investigation is the first 24 to 48 hours. Make your decisions as evidence materializes, and be sure to communicate with your Incident Response team.
Did someone say PHI? Better bring in the compliance team.
Who will participate, what will their roles be, and what will each person do?
Technical analysis
What machines were breached? How were they hacked? What was stolen?
Containment
Where does the threat still reside? Clean it up!
Restoration
Who will you contact should you need to call on backups, adjust firewalls, block IP addresses, or reimage corrupted machines?
What will you tell the board of directors, the public, law enforcement, and regulators?
Communication is key. Don't make assumptions.
SET THE SCOPE OF THE INVESTIGATION, ANALYZE, AND REMEDIATE.
Triage affected hosts to find indicators of compromise (IoCs) and create a distilled timeline from the available evidence (event logs, file systems, etc.).
Once a set of IoCs has been found, push them into the other security systems (SIEM, IDS, endpoint agents) that can spot them elsewhere on the network.
The most compromised hosts undergo a deep investigation for a full understanding of what the attacker did on each system, and that analysis is used to create the remediation plan.
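The triage-then-sweep step above, as an added example that is not part of the original checklist: a few constructed log lines from a compromised host are sorted into a timeline, external IPs and file hashes are pulled out of it as IoCs, and the other hosts' logs are swept for the same IoCs. Host names, IPs (TEST-NET ranges), hashes and the one-line-per-event log format are all assumptions made for the example.

```python
"""Added example: build a distilled timeline for one host, extract IoCs from
it, and sweep the remaining hosts for those IoCs. All logs are constructed."""
import ipaddress
import re
from datetime import datetime

# Constructed hash values (not real indicators).
HASH_AGENT = "9f" * 32    # dropped binary on the compromised host
HASH_BENIGN = "1a" * 32   # unrelated binary on a clean host

# Constructed logs: "<ISO timestamp> <host> <message>", deliberately out of order.
SAMPLE_LOGS = {
    "web01": [
        "2024-03-04T09:13:11Z web01 kernel: outbound connection to 198.51.100.7:443",
        f"2024-03-04T09:12:40Z web01 auditd: EXECVE /tmp/.x/agent sha256={HASH_AGENT}",
        "2024-03-04T09:12:03Z web01 sshd: Accepted password for admin from 203.0.113.45 port 51422",
    ],
    "db02": [
        "2024-03-04T10:02:55Z db02 sshd: Accepted publickey for deploy from 10.0.0.12 port 40110",
        f"2024-03-04T10:05:01Z db02 auditd: EXECVE /opt/app/run sha256={HASH_BENIGN}",
    ],
    "jump03": [
        f"2024-03-04T09:41:02Z jump03 auditd: EXECVE /var/tmp/agent sha256={HASH_AGENT}",
        "2024-03-04T09:40:18Z jump03 sshd: Accepted password for admin from 203.0.113.45 port 51900",
    ],
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HASH_RE = re.compile(r"sha256=([0-9a-f]{64})")

# RFC 1918 plus loopback; anything else is treated as external (assumption:
# attacker infrastructure lives outside the internal ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Split one log line into timestamp, host and message."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}


def build_timeline(lines):
    """Distilled timeline: parsed events sorted by timestamp."""
    return sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])


def is_external(ip):
    """True for routable-looking addresses outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # regex can match junk like 999.1.1.1
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def extract_iocs(timeline):
    """Pull external IPs and sha256 hashes out of a host's timeline."""
    ips, hashes = set(), set()
    for event in timeline:
        ips.update(ip for ip in IP_RE.findall(event["msg"]) if is_external(ip))
        hashes.update(HASH_RE.findall(event["msg"]))
    return {"ip": ips, "sha256": hashes}


def sweep(iocs, logs_by_host, patient_zero):
    """Look for the IoCs in every other host's logs; returns host -> [(ts, ioc)]."""
    hits = {}
    for host, lines in logs_by_host.items():
        if host == patient_zero:
            continue
        for event in build_timeline(lines):
            found = (set(IP_RE.findall(event["msg"])) & iocs["ip"]) | \
                    (set(HASH_RE.findall(event["msg"])) & iocs["sha256"])
            for ioc in sorted(found):
                hits.setdefault(host, []).append((event["ts"].isoformat(), ioc))
    return hits


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS["web01"])
    for event in timeline:
        print(event["ts"].isoformat(), event["msg"])
    iocs = extract_iocs(timeline)
    print("IoCs:", iocs)
    print("other hosts with hits:", sweep(iocs, SAMPLE_LOGS, "web01"))
```

The sweep here runs over local log copies; in practice the same IoC set would be loaded into the SIEM, IDS and endpoint tooling so the match is made wherever those indicators appear. Private-range addresses are deliberately excluded from the IoC set so that ordinary internal traffic does not turn into false positives on the sweep.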
LEAD AND ENABLE THE TEAM.
Clear roadblocks so that team members can dedicate themselves to remediating the problem. Then ensure the effective flow of information within the team so that members can stay focused on their individual tasks.
COMMUNICATE DELIBERATELY AND EFFECTIVELY.
Anything that is communicated outside the Incident Response team should be supported 100% by evidence and for good reason. Information about the breach that is told to the board should be tailored to answering the question, "How and how soon can business get back to normal?"
DERIVE AND APPLY LESSONS LEARNED.
Within a week of cleaning up a breach, the team should discuss and document its actions to determine what went right, what went wrong, and how to be better prepared the next time.
7 THINGS TO DO WHEN YOUR BUSINESS IS HACKED
INCIDENT RESPONSE CHECKLIST AND CONTACTS
INCIDENT RESPONSE CHECKLIST
Bring in the right people.
Collect information and work with your IR team.
Build a plan.
Derive and apply lessons learned.
Set the scope of the investigation, analyze, and remediate.
Lead and enable the team.
Identify anticipated roadblocks.
Communicate deliberately and effectively.
INCIDENT RESPONSE CALL LIST
Legal Lead:
Executive Lead:
Compliance Lead:
Investigation Lead:
Incident Response Team Lead:
Incident Response Team Members (internal):
Incident Response Team Members (external):
Rapid7: 1-844-RAPID-IR
Endpoint Analysis Lead:
Network Analysis Lead:
Backups Administration:
Systems Administration:
Communications Lead (internal):
Communications Lead (external):
Communications Approval:
Communications Approval: