What To Do In The Event Of A Cyber Attack
You may be well prepared with the tightest and most up-to-date security systems, and yet a threat actor has found a way to sneak into your network and cause disturbance. You finally discover that you have been breached. Your critical information, together with some of your clients’ and partners’ data, is now at risk of being completely stolen or corrupted. Soon, you can expect the hackers to reach out and ask for a hefty ransom.
What happens next? What should you do to effectively manage the breach? Before anything else, stay calm and respond immediately and proactively to contain the attack and prevent further damage. Recall the guidelines indicated in your company’s incident response plan. Subsequently, follow the steps indicated below to ensure that the breach is handled systematically.
1. Secure your operations and entire environment
Right now, the only thing worse than the attack itself is for it to multiply. Swift action is key to ensure all your systems will be safe. Mobilize your Incident Response Team to conduct a comprehensive crisis response.
a. Report the breach and call your Incident Response Team.
As soon as you discover a breach, you must report it to your IR team, as well as your company stakeholders. Although you may have been oriented on what to do to remediate the situation, getting experienced professionals on board will help assess and investigate the incident appropriately and arrive at the best solutions.
b. Secure assets and run your backup servers.
Your top priority is to save as much critical data and IT systems as possible. Since you have yet to determine the extent of the damage, you must ensure that your files are protected and copied onto an external device. Lock all assets and change all passwords and credentials immediately.
Have your IR team switch to a backup server to keep your network running concurrently, while an investigation is ongoing.
c. Isolate the infected system.
It is imperative to isolate the affected endpoints and servers. Compromised sections must be disconnected from the rest of the computer environment to limit exposure and ensure the attack does not progress further.
Never turn off your machines until incident responders have already examined and collected forensic evidence from them. In some cases, separating the infected endpoint may mean suspending that part of your network and may cause temporary disruption.
After isolating the infected endpoint, the IR team will evaluate the rest of the network and check for other compromised systems.
d. Remove improperly posted information online.
If the breach is discovered to be related to information posted on your social media accounts, your own website, or other online platforms, you must remove the post at once. This prevents other attackers from accessing any exposed data, such as detailed error messages that could reveal stack traces, private information, or passwords. Likewise, removing the error will stop the exposure from spreading to users online.
2. Survey the damage and fix vulnerabilities
At this point, the IR team will conduct a thorough investigation of the breach to find out the root cause, the threat actor(s) involved, and other vulnerabilities, and to determine the extent of the impact on the company. All actions taken must be well documented, as these documents may be required as part of public regulatory notification and legal process.
a. Collect forensic evidence.
Review logs and records in order to track all related activities. These records are helpful to trace the timeline of the incident and determine what malicious activities have occurred and how extensive they are.
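As an added illustration of the log review described above (example code written for this page, not part of the original article), the script below takes a few constructed sshd and web-server log lines, normalises their timestamps, flags the brute-force-then-success pattern that usually marks the initial foothold, pivots on that address to assemble a cross-source timeline, and records a SHA-256 fingerprint of each raw log so the write-up can show the evidence was not altered after collection. The log formats, hostnames, addresses and the five-minute window are assumptions for the example.

```python
"""Added example: build an incident timeline from constructed log lines."""
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample logs for a hypothetical incident (not real data).
# 198.51.100.0/24 is a documentation range; users and ports are placeholders.
AUTH_LOG = """\
2024-03-02T09:12:41Z sshd[2211]: Failed password for admin from 198.51.100.23 port 51022 ssh2
2024-03-02T09:12:44Z sshd[2211]: Failed password for admin from 198.51.100.23 port 51022 ssh2
2024-03-02T09:12:47Z sshd[2211]: Accepted password for admin from 198.51.100.23 port 51022 ssh2
2024-03-02T09:30:05Z sshd[2450]: Accepted publickey for deploy from 10.0.0.5 port 44102 ssh2
"""
WEB_LOG = """\
198.51.100.23 - - [02/Mar/2024:09:15:02 +0000] "GET /admin/export?all=1 HTTP/1.1" 200 5832011
10.0.0.8 - - [02/Mar/2024:09:16:10 +0000] "GET /index.html HTTP/1.1" 200 1204
198.51.100.23 - - [02/Mar/2024:09:20:33 +0000] "POST /admin/settings HTTP/1.1" 200 512
"""


@dataclass(frozen=True)
class Event:
    ts: datetime        # timezone-aware, so events from different logs sort correctly
    source: str         # which log the event came from
    actor: str          # remote address, used as the pivot indicator
    detail: str
    bytes_out: int = 0  # response size for web events; 0 for everything else


AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Accepted|Failed) (\w+) for (\S+) from (\S+)")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def parse_auth(text: str) -> list[Event]:
    """Parse sshd-style lines; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        outcome, method, user, ip = m.groups()[1:]
        events.append(Event(ts, "auth", ip, f"{outcome} {method} login as {user}"))
    return events


def parse_web(text: str) -> list[Event]:
    """Parse combined-format access log lines (assumed Apache/nginx style)."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, status, size = m.groups()
        ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        events.append(Event(ts, "web", ip, f"{method} {path} -> {status}", int(size)))
    return events


def suspicious_logins(events: list[Event], window: timedelta = timedelta(minutes=5)) -> set[str]:
    """Addresses whose first failed login is followed by an accepted login within the window."""
    first_failure: dict[str, datetime] = {}
    flagged: set[str] = set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.source != "auth":
            continue
        if e.detail.startswith("Failed"):
            first_failure.setdefault(e.actor, e.ts)
        elif e.detail.startswith("Accepted") and e.actor in first_failure:
            if e.ts - first_failure[e.actor] <= window:
                flagged.add(e.actor)
    return flagged


def build_timeline(events: list[Event], indicator: str) -> list[Event]:
    """Every event tied to the indicator, across all log sources, in time order."""
    return sorted((e for e in events if e.actor == indicator), key=lambda e: e.ts)


def summarize(timeline: list[Event]) -> dict:
    """The figures the investigation write-up needs: start, last activity, systems touched, data pulled."""
    return {
        "first_seen": timeline[0].ts.isoformat(),
        "last_seen": timeline[-1].ts.isoformat(),
        "sources": sorted({e.source for e in timeline}),
        "event_count": len(timeline),
        "bytes_out": sum(e.bytes_out for e in timeline),
    }


def evidence_fingerprint(text: str) -> str:
    """SHA-256 of the raw log as collected, recorded before analysis for the evidence record."""
    return hashlib.sha256(text.encode()).hexdigest()


def investigate() -> dict:
    """Fingerprint the evidence, find the foothold, and summarise each flagged actor's timeline."""
    events = parse_auth(AUTH_LOG) + parse_web(WEB_LOG)
    report = {"evidence": {"auth.log": evidence_fingerprint(AUTH_LOG),
                           "access.log": evidence_fingerprint(WEB_LOG)}}
    for ip in sorted(suspicious_logins(events)):
        report[ip] = summarize(build_timeline(events, ip))
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(), indent=2))
```

The fingerprints are computed on the raw text before any parsing, which is the order a responder needs: hash first, then analyse, so the record in the report matches what was actually collected. Filtering by the remote address is only one pivot; on a real investigation the same timeline is rebuilt around each new indicator (account, host, session id) the first pass turns up.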
b. Check your exposures, especially from third parties.
Identify individuals who have access to your network and evaluate whether they really need that privilege.
Conduct due diligence and check whether any of your service providers or external partners were involved in your breach. Make sure these third parties are taking proper measures to reduce risks and verify whether they have fixed their vulnerabilities, especially those that may affect you.
c. Inspect your network segmentation.
Examine whether your network segmentation has been effective, especially in containing the breach that occurred. If you need to make any changes, do so now.
3. Communicate and notify concerned parties
Inform all concerned parties of your breach so that they are aware of your predicament and mindful of any implications it might have for them. Although you must not withhold vital information that your stakeholders, partners, and clients might need to protect themselves, never publicly share information which could further imperil everyone else.
a. Notify the authorities.
Alert law enforcement agencies immediately, e.g., the local police, the Federal Bureau of Investigation, and the United States Secret Service, since a cyberattack is essentially a crime. Besides making the incident official, informing the authorities helps in rapidly catching and prosecuting the perpetrators and in ensuring that no sensitive information is disclosed. Find out the specific legal requirements you need to meet when reporting the breach.
b. Inform clients.
Difficult as it may be to reveal that you have been breached, as it might result in clients losing their confidence in your company, it is your indispensable obligation to inform clients, partners, and other related parties of the current situation so they can take necessary measures to secure themselves and their assets. Being honest about the situation will allow your clients to recognize your efforts in remediating the incident and fulfilling your responsibilities to them.
Coordinate with the authorities the schedule of your notifications to avoid unnecessary delays or interruptions in the investigation. In addition, assign a point of contact who will manage all essential communication. This will ensure that you only release a single narrative of the incident, discussing the breach and the latest updates, the response conducted, and the actions that must be made by all involved.
4. Learn from the breach
Once you have gained a full understanding of how the incident took place and vulnerabilities have been identified, harden your overall security posture by using a defense-in-depth approach. Acquire better technologies and tools, update your security plans, and conduct further training and simulations among all employees to test your company’s crisis preparedness.
You can also consider engaging an external IR team. Aside from being cost effective, since you do not have to pay full-time employees, an external IR provider will present you with clear, timely, and unbiased reporting of the event. Furthermore, cyber security companies have more advanced tools, offer various services, and are better equipped to handle and manage cyber events.