), if you haven’t already done so.


The recovery stage focuses on getting your business back on its feet. Your network security team connects machines back to the network once they’ve been thoroughly cleaned, enabling your business to function again. The team will need to carefully monitor your network to ensure that the threat has, in fact, been eradicated.

Data recovery
During this stage, the team will perform data recovery processes. It’s important to prepare a data recovery plan beforehand to ensure that the recovery process goes smoothly. This includes deciding on exactly what data is going to be backed up and which backup to recover from.


This needs to be done as soon after the event as possible. Your team will take care of any additional pending documentation. You’ll also do a thorough analysis of your computer security response to identify strengths and weaknesses in your team’s approach.

The Lessons Learned phase helps to iterate and improve on your response capabilities. The lessons you learned from a breach act as a starting point for a new planning phase.


It’s OK! Every organization responds differently to a network security hack. There isn’t a “right” or “wrong” way to handle a cyberattack. There is, however, a better way. By following these 6 steps and building your information security strategy in alignment with the NIST framework, you can substantially mitigate the impact of a computer security breach when you’re faced with one.

At Arnet Technologies, we develop comprehensive security strategies that align with your goals while remaining cost effective. Reach out to us today for a free cybersecurity assessment. We aren’t the Ghostbusters. But, we’re definitely who you wanna call (1-888-487-0720) to prepare for an information security breach!

3 Essential Types Of Cybersecurity Your Business Must HaveCLICK HERE!
+ +