Responding to a Cyber Incident
Your Incident Response Plan (IRP) should list the parties accountable for: 1) containing the breach, 2) recovering lost data, and 3) notifying clients, partners, and the authorities. Detection, response, and timing are critical components of an effective IRP.
What are your priorities?
1. Verify WHAT the breach is
Step one is to know what kind of damage has been done before attempting to put out the fire. Were your devices stolen? Was information leaked? Often, data breaches are uncovered only after the sensitive data has already been leaked. Ransomware is another example: discovery of the breach is delayed until documents become inaccessible because they have been encrypted.
2. Initiation of mitigation plan
Take all affected equipment offline and closely monitor network entry and exit points. Document everything, and replace infected machines rather than reusing them. Avoid storing classified and sensitive data on your standard network so that a malicious hack of that network does not expose it. Finally, notify:
• Management and employees
• Local and federal authorities
• Legal counsel
• Data forensics team
3. Secure network, social media, and web credentials
If sensitive data is improperly posted on your website, immediately remove it. Internet search engines cache and store copies of pages, so contact them to ensure that they do not keep an archived copy of the exposed data. Additionally, update the credentials of authorized users: if a hacker stole credentials, your system will remain vulnerable until you change them. Generally, turn no machines off until your MSP arrives, since powering off destroys volatile evidence such as memory contents; instead, disconnect the machine from the network.
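The credential step above is easier to carry out if you know which accounts actually touched the affected machines. The following Python script is an added example and not part of the original article: it reads authentication log lines (the lines and their syslog-like format are constructed for this example), builds the list of accounts to rotate from successful logons on the hosts already taken offline during the incident window, and then goes one step further than the text by listing hosts that were not isolated but on which one of those accounts subsequently logged on, since they may need to be taken offline too. The host names, account names and addresses are all assumptions.

```python
"""Build a credential-rotation worklist from authentication logs.

Added example, not code from the original article. Assumes a simplified
log format "<ISO time> <host> auth <user> <success|failure> from <ip>";
real deployments would read SSH, Windows Security, or IdP logs instead.
"""
from datetime import datetime, timezone
import re

# Constructed sample log lines (hosts, users and IPs are made up).
SAMPLE_LOG = """\
2024-05-01T08:02:11Z ws-017 auth jdoe success from 10.0.4.22
2024-05-01T09:15:40Z fs-01 auth backup-svc success from 10.0.1.9
2024-05-01T10:30:05Z ws-017 auth svc-deploy success from 203.0.113.7
2024-05-01T11:12:59Z ws-017 auth admin failure from 203.0.113.7
2024-05-01T11:13:04Z ws-017 auth admin success from 203.0.113.7
2024-05-02T07:45:00Z ws-023 auth jdoe success from 10.0.4.22
2024-05-02T08:10:33Z fs-01 auth jdoe success from 10.0.4.22
"""

# Hosts already disconnected in step 2, and the window under investigation
# (both assumed values for the example).
AFFECTED_HOSTS = {"ws-017"}
INCIDENT_WINDOW = (
    datetime(2024, 5, 1, tzinfo=timezone.utc),
    datetime(2024, 5, 2, 23, 59, 59, tzinfo=timezone.utc),
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<user>\S+) "
    r"(?P<result>success|failure) from (?P<ip>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def _in_window(event, window):
    start, end = window
    return start <= event["ts"] <= end


def rotation_worklist(events, affected_hosts, window):
    """Accounts whose credentials must be rotated: every account with a
    successful logon on an affected host inside the window. Failed attempts
    are ignored here because they do not prove the credential was valid."""
    worklist = {}
    for e in events:
        if e["host"] in affected_hosts and e["result"] == "success" and _in_window(e, window):
            entry = worklist.setdefault(e["user"], {"hosts": set(), "sources": set()})
            entry["hosts"].add(e["host"])
            entry["sources"].add(e["ip"])
    return {u: {"hosts": sorted(v["hosts"]), "sources": sorted(v["sources"])}
            for u, v in worklist.items()}


def containment_candidates(events, worklist, affected_hosts, window):
    """Hosts not yet isolated where a to-be-rotated account logged on
    successfully inside the window; each may need to be taken offline too."""
    candidates = {}
    for e in events:
        if (e["user"] in worklist and e["host"] not in affected_hosts
                and e["result"] == "success" and _in_window(e, window)):
            candidates.setdefault(e["host"], set()).add(e["user"])
    return {h: sorted(users) for h, users in candidates.items()}


def run_example():
    """Run the sample data end to end and return (worklist, candidates)."""
    events = parse_log(SAMPLE_LOG)
    worklist = rotation_worklist(events, AFFECTED_HOSTS, INCIDENT_WINDOW)
    candidates = containment_candidates(events, worklist, AFFECTED_HOSTS, INCIDENT_WINDOW)
    return worklist, candidates


if __name__ == "__main__":
    wl, cc = run_example()
    for user, info in sorted(wl.items()):
        print(f"rotate {user}: seen on {info['hosts']} from {info['sources']}")
    for host, users in sorted(cc.items()):
        print(f"consider isolating {host}: used by {users}")
```

Run on the sample data, the worklist names jdoe, svc-deploy and admin (the failed admin attempt is not counted, but the later success is), and ws-023 and fs-01 are flagged because jdoe logged on to them after the workstation was compromised. In practice the window start should be the earliest suspected compromise time, not the detection time, since detection often lags the breach as the article notes.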