Digisecuritas Emergency Incident Response

Act Quickly. Recover Stronger.

When facing a cyberattack or system failure, every second counts. Digisecuritas Incident Response quickly investigates your devices, networks, and systems to establish the cause, source, and impact of the incident, and guides you through the next steps.

Experiencing a breach? Complete the form below and our team will contact you as soon as possible.

Recommended Actions

STEP 0: Call the Hotline

If you're new to Digisecuritas and don't have a hotline number, please fill out the form above, and we will provide you with the necessary details.

If you're an existing Digisecuritas customer, please call the hotline provided in your onboarding documents to ensure you're following the correct procedures.

While we are working on your incident response, you should continue to follow the steps outlined below to ensure timely and effective actions.

STEP 1: Develop a Strategy

Actions taken at the outset of a breach can greatly influence the outcome. At this stage, you should focus on two main objectives:

  • Prevent or reduce disruption to regular operations
  • Ensure the protection of sensitive information

To achieve this effectively, it is essential to identify which systems and data are at risk and to determine how to block the attacker's actions (containment). Be aware that containment measures can alter or destroy evidence, making it harder to identify additional affected systems, ascertain how the breach happened, or determine which data has been impacted. Weigh each containment action against the evidence it may cost you.

We suggest that you begin by compiling several lists:

  1. Which systems are affected?
  2. Which data has been compromised?
  3. What strategies can you implement to contain the breach?
  4. What effects will each of these strategies have on:
    1. Regular business operations
    2. The protection of sensitive information
    3. The preservation of evidence

These lists will then be part of the incident documentation and should be updated as the situation develops.

STEP 2: Keep Detailed Records

Document every action taken, who took it, and the exact time it was taken. Use a single time zone (preferably UTC) throughout so that records from different systems and responders can be correlated. This is particularly crucial for actions that could alter or destroy evidence. Thorough records also aid in system restoration and help identify which systems might still be vulnerable. Keep records even for systems that are currently inaccessible, noting when and why access was lost.

STEP 3: Create Backups

Ensure that production systems and data are backed up before any modifications are made. This is especially important when dealing with malware. Even if anti-virus tools flag a file as a known variant, there may still be valuable information to extract from the malicious files themselves, such as IP addresses of command-and-control servers, links to other harmful payloads, and timeline data. Additionally, malware identified by anti-virus software may belong to a larger family with different or enhanced behaviours and capabilities, so preserve the original sample (with its hashes and timestamps) rather than relying on the AV verdict alone.

Seek assistance from your emergency response team. The Digisecuritas team includes dedicated malware analysis specialists ready to dissect these threats.

STEP 4: Identify At-Risk Systems

Once an incident is detected, the systems directly impacted can be easily pinpointed. However, it’s important to assess how these systems interact with the broader network, what information they hold, and how that information could help an attacker move laterally to other systems. This can include system and application configurations (such as trust relationships, account credentials, and APIs) as well as intelligence (like email templates, network diagrams, and organizational charts). Attackers often exploit compromised systems in various ways to gain access to additional systems and data.

In our experience, many underestimate the scope of systems and data at risk. A thorough forensic investigation is necessary to establish which systems and data the attacker may have accessed. Since you are likely working with limited information at this point, it's prudent to consider the worst-case scenario rather than being overly optimistic.

STEP 5: Apply Containment Measures

Once you've identified the systems at risk and gained some insight into the breach, you can decide on the best course of action to protect your systems and data. Containment is a temporary measure aimed at quickly halting further damage. Some actions might only be in place long enough for you to introduce more lasting solutions, such as taking the network offline while firewall rules are reviewed and updated. When applying containment, it's important to think broadly about the potential impact on both production systems and the preservation of evidence. Common containment actions include:

  1. Isolating compromised systems from the network (for example by disabling the switch port, moving the host to a quarantine VLAN, or using your EDR's host-isolation feature). Unless data is actively being destroyed (e.g., during an ongoing ransomware encryption run), leave systems powered on so that memory and other volatile data can be collected, which will aid in the investigation.
  2. Adjusting firewall rules. If a compromised system is communicating with suspicious systems, it's wise to block these connections across the network. Continue logging any attempted connections to or from the flagged IPs.
  3. Disabling accounts and updating passwords. If any user or application accounts have been compromised or are at risk, at a minimum reset their passwords. Also revoke active sessions and rotate any API keys or tokens tied to those accounts, since a password change alone does not invalidate them.
  4. Updating anti-virus rules. Push the latest updates to your AV agents and submit any malware samples to your AV vendor for analysis.
  5. Blocking malicious executables. If you use EDR software, update your ruleset with the malware hash, and create alerts for the executable name and associated indicators.
  6. Removing malicious files, records, and emails created by the attacker (after making a backup). This step prevents other users from falling victim to the same attack, whether through phishing emails, files dumped on shared drives, or unauthorized accounts created by the attacker. Be sure to back up everything before deletion to retain evidence.
  7. Applying security patches. While it may seem like locking the door after the fact, patching your systems can help prevent further exploits.
  8. Restoring systems from backups. If you can determine when the breach began, you may be able to restore affected systems from a backup taken before that point. Before bringing a restored system back online, fix the vulnerability or misconfiguration that allowed the attack, or it will simply be compromised again. Create backups (or forensic images) of the compromised systems beforehand, or, for a more detailed analysis later, remove and retain the original hard drives.
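Steps 2, 3 and 5 above (timestamped records, preserving a sample before touching it, and blocking attacker IPs while still logging their attempts) can be enforced by a small helper so that responders do not skip the evidence step under pressure. The following Python script is an added example written for this page; it is not Digisecuritas tooling. The JSON-lines log format, the evidence-store layout, the operator name and the generated iptables commands are illustrative assumptions, and the firewall rules are returned as text for review rather than executed.

```python
"""Evidence-first containment helper.

Added example for this page, not Digisecuritas tooling. The log format, evidence
layout and iptables command strings are illustrative assumptions.
"""
import datetime
import hashlib
import ipaddress
import json
import os
import shutil


def utc_now() -> str:
    """Timestamp every action in UTC so records from different hosts line up."""
    return datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")


class IncidentLog:
    """Append-only JSON-lines record of who did what, when, to which asset (Step 2)."""

    def __init__(self, path: str, operator: str):
        self.path, self.operator = path, operator

    def record(self, action: str, **details) -> dict:
        entry = {"ts": utc_now(), "operator": self.operator, "action": action, **details}
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def entries(self) -> list:
        with open(self.path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]


def preserve_sample(path: str, evidence_dir: str, log: IncidentLog) -> dict:
    """Copy a suspect file into the evidence store, named by SHA-256, before it is touched (Step 3).

    Hashes and original metadata are captured first so that later deletion or AV
    cleanup cannot destroy what the malware analysts need.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)
            md5.update(chunk)
    st = os.stat(path)
    info = {
        "original_path": os.path.abspath(path),
        "sha256": sha256.hexdigest(),
        "md5": md5.hexdigest(),
        "size": st.st_size,
        "mtime_utc": datetime.datetime.fromtimestamp(
            st.st_mtime, datetime.timezone.utc).isoformat(timespec="seconds"),
    }
    dest = os.path.join(evidence_dir, info["sha256"] + ".bin")
    shutil.copy2(path, dest)  # copy2 keeps the original timestamps on the evidence copy
    with open(dest + ".json", "w", encoding="utf-8") as fh:
        json.dump(info, fh, indent=2, sort_keys=True)
    info["evidence_copy"] = dest
    log.record("preserve_sample", **info)
    return info


def remove_after_preserving(path: str, evidence_dir: str, log: IncidentLog) -> dict:
    """Containment action 6: delete an attacker-created file only once a copy is in evidence."""
    info = preserve_sample(path, evidence_dir, log)
    os.remove(path)
    log.record("remove_file", original_path=info["original_path"], sha256=info["sha256"])
    return info


def block_rules(ips, log: IncidentLog) -> list:
    """Containment action 2: build firewall rules that LOG and then DROP traffic to/from each IP.

    Rules are returned as strings so the change can be reviewed before it is applied.
    The LOG rule is inserted ahead of DROP so attempted connections keep being recorded.
    """
    rules = []
    for raw in ips:
        ip = ipaddress.ip_address(raw)  # rejects hostnames and malformed input (ValueError)
        tool = "iptables" if ip.version == 4 else "ip6tables"
        for chain, flag in (("INPUT", "-s"), ("OUTPUT", "-d")):
            rules.append(f"{tool} -I {chain} 1 {flag} {ip} -j LOG --log-prefix 'IR-BLOCK {ip} '")
            rules.append(f"{tool} -I {chain} 2 {flag} {ip} -j DROP")
        log.record("block_ip", ip=str(ip))
    return rules


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp(prefix="ir-")
    sample = os.path.join(work, "invoice.exe")  # constructed stand-in for a dropped payload
    with open(sample, "wb") as fh:
        fh.write(b"MZ this is a stand-in for a malicious sample")
    log = IncidentLog(os.path.join(work, "incident.jsonl"), operator="analyst-1")
    info = remove_after_preserving(sample, os.path.join(work, "evidence"), log)
    print("preserved", info["sha256"], "->", info["evidence_copy"])
    print("\n".join(block_rules(["203.0.113.5", "2001:db8::17"], log)))
```

The ordering matters: the copy and hashes are written before the original is removed, and each step is appended to the incident log with a UTC timestamp, so the record required in Step 2 is produced as a by-product of doing the work rather than reconstructed afterwards.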

STEP 6: Review Breach Notification Requirements in Your Jurisdiction

Breach notification requirements can vary widely depending on legal jurisdiction. You must consider both the location of the breach and the location of any individuals whose data may be compromised. In some regions (such as the EU), even if your systems are not physically located within the jurisdiction, you are still obligated to notify affected individuals if their personal data is at risk. It's crucial to review both state and federal laws, as well as business relationships, in conjunction with the type of data involved. For instance, different regulations apply to credit card data versus medical records.

STEP 7: Consult Legal Experts

To ensure you're meeting legal requirements, it’s a good idea to engage a law firm with expertise in cyber breach law. Digisecuritas can connect you with firms that we collaborate with regularly.

STEP 8: Inform Stakeholders

Beyond legal obligations to notify affected parties, think about how the incident and your containment efforts might affect your users and partners. Are there immediate consequences they need to be informed about? Could partner systems be at risk? Are there steps your users should take to help with containment?

If you believe your organization is the victim of a cyberattack,
Digisecuritas emergency responders can help.
We recommend that you fill out the form below.

Hackers Never Sleep. Neither Do We.



DUBAI OFFICE

+971-54-565-9528

Digisecuritas Cybersecurity, FZCO 52550-001, IFZA Business Park, Dubai Digital Park, Dubai Silicon Oasis, Dubai, UAE



INDIA OFFICE

+91-8196966161, +91-8194943131

SCO 27, Level-II, Sector 21C,
Sector 21, Chandigarh, 160022