Saw a great WSJ article recently on steps to take if you’ve been breached. Well written! Here’s the CliffsNotes version:
1. Don’t Unplug
Though instinctively it feels like the right thing to do, don’t shut the system down: valuable information about the malware or infection is likely sitting in system memory and would be lost on shutdown. Instead, remove the internet connection and isolate the machine from the rest of the network to contain the infection.
2. Call in the pros.
Contact your incident response/forensic partner. They’re trained to handle these situations. This is not the time to flex your Columbo muscles.
3. Keep a chain of custody.
This is a written record of every person who touches the affected system/computer. You need this not only for the investigation but potentially for any legal follow-ups.
4. Find out if the breach is still open.
Don’t assume only one system was affected. The hacker could have taken control of multiple systems.
5. Stop the bleeding.
After the investigators have taken a digital snapshot of the system, take the affected systems offline and block any network connections associated with the malware. Figure out how the hacker broke in and plug the hole.
6. Figure out who to tell.
This is where you bring in the lawyers.
7. Be apologetic.
Striking the right conciliatory tone is important. There are PR firms that specialize in breach notifications.
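As an added example (not from the WSJ article or this post), here is a tamper-evident chain-of-custody log in Python for step 3: every record names who handled the evidence, when, and what they did, and is hashed together with the previous record, so any later edit or deletion shows up on verification. The handler names and evidence hashes in the test are constructed.

```python
"""Tamper-evident chain-of-custody log (added example, constructed data)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # stands in for the "previous hash" of the first record


def _entry_hash(entry: dict, prev_hash: str) -> str:
    # Canonical JSON so the same record always hashes the same way.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def add_entry(log: list, handler: str, action: str, evidence_sha256: str,
              timestamp: Optional[str] = None) -> dict:
    """Append one custody record and return it (including its hash)."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {
        "seq": len(log) + 1,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "handler": handler,                  # person who touched the system/image
        "action": action,                    # e.g. "memory capture", "disk image"
        "evidence_sha256": evidence_sha256,  # hash of the artifact handed over
        "prev_hash": prev,                   # links this record to the one before
    }
    entry["hash"] = _entry_hash(entry, prev)
    log.append(entry)
    return entry


def verify_chain(log: list) -> bool:
    """True only if every record is unchanged and in its original order."""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return False  # a record was removed, reordered or inserted
        body = {k: v for k, v in entry.items() if k != "hash"}
        if _entry_hash(body, prev) != entry.get("hash"):
            return False  # a record's content was altered after the fact
        prev = entry["hash"]
    return True
```

Print the list (or write it to a file the forensic partner countersigns) after each hand-off; `verify_chain` is what you run before handing the record to counsel.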
It’s important to be prepared. Train your employees. Have an Incident Response plan in place. Identify your Incident Response/Forensic partner and keep their number on speed dial.
Sr. Account Executive
Incident Response Hotline: 800-925-0559