Firstly, we recommend you don’t panic. It is important that you don’t take any action without first having a better understanding of the attack. Reactive actions have the potential to increase the impact on your organisation, and can also destroy evidence that could be crucial to any subsequent investigation.
Zacco has extensive experience with handling multiple forms of cyber attack and containing them successfully in real time, restoring operational capability and preventing further damage to your systems. The following offers some suggestions to consider which will help you to identify the nature of the attack. Please keep this information available when you contact our experts within Zacco’s Cyber Defence Centre.
We have already said this but it really is important. You need to remain calm under pressure to ensure you follow all relevant procedures appropriately. Security incidents can quickly create panic across an organisation and, as the individual managing the incident, it is your responsibility to maintain order while you bring the situation under control. This is imperative before executing any recovery steps. Inform the relevant stakeholders about the incident and ensure that any Disaster Recovery (DR) / Business Continuity (BCP) plans are operational so that business can continue as usual where possible. You can then begin to investigate the incident further. Please note: it is necessary to ensure that enabling the DR and BCP plans does not compromise any potential evidence, or allow it to be tampered with by anyone else in the organisation. This is vital for any subsequent forensic investigation, where we can assist with securing digital evidence.
If any of your business services are down as a result of the incident, ensure that alternative solutions are available to the organisation as soon as possible. You need to minimise any impact on customers or services, which could otherwise negatively affect your organisation’s credibility.
Do you have any visible evidence of compromises to your environment? Has any of your private data, customer payment data or personal information been publicly disclosed? Are you facing any targeted attacks such as Distributed Denial of Service (DDoS) attacks on your public-facing systems? Have you discovered any malware on your systems or servers, or been notified of any ransomware? Are you seeing abnormal traffic to or from company servers?
We will need to identify what form of attack you are facing before taking any further action. Failing to do so quickly can allow the attack to intensify and lead to further damage to your organisation’s systems or reputation. To avoid this, ensure that the incident is evaluated and documented meticulously, including timestamps, affected hosts and who did what.
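The "abnormal traffic" question above is easiest to answer from the web server's own access log. The following is an added example, not part of Zacco's guidance or tooling: a POSIX shell function that buckets requests per client IP per minute and flags any source exceeding a threshold, which is what a volumetric DDoS or aggressive scanner looks like from the server side. The sample log lines are constructed here (combined log format, addresses from documentation ranges) and the threshold of 20 requests per minute is an assumption; tune it to your own baseline.

```shell
#!/bin/sh
# Added example: flag sources sending bursts of requests in a web access log.
# Combined log format fields: $1 = client IP, $4 = "[10/Oct/2023:13:55:36" (minute = chars 2..18).

# Prints "IP minute count" for every (IP, minute) pair above the threshold.
flag_bursts() {
    logfile="$1"
    threshold="$2"   # assumption: 20/min is abnormal for this site
    awk -v t="$threshold" '
        {
            minute = substr($4, 2, 17)      # "10/Oct/2023:13:55"
            key = $1 " " minute
            n[key]++
        }
        END {
            for (k in n) if (n[k] > t) print k, n[k]
        }
    ' "$logfile" | sort
}

# Constructed sample log: one source hammering the root URL 40 times in a minute,
# one ordinary visitor with two requests in two different minutes.
make_sample_log() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 40 ]; do
        echo '203.0.113.9 - - [10/Oct/2023:13:55:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"' >> "$out"
        i=$((i + 1))
    done
    echo '198.51.100.4 - - [10/Oct/2023:13:55:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"' >> "$out"
    echo '198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"' >> "$out"
    echo "$out"
}

# Usage: flag_bursts /var/log/nginx/access.log 20
# Demo on the constructed log:
sample="$(make_sample_log "$(mktemp)")"
flag_bursts "$sample" 20
```

Run it against the real log with a threshold taken from a quiet day; keep the flagged output with the incident record, since it is part of the evidence of what the attack looked like and when it started.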
Once you have confirmed the incident, have you performed any remedial actions to contain its effects? For example:
Shutting down the impacted servers or services
Enabling the DR and BCP solutions for the impacted services
Removing the system from its power supply, if possible
Isolating the impacted server physically or by using Endpoint Detection and Response (EDR)
Blocking relevant traffic at your firewall
Blocking the affected system’s network ports or isolating its network segment
Re-installing the operating system of the impacted servers
Record exactly what was done and when. Note that removing power and re-installing the operating system also destroy volatile memory and on-disk evidence that a forensic investigation would need, so prefer network isolation where it is safe to do so.
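Isolating at the network layer rather than pulling the plug keeps the evidence that lives only in memory and in open connections. The script below is an added example, not Zacco's tooling: it first records the volatile state of a Linux host (sockets, processes, logins, ARP and routing tables, hashed so later tampering is detectable) and then prints an nftables ruleset that drops everything except an SSH session from the incident responder's workstation. The responder address 10.0.0.5 and port 22 are hypothetical placeholders; override them with IR_HOST and MGMT_PORT. By default it is a dry run and only prints the ruleset; `--apply` loads it with nft, which needs root and an nftables-capable kernel.

```shell
#!/bin/sh
# Added example: collect volatile evidence, then isolate the host with nftables
# instead of powering it off. Hypothetical defaults: responder at 10.0.0.5, SSH on 22.
set -eu

EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/ir-$(date +%Y%m%dT%H%M%S)}"

# Step 1: capture what a reboot or power pull would destroy. Each tool may be
# absent on a given host, so individual failures do not abort the collection.
collect_volatile() {
    dir="$1"
    mkdir -p "$dir"
    date -u > "$dir/collected_at.txt"
    ( ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null ) > "$dir/sockets.txt" || true
    ps -eo pid,ppid,user,lstart,cmd > "$dir/processes.txt" 2>/dev/null || true
    who -a > "$dir/logins.txt" 2>/dev/null || true
    ip neigh show > "$dir/arp.txt" 2>/dev/null || true
    ip route show > "$dir/routes.txt" 2>/dev/null || true
    # Hash the collection so the chain of custody can be verified later.
    ( cd "$dir" && sha256sum ./*.txt > SHA256SUMS ) 2>/dev/null || true
    echo "$dir"
}

# Step 2: a ruleset that keeps only the responder's management session.
# Established connections stay up so the responder is not locked out mid-session;
# everything else is logged and dropped in both directions.
isolation_ruleset() {
    ir_host="$1"
    mgmt_port="$2"
    cat <<EOF
flush ruleset
table inet isolate {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr $ir_host tcp dport $mgmt_port accept
        log prefix "isolate-in " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr $ir_host accept
        log prefix "isolate-out " drop
    }
}
EOF
}

# Dry run prints the ruleset; --apply collects evidence first, then loads it.
main() {
    ir_host="${IR_HOST:-10.0.0.5}"
    mgmt_port="${MGMT_PORT:-22}"
    if [ "${1:-}" = "--apply" ]; then
        collect_volatile "$EVIDENCE_DIR"
        isolation_ruleset "$ir_host" "$mgmt_port" | nft -f -
    else
        isolation_ruleset "$ir_host" "$mgmt_port"
    fi
}

main "$@"
```

Copy the evidence directory off the host over the permitted SSH session before any rebuild, and note that a memory image (for example with LiME or AVML) should be taken before isolation if you have the tooling, since this script deliberately does not touch the disk beyond writing its own output.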
Visible evidence confirms the severity of the attack and helps to identify which actions need to be prioritised to prevent further impact or damage. Identifying and documenting such evidence may be integral to the containment of any threat to the organisation.
Are any of your websites or applications showing compromised logos or images?
Are any of your websites or applications showing messages to announce they have been compromised?
Have you received or identified any ransomware messages on any of your systems or servers?
Have you identified any malware-related activity operating within your systems or servers?
Have you received any communication from potential attackers suggesting your systems have been compromised? (Are you able to substantiate the communication, for example by checking a sample of the data they claim to hold?)
It is important to get in touch with us as soon as reasonably possible. The sooner we are made aware of any compromised systems or ongoing attacks, the sooner we can help you to identify the problem and begin the process of bringing your systems back under your control.