[BreachExchange] The First 24 Hours: How to Prepare and Respond to a Major Cybersecurity Attack

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 16 20:45:04 EDT 2017


In today’s digital age, data privacy and security incident response plans
are critical. Companies need to have a well-designed cybersecurity plan to
protect their systems from attacks and respond to a crisis when they are
affected. Whether you are preparing your incident response plan to respond
to a cyber attack, or if you are caught off guard by a major cyber
incident, you should consider deploying the following steps in the first
hours of a cybersecurity breach:

- Take steps to preserve a claim of attorney-client privilege over the
incident response, including by establishing a written communications
protocol covering the investigation and requiring all participants in the
investigation to commit to adhere to the protocol.

- Work with the company’s chief information security officer and IT
security team to ensure that the organization is taking appropriate steps
to protect the company’s systems and, if necessary, to prepare for a
forensic investigation to determine the full scope of compromise. Depending
on the type of attack, such steps may include taking services offline,
scanning and imaging affected systems, forcing password resets, adjusting
firewall settings, identifying and terminating unauthorized programs
running on the system, implementing software patches, updating anti-virus
definitions, rebooting systems after the updates at an appropriate time and
generating backups of critical systems.

- Ensure that key IT security personnel remain alert to signs of the
attack, are available to the company and its workforce 24/7 and are
prepared to activate the company’s incident response plan immediately if
the company’s system is compromised.

- As appropriate, communicate with the company’s workforce to:

  - Remain alert for phishing emails and pay attention to the details of
emails, including the sender, body of message, attachments and links
directing to an unknown site;
  - Be alert for suspicious emails and notify a designated contact in the
company’s IT team if the employee suspects that he/she has received a
phishing email, if he/she has unexpected difficulty accessing a file or if
he/she sees anything that might suggest a compromise of the company’s
systems;
  - Keep on hand the contact information for the IT security team and
ensure that the IT security team is on 24-hour call until further notice.

If the company has been a victim of a cyber attack, such as a ransomware
attack where system files have already been encrypted, then additional
steps will be necessary:

- Work with counsel on a plan to manage the incident response, including
preservation of a claim of attorney-client privilege, the retention of a
cyber-forensics consultant under privilege, compliance with notification
requirements, and the assessment of legal exposure arising from the
- Work with the cyber-forensics consultant to preserve logs and images for
affected systems and to begin work on analyzing the attack, the extent of
the compromise and the adequacy of remedial measures.
- Evaluate backup system availability and adequacy.
- Consult with counsel, IT and your forensic expert about other
appropriate steps.
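Both the containment list above ("scanning and imaging affected systems") and the forensic step of preserving logs and images hinge on one practical point: evidence is only useful later if you can show it was not altered after collection. The script below is an added example, not code from the original post or from BreachExchange. It hashes each collected file with SHA-256, records size and modification time in a JSON chain-of-custody manifest, hashes the manifest itself, and can later re-verify every file. The file names, the `analyst-example` collector, the `CASE-PLACEHOLDER` case id and the two sample log lines are constructed for illustration.

```python
"""Evidence-preservation manifest for the first hours of an incident.

Added example (not part of the original post). Every collected log or disk
image gets a SHA-256 digest, size and mtime recorded in a manifest so that
later analysis can demonstrate the evidence is unchanged since collection.
All paths, names and log content below are constructed, not real data.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # stream files in 1 MiB chunks so large disk images fit in memory


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector, case_id):
    """Hash every file in `paths` and return a chain-of-custody manifest dict."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "sha256": sha256_of(p),
            "size": st.st_size,
            "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def write_manifest(manifest, out_path):
    """Write the manifest as JSON; return the digest of the manifest bytes themselves."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    with open(out_path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def verify_manifest(manifest):
    """Re-hash every listed file; return the paths that are missing or no longer match."""
    tampered = []
    for entry in manifest["files"]:
        path = entry["path"]
        if not os.path.exists(path) or sha256_of(path) != entry["sha256"]:
            tampered.append(path)
    return tampered


def demo():
    """Create constructed sample logs, build and verify a manifest, then simulate alteration."""
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    auth_log = os.path.join(workdir, "auth.log")
    web_log = os.path.join(workdir, "access.log")
    # Constructed sample log lines (documentation-range IP, not real events)
    with open(auth_log, "w") as f:
        f.write("May 16 20:41:02 host sshd[1234]: Failed password for root from 198.51.100.7\n")
    with open(web_log, "w") as f:
        f.write('198.51.100.7 - - [16/May/2017:20:41:05 -0400] "GET /login HTTP/1.1" 200 512\n')

    manifest = build_manifest([auth_log, web_log],
                              collector="analyst-example",   # constructed name
                              case_id="CASE-PLACEHOLDER")     # placeholder case id
    manifest_digest = write_manifest(manifest, os.path.join(workdir, "manifest.json"))
    clean = verify_manifest(manifest)   # nothing altered yet -> []

    # Simulate a post-collection change: a line appended to the auth log
    with open(auth_log, "a") as f:
        f.write("May 16 20:50:00 host sshd[1234]: session closed\n")
    tampered = verify_manifest(manifest)  # -> [path of auth.log]
    return clean, tampered, manifest_digest


if __name__ == "__main__":
    print(demo())
```

The manifest digest returned by `write_manifest` is the value to record out of band (in the incident ticket or with counsel), since it fixes the whole list of file hashes at one moment; re-running `verify_manifest` before each analysis step then shows whether any collected artifact changed after collection, as the appended auth.log line does in the demo.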