Incident Response Plan – Part 2

Be Structured Los Angeles IT Security
This entry was posted in Security.

The Risks and Needs Associated with Going Offline

When a business or corporation is hit by a cyber-attack, one of the first questions asked is how much of the IT infrastructure has been damaged, and whether the attacker is still lurking around trying to infect other systems. It is in these moments that the thought of shutting down the entire IT infrastructure, or just parts of it, in order to prevent further damage comes to mind.

While this might be a tempting option, there are risks inherent in doing so, as it is one of the most drastic measures available. Information and data might be lost that can never be recovered.

Or, if the software development team is working on a mission-critical application for a customer, source code could be lost, resulting in further delays. In other words, a complete shutdown would have a detrimental impact not only on the organization, but on its customers as well.

A direct shutdown can also mean that forensic evidence is lost, impeding any subsequent investigation. This is not a decision to be taken lightly, yet sometimes it has to be made in a matter of minutes.

If the IT staff determine that the situation can be quickly patched and no sensitive data has been impacted, there is no need to go offline.

But this is not the only scenario to take into consideration. Others can be identified simply by observing the server logs. For example, if it is discovered that a cyber attacker is still attempting to gain access to one particular network component of the IT infrastructure, then a partial shutdown of that component is warranted.

There are also instances where a complete shutdown is needed. For instance, if the cyber-attack involved malware or worms, these can spread very quickly to other systems and bring an organization to its knees. To prevent this, the decision may be made quickly to go completely offline so that the malware or worms cannot cause further damage by spreading.

Thus, determining which systems and processes need to be shut down or brought offline is also a direct function of their importance to the business. This is best ascertained by conducting a Business Impact Analysis, also known as a "BIA".

This document helps to quantify the importance of the IT assets, what they are used for, and the impact on the business if they are brought offline. The BIA can then be used to decide whether an impacted area can be protected while a patch is quickly developed, or whether it is better to take that area partially or completely offline.

It is important to note that this decision is a combination of considering both quantitative and qualitative variables, and there is no hard and fast rule for making it.
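The decision logic above (patch in place, partial shutdown, or full shutdown, weighed against the BIA impact of taking an asset offline) can be sketched as a small decision-support script. This is an added example, not code from the original post; the asset list, impact scores, dependency links, the `max_offline_impact` threshold and the observations are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    bia_impact: int                      # 1 (low) .. 5 (mission critical), taken from the BIA
    depends_on: list = field(default_factory=list)

@dataclass
class Observation:
    asset: str
    attacker_active: bool = False        # attacker still trying to reach this component
    sensitive_data_hit: bool = False     # sensitive data confirmed impacted
    self_propagating: bool = False       # worm-style malware that spreads on its own

def offline_impact(name, assets):
    """BIA cost of taking `name` offline: its own score plus everything that
    (transitively) depends on it, since those assets go down with it."""
    total, seen, stack = 0, set(), [name]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        total += assets[cur].bia_impact
        stack.extend(a.name for a in assets.values() if cur in a.depends_on)
    return total

def recommend(observations, assets, max_offline_impact=6):
    """Map each observed asset to a containment action. A self-propagating
    threat overrides everything else: that is the full-shutdown case."""
    if any(o.self_propagating for o in observations):
        return {n: "full-shutdown" for n in assets}
    plan = {}
    for o in observations:
        if not (o.attacker_active or o.sensitive_data_hit):
            plan[o.asset] = "patch-in-place"          # no need to go offline
        elif offline_impact(o.asset, assets) <= max_offline_impact:
            plan[o.asset] = "partial-shutdown"        # cheap enough to isolate (capture evidence first)
        else:
            plan[o.asset] = "protect-and-patch"       # too costly to drop; shield it while patching
    return plan

# Constructed sample data (hypothetical, not from the post)
ASSETS = {a.name: a for a in [
    Asset("db", 5), Asset("app", 4, ["db"]), Asset("mail", 2), Asset("hr-share", 3)]}
OBS = [Observation("mail", attacker_active=True),
       Observation("db", sensitive_data_hit=True),
       Observation("hr-share")]

if __name__ == "__main__":
    for asset, action in recommend(OBS, ASSETS).items():
        print(f"{asset:9} -> {action}")
```

The threshold is the quantitative side of the decision; the qualitative judgement the post describes still has to be applied by the people on call.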

If your organization is in the crosshairs of a cyber attacker, you have to act quickly to confirm your suspicions. If you are indeed about to be hit, you have to respond in order to mitigate the threat before it causes widespread damage. We examine this in more detail in our next blog.