Cyber Breach Triage
A cyber breach can significantly impact an organisation and its customers, and recovery can take considerable time. Below is a very high-level guide to minimising the impact in the early stages, once a breach becomes known.
If you have been compromised or suspect that you have been compromised, please contact us.
Our breach coaching service can help you respond.
Incident First Aid
A starter set of items to think about to initiate harm reduction to your organisation.
Triage
- Identify and engage SMEs
- Confirm source / report
- Establish timeline / journaling
- Establish legal privilege
- Have you engaged a suitably qualified third party?
Each of the following items requires different skills and should only be carried out by people with appropriate training and experience.
- System log review
- System inspection
- Malware identification
Contain
Contain is the phase that stops the actor or malware from spreading throughout your organisation. This should be conducted by subject matter experts.
- Isolate the impacted systems. Endpoint Detection and Response (EDR) software can do this.
- Increase all anti-malware to the most aggressive settings and isolate systems at the network level.
- Turn off systems if they cannot be contained via network isolation.
- Use a firewall in a very restrictive manner: isolate the smallest footprint possible so that operations can continue.
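As an added illustration of the network-level isolation described above (example code written for this page, not the firm's own tooling), the POSIX shell script below generates a default-drop nftables ruleset for a contained Linux host, leaving only the EDR server and an investigator jump network reachable. The EDR address and management CIDR are placeholders supplied as arguments.

```shell
#!/bin/sh
# Added example: build a default-drop nftables ruleset for a host under containment.
# Only the EDR/management server and the investigators' jump network keep access.
# The two addresses are assumptions passed in as arguments, not values from the page.

# Loose sanity check: only digits, dots and a slash are allowed, so an argument can
# never smuggle extra nft syntax into the generated ruleset.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9./]*) return 1 ;;
    esac
    return 0
}

# Print the ruleset to stdout; apply on the host with:  nft -f containment.nft
gen_containment_ruleset() {
    edr_server="$1"   # EDR / management server that must keep its agent connection
    mgmt_net="$2"     # network the investigators' jump host lives in
    valid_ipv4 "$edr_server" && valid_ipv4 "$mgmt_net" || return 1
    cat <<EOF
flush ruleset
table inet containment {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr $mgmt_net tcp dport 22 accept
        ip saddr $edr_server accept
        log prefix "containment-drop-in: " counter
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        ip daddr $edr_server accept
        log prefix "containment-drop-out: " counter
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Usage: sh containment.sh <edr_server_ip> <mgmt_cidr> > containment.nft
if [ $# -eq 2 ]; then
    gen_containment_ruleset "$1" "$2"
fi
```

Dropped packets are logged with a containment-drop prefix, which gives the timeline a record of what the host still tried to reach. DNS and DHCP are deliberately not opened; add them only if the EDR agent needs them.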
Evaluate
The evaluation phase is the first time a holistic assessment is conducted of the event's scope, impact and scale. Key items to consider are:
- Indicative number of hosts impacted
- Business services impacted
- Exfiltration investigation (telemetry and system)
- Indicative PII impact assessment
- Provide an update, and any associated legal advice, to the Board
Retrospective
Learning from the events leading up to the incident, and from the events that occurred during the response, is a key opportunity to improve your organisation's resilience to cyber incidents.