The five Ws (and one H) of effective incident response

When a serious data breach hits the headlines, the media usually focuses only on the number of stolen user profiles or the volume of information leaked. Professional incident responders must take a far more detailed view of these incidents, learning as much as they can with the goal of dealing with the breach swiftly and advising on how best to improve security practices.

But while all security professionals would love to stop every breach, every time, the reality is that a novel hacking technique, an extremely persistent attacker, a system misconfiguration or just good timing will stack the odds against you.

The effectiveness of your incident response team, tools, and processes will dictate how serious the repercussions of an attack are. In the wake of a breach (i.e. someone got in and was able to get something out) or attack (i.e. someone tried to get in, or did get in, but nothing was taken), it is important to analyse each and every step of the incident in a consistent manner. To start this process, an incident responder should ask six questions in order to establish the key facts:


Who?

If you can understand the mindset of the person attacking you, you stand a better chance of defending yourself next time. A good place to start your breach analysis is to consider who was behind the attack. With this knowledge, you will be able to build a better picture of the entire incident.

Also, the tactics and targets of a lone cyber criminal will differ greatly from those of state-sponsored attackers, which will in turn differ from those of hacktivists.


What?

There are a myriad of different attack techniques that target different weaknesses, so it is important to pinpoint exactly what caused the incident. Defacing web sites has fallen out of fashion, in favour of ransomware and data theft.

DDoS attacks that either directly target a company’s digital infrastructure or indirectly target its service providers are also a growing concern. More recently, attackers have also started to implement mass data destruction attacks, which can seriously damage a business.


When?

Understanding the timing is all part of building a better picture of the incident. There are no holidays in the global hacking community, though particularly savvy attackers may purposely engage in a cyberattack during national holiday periods, when they know security personnel could be short-staffed and on low alert. Timing is also an important factor to consider if you do need to notify business partners and customers that their data has been compromised.


Where?

Arguably the most important question to answer following an attack or breach is where it was targeted. This will involve an in-depth review of your entire attack surface; consider your network, your remote workers, your partners, your suppliers, and even whether an infected USB stick could be to blame.

Today, the most common entry point is email, for which hackers craft phishing attacks to target the weakest link in the security chain, the end user.


Why?

The motive of an attack is an important piece of information for any external announcements that might need to be made. Having these details is also very helpful when it comes to justifying your incident response plan or recommendations for additional security spending to company executives.

For the most part, financial motive is still the top reason for attacks against companies; even state-sponsored attacks are financially driven in some sense. It may cost years and millions of pounds to develop the intellectual property and customer base that can be stolen in mere hours.


How?

In order to effectively remediate, you need to create a detailed step-by-step outline of exactly how the hacker attacked or breached your company. The tactics are evolving and some of the old tricks are making a comeback.

Making matters worse, the black market for toolkits and 'hackers for hire' means that anyone can buy the technical savvy they need. Disgruntled employees, lost or stolen devices, and unintentional sharing of sensitive information are other possible causes of an attack.

Preparation is key

Having a solid plan prior to a security event is paramount. In the heat of the moment, mistakes can be made, even with breach simulations and the most talented incident response team.

The first part of a good incident response plan will focus on answering these six critical questions, thereby limiting any emotion-driven actions and allowing for a quick and effective remediation.

Sourced from Tim Bandos, Director of Cybersecurity, Digital Guardian

Ben Rossi