Your IT infrastructure has been breached! Maybe you discovered it when it was too late and everything is now encrypted by ransomware, or perhaps you have alarms in place that were activated. Either way, time is of the essence since downtime means lost revenue for the company, not to mention damage to reputation, lost customers, lawsuits, and many other potential implications.
The main goal is to get your business up and running as quickly and securely as possible. However, a few steps need to be taken to get you back on track again.
Most Importantly: Don’t Panic
During a cyber attack it is easy to panic and make the wrong decisions. Far too often, immediate actions taken in distress are counterproductive: they make stopping the breach more complex, more time-consuming, and more costly.
When a cyber breach occurs, your IT environment becomes a crime scene, so don’t touch anything. Don’t unplug or power off servers, move files, shut down accounts, or make any other changes to the IT environment. Powering a machine off destroys the volatile evidence investigators need (memory contents, active sessions, open network connections), and changing files or accounts can tip off the threat actor and overwrite traces of what they did. If you have backups, secure them by disconnecting them from the network, but don’t switch them off.
Here are the main steps to take:
- Regain Control of Your IT Environment
The first step is to call the Cybersecurity Incident Response Team (CSIRT). Once they have a clear picture of what has happened and how far the intrusion reaches, it is critical to watch whether the threat actor is still trying to get in or is moving laterally within the environment. Initiating active security monitoring with a Security Operations Center (SOC) also gives you a better overview of the threat actor’s activity.
- Scan for Data on the Loose
The next step is to determine what damage has been done and what data, if any, has been exfiltrated, altered, or deleted. It is also essential to gather threat intelligence and search the dark corners of the internet for leaked information.
- Eradicate the Threat Actor
To ensure the threat actor no longer has access to or control over any part of your environment, you need to remove their footholds and every remaining backdoor, and rotate any credentials they may have obtained. Only when the environment is clean can the recovery phase begin: restoring from backups where available, or rebuilding the systems that cannot be restored.
- Prevent Downtime and Ensure Efficiency
A CSIRT follows a predetermined operational methodology so that it can work quickly and efficiently. It runs the response: forensic investigation, containment, eradication, and recovery, together with your company’s personnel, to get the business up and running as quickly as possible.
- Prepare for Real-life Cyber Attacks
Update your organization’s operational procedures and incident response plans with the lessons learned from the incident so that a similar situation is less likely to recur. That requires insight into your vulnerabilities and how to reduce them, which in turn lowers the probability of a successful attack.
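The monitoring the first step calls for, watching whether the threat actor is moving laterally, is usually a SOC detection rule. The following is an added example written for this page, not code from the article or from any CSIRT or SOC product: a sliding-window detector that flags an account which successfully logs on to many distinct hosts in a short time. The log format, the sample log lines, the five-minute window and the four-host threshold are all constructed for the example; a real deployment would parse Windows 4624 events or sshd logs and tune the thresholds to the estate.

```python
"""Sliding-window lateral-movement detector over constructed logon records.

Added example, not from the original article. The log format is a constructed
one: each line reads
    <ISO timestamp> <account> <source_host> -> <target_host> <result>
The window and host threshold below are assumed values for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "alice" fans out to five servers in two minutes at 02:00,
# which is the pattern to catch; "bob" and "carol" are ordinary daytime activity.
SAMPLE_LOG = """\
2024-03-04T02:11:05Z alice ws-01 -> fs-01 success
2024-03-04T02:11:40Z alice ws-01 -> srv-sql01 success
2024-03-04T02:12:02Z alice ws-01 -> srv-app02 success
2024-03-04T02:12:31Z alice ws-01 -> dc-01 success
2024-03-04T02:13:10Z alice ws-01 -> srv-bak01 success
2024-03-04T09:01:00Z bob ws-07 -> fs-01 success
2024-03-04T09:45:12Z bob ws-07 -> srv-app02 success
2024-03-04T11:20:33Z carol ws-03 -> fs-01 failure
2024-03-04T11:20:40Z carol ws-03 -> fs-01 success
"""


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    ts, account, src, arrow, dst, result = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "src": src,
        "dst": dst,
        "result": result,
    }


def parse_log(text):
    """Parse every non-empty line of a log file's contents."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_lateral_movement(events, window=timedelta(minutes=5), min_hosts=4):
    """Return {account: alert} for accounts that reach >= min_hosts distinct
    target hosts within any `window`-long span of successful logons.

    Events are processed in time order; per account, a deque holds the logons
    inside the current window so the check stays O(1) per event on average.
    """
    events = sorted(events, key=lambda e: e["ts"])
    recent = defaultdict(deque)  # account -> deque of (ts, target_host)
    alerts = {}
    for e in events:
        if e["result"] != "success":
            continue  # failed logons are noise for this rule
        q = recent[e["account"]]
        q.append((e["ts"], e["dst"]))
        # Drop logons that have aged out of the window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= min_hosts:
            # One alert per account; extend it as the fan-out keeps growing.
            alert = alerts.setdefault(
                e["account"], {"first_seen": q[0][0], "last_seen": e["ts"], "hosts": set()}
            )
            alert["last_seen"] = e["ts"]
            alert["hosts"] |= hosts
    return alerts


def format_alerts(alerts):
    """Render alerts as one line each, the way a SOC console might list them."""
    return [
        f"{acct}: {len(a['hosts'])} hosts {a['first_seen']:%H:%M:%S}-{a['last_seen']:%H:%M:%S} "
        f"({', '.join(sorted(a['hosts']))})"
        for acct, a in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for line in format_alerts(detect_lateral_movement(parse_log(SAMPLE_LOG))):
        print(line)
```

Run against the sample, the detector reports only `alice`, with all five targets listed; `bob` touches two hosts 44 minutes apart and `carol` only ever reaches one, so neither trips the rule. During an active incident the same query, scheduled over live authentication logs, is what lets the SOC see the threat actor moving before they reach the next system.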