Back | Blog

Best practices in the event of an intrusion into an information system

In the event of an intrusion on an information system, a swift response is crucial. First, assess the incident to identify its origin and impact. Then, implement containment measures (network shutdown

Written by Ballpoint June 12, 2025 Good Practices
Tags - #vulnerabilities
Best practices in the event of an intrusion into an information system

Information systems are key elements in managing and protecting an organization’s data. However, despite security measures in place, preventing all intrusions is impossible. In the event of an attack, every second counts, and it is crucial to react quickly and effectively to minimize damage. This article guides you through the best practices to adopt when an intrusion is detected, helping to protect your data and reduce the impact on your organization.

1 - Assess the Detection or Report

The incident management process begins with assessing the intrusion. This involves understanding the exact nature of the incident, its origin, and potential impact. This step is crucial, as a poorly directed response could worsen the situation.

Observing the Findings

When an intrusion is suspected, gathering information from multiple sources is essential to confirm or rule out the attack.

  • Security Detections and Systems:
    Security tools such as Security Information and Event Management (SIEM) systems, log files, antivirus software, and Endpoint Detection and Response (EDR/xDR) solutions play a key role in early intrusion detection. It is essential to review alerts from these tools to identify any suspicious activity. Logs should be carefully analyzed to detect anomalies in the systems.

  • IT Malfunctions:
    The assessment starts by examining IT infrastructure malfunctions. This includes detecting service or machine shutdowns, missing or unreadable files, and disruptions in critical applications. These anomalies are important indicators of an intrusion and help determine the extent of the attack.

  • Business Disruptions:
    Business teams should be consulted to evaluate the impact of observed malfunctions. If business applications or processes are affected, it is crucial to understand how they disrupt company operations.

Identifying the Source and Scope of the Incident

Once anomalies are identified, it is imperative to trace the source of the incident and determine its scope. This helps establish whether the attack is localized or has spread to other systems and applications. Key questions to ask include:

  • Do separate systems show anomalies, and are they interconnected?
  • How might the attack have spread from one subsystem to another?
  • What is the exposure level of the affected systems?

This step provides a clear overview of the incident, facilitating an effective response.

2 - Respond Effectively

Once the incident has been qualified, it's time to respond. The speed of reaction is crucial to minimizing the impact of the intrusion.

Decide: Summarizing Information for Decision-Makers

The first step in responding is to synthesize the collected information to provide decision-makers with a clear and concise overview of the situation. This summary should include:

  • The type of attack detected.
  • The affected systems and processes.
  • Initial hypotheses regarding the extent of the incident.

Decision-makers must be alerted immediately so they can take the necessary measures and initiate the incident response.

Act: Implementing Initial Containment Measures

Urgent actions must be taken to limit the spread of the attack and contain the incident. These measures may include:

  • Network shutdowns and remote access blocking:
    In some cases, disconnecting from the network can prevent further propagation of the attack. It may also be necessary to disable remote access to prevent the attacker from taking control of the system.

  • Securing backups:
    Protecting sensitive data is crucial, which means securing critical backups. If the incident could impact data availability, backup copies should be created and stored securely.

Preserve Evidence: Collecting Digital Traces

Another immediate priority is preserving traces of the attack. This includes securing system logs and records, which provide essential information for analyzing the incident and conducting further investigations. Key actions include:

  • Making copies of logs and sensitive data on isolated storage to prevent tampering.
  • Extending log retention periods to ensure data is preserved beyond standard storage cycles.

Mobilize Internal and External Teams

Internal teams (IT security, IT department, human resources) must be informed immediately to coordinate actions. Depending on the severity of the incident, external cybersecurity experts may need to be engaged. Clear communication is essential to prevent confusion and effectively manage resources in a crisis situation.

3 - Get help

When an incident becomes too complex or exceeds internal capabilities, it is crucial to call on external experts.

Specialized Services:

Incident response providers can be contacted to analyze the situation, provide technical support, and propose tailored solutions. For small businesses, the Cyber Malveillance registry offers certified providers, while larger organizations can seek assistance from specialized incident response firms.

Authorities:

In the event of a major incident, CERT-FR (the French government’s Computer Emergency Response Team) can be contacted to coordinate response actions. It provides support for incidents affecting systems of national importance, such as critical infrastructure or sensitive data.

Authorities must also be informed as soon as there is a suspicion of a personal data breach. The CNIL (Commission Nationale de l'Informatique et des Libertés) requires prompt notification if personal information has been compromised.

4 - Declaration of legal obligations

In the event of an incident, legal and contractual steps must be taken to comply with current obligations.

ANSSI and Other Competent Authorities

Essential service and critical infrastructure operators must report the incident to ANSSI. This declaration allows the authorities to be informed of the incident and implement coordinated response measures.

Filing a Complaint and Reporting to the CNIL

It is highly recommended to file a complaint with the relevant authorities, especially if sensitive data has been compromised. This filing initiates an official investigation and helps protect the organization from legal liability.

If personal data has been affected by the incident, a report to the CNIL must be made within 72 hours of discovering the breach.

Insurers

It is also crucial to inform the information system insurer as soon as the incident is detected. The insurer can provide support in managing the crisis and activate coverage for any losses incurred.

Conclusion

In the event of an intrusion into an information system, the speed and effectiveness of the response are crucial to minimize damage. Companies must implement rigorous procedures to detect, assess, and respond to incidents. Furthermore, calling on external experts and complying with legal reporting obligations are critical steps to ensure effective crisis management. By following these steps, organizations can better prepare to face cyberattacks and strengthen their resilience against digital threats.

You'll also like

Best practices in the event of an intrusion into an information system
Good Practices

June 12, 2025

Best practices in the event of an intrusion into an information system

Read the article
Social engineering : the biggest risk for SMEs
News

Feb. 21, 2025

Social engineering : the biggest risk for SMEs

Read the article
The importance of intrusion tests for companies
Good Practices

May 16, 2023

The importance of intrusion tests for companies

Read the article