The Cyber Blog Times

How to React to a Cyber Incident?

by Excellium SA

Welcome back to our second article from The Cyber Blog Times addressing cyber incidents.

If you have missed our first article, catch up and find the rules right here.

Ready? Grab your glasses, help yourself to a cup of coffee and let’s nail this month’s reading.

What is a Cyber Incident?

Let’s begin at the beginning, what is a cyber incident? According to NIST, a cyber incident refers to: “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”

When dealing with a cybersecurity incident, the organization must be able to react quickly and appropriately. In other words, it is crucial to decide beforehand how to handle certain situations rather than waiting until the first confrontation during an incident. You need to develop a strategy to limit damage, reduce costs and recovery time, as well as communicate with internal and external stakeholders.

The cyber incident response lifecycle

In this section, we are going to discuss the incident response lifecycle. But first, what is this exactly? It is your organization’s step-by-step framework for identifying and reacting to a service outage or security threat.

[Figure: Cyber incident life cycle schema]

Phase 1: Preparation

First comes preparation. This phase covers the work an organization does to be ready for incident response, including putting the right tools and resources in place and training the team. It also includes the work done to prevent incidents from occurring in the first place.

Some of the important points for the preparation phase are:

  • Develop a response plan in case of a cybersecurity incident and update it regularly.
  • Identify your assets and potential threats.
  • Assign responsibilities and create a team to lead the cybersecurity incident response.
  • Work with external experts that are specialized in cybersecurity incidents.

Phase 2: Cyber incident detection & analysis

Second, we have to monitor security events in order to detect, alert on, and report potential security incidents.

  • Monitor security events in your environment using firewalls, intrusion prevention systems, and data loss prevention.
  • Detect potential security incidents by correlating alerts within a SIEM solution.
  • Analysts create an incident ticket, document initial findings, and assign an initial incident classification.
  • The reporting process should include accommodation for regulatory reporting escalations.
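The detection and analysis steps above can be illustrated in code. The following is an added example, not Excellium's or CERT-XLM's tooling: it correlates constructed alerts from the three sources the article names (firewall, IPS, DLP) per host inside a time window, then opens an incident ticket with initial findings, an initial classification and a flag for regulatory escalation. The 15-minute window and the severity rules are assumptions.

```python
"""Added example: SIEM-style alert correlation and initial incident ticketing.
The sample alerts, the 15-minute window and the classification rules are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts as a SIEM might ingest them: (source, timestamp, host, detail).
SAMPLE_ALERTS = [
    ("firewall", "2024-03-01T10:00:05", "ws-042", "outbound 203.0.113.9:443 allowed"),
    ("ips",      "2024-03-01T10:02:10", "ws-042", "C2 beacon signature matched"),
    ("dlp",      "2024-03-01T10:04:30", "ws-042", "customer PII upload blocked"),
    ("firewall", "2024-03-01T11:30:00", "srv-07", "port scan from 198.51.100.4"),
    ("ips",      "2024-03-01T10:40:00", "ws-042", "C2 beacon signature matched"),
]

def correlate(alerts, window=timedelta(minutes=15)):
    """Group alerts per host; an alert joins the current group while it falls
    within `window` of that group's first alert, otherwise a new group starts."""
    by_host = defaultdict(list)
    for src, ts, host, detail in sorted(alerts, key=lambda a: a[1]):
        by_host[host].append((src, datetime.fromisoformat(ts), detail))
    groups = []
    for host, events in by_host.items():
        current = []
        for ev in events:
            if current and ev[1] - current[0][1] > window:
                groups.append((host, current))
                current = []
            current.append(ev)
        groups.append((host, current))
    return groups

def classify(sources):
    """Initial classification from which sensors fired (assumed rules).
    Returns (classification, regulatory_escalation_required)."""
    if "dlp" in sources and "ips" in sources:
        return "P1 - suspected data breach", True   # data loss: regulatory reporting path
    if "ips" in sources:
        return "P2 - intrusion attempt", False
    return "P3 - informational", False

def open_tickets(alerts):
    """Create one ticket per correlated group, documenting initial findings."""
    tickets = []
    for host, events in correlate(alerts):
        classification, escalate = classify({src for src, _, _ in events})
        tickets.append({"host": host, "classification": classification,
                        "regulatory_escalation": escalate,
                        "findings": [f"{t.isoformat()} {s}: {d}" for s, t, d in events]})
    return tickets
```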

Phase 3: Containment, Eradication, Recovery

Third, we have to keep the impact of the incident as small as possible and mitigate service disruptions.

Phase 4: Post-Incident Activity

Finally, learning and improving after an incident is one of the most important parts of incident response, yet it is too often ignored. In this phase, the incident and the incident response efforts are analyzed. The goals are to limit the chances of the incident happening again and to identify ways of improving future incident response activity.

Cyber incident challenges

Organizations face daily attempts to gain access to their data or systems. This calls for a new form of expertise, which needs to be deployed across the different teams in order to:

  • Manage intrusions and security incidents.
  • Neutralize or contain the attack.
  • Develop an intrusion response plan.
  • Gather information on discovered malicious files.
  • Assess the controls in place.
  • Evaluate the damage.
  • Preserve evidence.
  • Train teams in incident handling.
  • Stop data leakage.

CERT-XLM: Computer Security Incident Response Team of Excellium Services

A Computer Security Incident Response Team is a bit like the fire brigade, except that instead of putting out fires it helps organizations contain, neutralize, and eradicate intrusions. Just as fire drills help save lives if a real fire strikes, careful preparation makes it easier to detect, handle and mitigate actual intrusions.

With the expertise of CERT-XLM, you can react in real time to security incidents. Not to mention that the networking and data intelligence of CERT-XLM also help you drastically improve your threat monitoring.

The Excellium CSIRT helps organizations respond efficiently to IT incidents by providing the following services:

  • Help customers with incident handling.
  • Malware analysis (Windows, Unix & Mobile).
  • Prepare and evaluate your incident response plan.
  • Forensic Investigations.
  • Malicious document analysis.
  • Breach analysis.
  • CERT collaboration and intelligence sharing.
  • Server “takedown”.

Security Skills:

CERT-XLM is composed of highly experienced security experts who can handle sophisticated attacks and threats.

CERT-XLM gathers, aggregates, integrates, and analyses intelligence feeds. Furthermore, CERT-XLM also develops tools to identify threats to your infrastructure.

Regarding networking, CERT-XLM is a member of the CERT.LU initiative and an accredited member of Trusted Introducer.

CERT-XLM, as part of Excellium, has held PSF accreditation since 2016.

Ready to play?

Last but not least, our cyber quiz!

In your opinion, a takedown is…

  • the removal of a website, web page, or file from the internet.
  • related to malicious file analysis.
  • a support for organizations to decrease the number of threats.
  • a way to keep evidence in case of forensic investigation.

Send us your answer here and get the chance to win the final award.

Did you like the article? Feel free to let us know by sharing the word online: #TheCyberBlogTimes

Alaaedine CHATRI,