FireEye Stories

The Power of a Good Plan

Attacker tactics, techniques and procedures may not have changed dramatically over the last year, but global trends continue to evolve, leaving organizations at risk. Fortunately, as we shared in our latest M-Trends report, organizations are detecting incidents more quickly than ever before. Yet there is still more work to be done; a recent FireEye Mandiant study of over 100 enterprise organizations revealed that security tools and processes had not detected or prevented 53 percent of attacks. It truly is a matter of when, not if—attackers are getting through unnoticed and that means anything from data compromise to business disruption or even worse.

Repairing systems and data following a breach delays business recovery. Without an effective incident response plan to shut down a successful cyber attack and manage the repercussions, bouncing back to business normalcy becomes rather difficult.

Be Prepared: Planning Your Attack Response 

Understanding how secure a business is today and the different types of attacks the organization may face is critical to the overall effectiveness of any security program. Organizations should first use cyber threat intelligence to understand the characteristics of cyber attacks on their specific industry, including attacker behaviors, techniques and motives. Teams can then use this information to develop scenarios that test how defenses will perform against real-world attacks. The results of these tests will provide many details on how an attack and breach would actually play out, paving the way for an informed and robust response plan. 

Mandiant incident responders have been on the front lines of the most complex security breaches worldwide, helping clients investigate and remediate successful attacks so they can resume normal business operations. Their typical response plan consists of six steps: 

  1. Deploying technology that can investigate indicators of compromise and identify attacker activity 

  2. Planning crisis management with executives, legal teams and senior security personnel 

  3. Monitoring attacker activity in real time and searching for any past attacker activity 

  4. Analyzing all actions taken by the attacker to establish the extent of the compromise 

  5. Assessing damage to all systems, facilities, applications and data 

  6. Developing a custom containment and remediation strategy that eliminates attacker access and improves the client’s overall security posture 
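Steps 1, 3 and 4 above come down to one concrete activity: sweeping the evidence you already have for known indicators, then working out which hosts were touched and when. The script below is an added illustration of that sweep and is not Mandiant's tooling or any code from this post. The indicator values (a TEST-NET-3 address, a made-up domain, a placeholder hash), the log format and the log lines are all constructed for the example; the timestamps are ISO 8601 UTC so plain string comparison gives chronological order.

```python
"""Sweep log lines for indicators of compromise and scope the affected hosts.

Added example, not Mandiant's tooling. Indicators, log format and log lines
are constructed; the IP is from the TEST-NET-3 documentation range and the
hash is a placeholder, not a real malware hash.
"""
import re
from collections import defaultdict

# Constructed indicator list, keyed by indicator type (hypothetical values).
PLACEHOLDER_HASH = "a" * 64
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-cdn.example"},
    "sha256": {PLACEHOLDER_HASH},
}

# Which key=value fields in our (constructed) log format carry which indicator type.
IOC_KEY_TYPES = {"dst": "ip", "src": "ip", "query": "domain", "sha256": "sha256"}

# Constructed log format: "<iso-timestamp> <host> <event> key=value ...".
SAMPLE_LOGS = [
    "2024-05-01T08:12:03Z ws-017 dns query=update-cdn.example",
    "2024-05-01T08:12:04Z ws-017 net dst=203.0.113.45 dport=443",
    f"2024-05-01T08:20:11Z ws-017 proc sha256={PLACEHOLDER_HASH} name=svchost.exe",
    "2024-05-01T09:02:45Z srv-db01 net dst=203.0.113.45 dport=443",
    "2024-05-01T09:15:00Z ws-022 dns query=intranet.corp.example",
    "## corrupted",  # a line that does not fit the format must not crash the sweep
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<rest>.*)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for lines we cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return {"ts": m["ts"], "host": m["host"], "event": m["event"], "fields": fields}


def sweep(lines, iocs):
    """Return every (timestamp, host, ioc_type, value) hit across the log lines.

    Matching is case-insensitive and only looks at fields that can carry an
    indicator of that type, so a port number never collides with an IP list.
    """
    matches = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for key, value in rec["fields"].items():
            ioc_type = IOC_KEY_TYPES.get(key)
            if ioc_type and value.lower() in iocs.get(ioc_type, set()):
                matches.append((rec["ts"], rec["host"], ioc_type, value.lower()))
    return matches


def scope(matches):
    """Collapse hits into per-host extent: first/last sighting and indicator set.

    Hosts come back ordered by first sighting, which is the order an analyst
    works them to reconstruct how the attacker moved through the environment.
    """
    hosts = defaultdict(lambda: {"first": None, "last": None, "iocs": set()})
    for ts, host, ioc_type, value in matches:
        h = hosts[host]
        if h["first"] is None or ts < h["first"]:
            h["first"] = ts
        if h["last"] is None or ts > h["last"]:
            h["last"] = ts
        h["iocs"].add(f"{ioc_type}:{value}")
    return dict(sorted(hosts.items(), key=lambda kv: kv[1]["first"]))


if __name__ == "__main__":
    for host, info in scope(sweep(SAMPLE_LOGS, IOCS)).items():
        print(f"{host}: {info['first']} .. {info['last']} {sorted(info['iocs'])}")
```

On the constructed input the sweep yields four hits on two hosts; ws-017 is first seen at 08:12:03Z (the DNS lookup that precedes the connection and the binary execution), srv-db01 follows at 09:02:45Z, and ws-022 never appears because its DNS query matches nothing. The same two functions run unchanged over historical logs, which is how step 3's search for past activity is done in practice.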

Develop a Comprehensive Response Plan  

To better support this plan and a speedier recovery from incidents, organizations should consider alternative working processes for when IT goes down, as well as strong crisis management and communications processes for internal and external services. 

Response plans help the organization develop best practices that can swiftly be deployed when needed. They are more effective when cyber security incident response teams (CSIRT) and business continuity management (BCM) personnel combine efforts to resume normal operations and reduce the financial impact of a cyber attack. In a joint relationship, these groups can learn from one another, align efforts and evaluate their organization’s ability to respond effectively to advanced attacks through a continual review cycle. This is not only necessary, but will help ensure the organization experiences minimal business disruption.   

If an attack is successful, the crisis management team should be contacted immediately. The breach may not be classified as a disaster, but the crisis management team needs to lead remediation efforts and record activities. Record keeping and monitoring are essential to enabling the activation of contingency plans, and they allow the team to escalate the severity of the breach as needed once the impact of the incident has been verified. 


Following the response to any cyber attack, there is a stand-down phase. After the crisis is declared over, there are three main practices to apply: 

  1. Mop-up operations: Reconciliation of new data and security updates into the cleansed environment, as well as reporting, insurance claims and continuing communications with suppliers, partners and customers 

  2. Post-mortem: A review of the response and recovery processes with identification and documentation of lessons learned to improve future security posture  

  3. An update of response and recovery strategies  

It can take months to complete the stand-down phase and resume normal operations, and any legal proceedings will likely prolong the process. 

A response and recovery strategy is vital to safeguard an organization from the devastating damage caused by successful cyber attacks. While every organization hopes these plans are rarely or never used, the pace and scale of security incidents puts all organizations at risk. Using front-line, real-world and timely threat intelligence, modern defenses and holistic strategies will offer the best possible chance of coming through a security breach relatively unscathed. These strategies, however, must be continually validated and tested to ensure they are relevant, robust and applicable.  

And for more information on how to prepare an incident response plan, visit our Mandiant Services page.