1. Establish a Strategy
Minimise Disruption
Protect Sensitive Data
To achieve this, you need to assess which systems and data are at risk and how you can block the attacker’s progress (containment). However, containment measures may destroy or compromise valuable evidence, hindering the investigation into the root cause, affected systems, and the full extent of data compromised.
Start by compiling several lists:
- Impacted systems and data.
- Methods of containment.
- Potential effects of these methods on:
- Business continuity.
- Data security.
- Evidence preservation.
These lists should form part of your incident documentation and be updated throughout the process.
2. Keep Detailed Records
Document every action taken, including timestamps. This is essential for tracking any potential impact on evidence and can help during system restoration and risk assessment. Ensure records are kept on systems unaffected by the breach
3. Back Up Everything
Before making any changes, ensure that all affected systems and data are backed up, particularly malware samples. Even if anti-virus software identifies the threat, there is often additional intelligence—such as command-and-control server IPs or links to other malicious payloads—that could be extracted. Always preserve the original state of the system for further analysis.
4. Identify At-Risk Systems
When an incident is detected, the systems initially impacted are usually obvious. However, consider how these systems connect to the wider network and what data they hold, as attackers may use this information to move laterally. This includes configurations, credentials, or organisational data that could assist in further attacks.
Often, the extent of the compromise is underestimated. A full forensic examination is necessary to determine the true scale of the breach, and it’s safer to assume broader system exposure until confirmed otherwise.
5. Containment
Once you understand the breach, implement measures to contain the threat, focusing on short-term solutions to “stop the bleeding.” Common containment actions include:
- Disconnecting compromised systems from the network while preserving volatile data.
- Updating firewall rules to block suspicious communications.
- Disabling affected accounts and changing passwords.
- Updating anti-virus definitions and blocking malicious executables.
- Removing attacker-created files, records, or emails (after backing them up).
- Applying security patches to prevent further exploitation.
- Restoring systems from known-good backups, ensuring vulnerabilities are addressed before bringing them back online.
6. Establish Regulatory Compliance Needs
Legal obligations for breach notification vary by jurisdiction. Consider both the location of the breach and the location of individuals whose data may be compromised. Jurisdictions like the EU require notification even if the breached system isn’t physically located there. Different regulations apply depending on the type of data involved, such as financial or health records.
7. Engage Legal Counsel
Specialised legal advice can help ensure compliance with breach notification laws and other legal obligations. Consider seeking counsel from a firm experienced in cyber breach law.
8. Communicate with Stakeholders
Beyond legal requirements, consider the impact of the breach and containment measures on stakeholders. Ensure users, partners, and other affected parties are aware of the situation and any actions they may need to take.