10. Isolate infected systems.
Just as we had to quarantine for Covid infections, power down compromised endpoints to avoid spreading the contagion to other parts of the network.
9. System recovery.
Create, review, and exercise a system recovery plan to ensure the restoration of services as part of a comprehensive disaster recovery strategy. This may involve using backups, reinstalling software, or patching vulnerabilities. Perform periodic testing and evaluate the backup plan. Test and test again.
Assess the damage and root cause of the breach. Did a user click a bogus link or download a malware-laden file? Were credentials stolen by a successful phishing or social engineering scam?
7. Notify authorities.
The federal government requires reporting of cybercrimes. Contact the local FBI, file a report with CISA (Cybersecurity and Infrastructure Security Agency): CISA exists to protect organizations from cyberattacks and respond to incidents. Report to FinCEN (Financial Crimes Enforcement Network), which receives reports of suspicious financial activity, including ransomware payments.
6. Patch systems.
Apply all available software updates immediately. Automate the process as much as possible because threat actors create exploits soon after a patch is released. Use a reliable update service provided directly from the software vendor.
5. Prepare for emotional fallout.
Cyber-attacks can cause feelings of distress, anger, guilt and fear among employees.
4. Change passwords.
Suggest using a popular password manager to store and generate unique and complex passwords for every online account. Activate multi-factor authentication (MFA) options; these should default to being turned on but are not generally.
3. Train security awareness.
Educate employees about the attack. This will help them to be more aware of the risks and to identify and report suspicious activity.
2. Review security policies.
This may include deploying new security controls, increasing security monitoring, and conducting regular penetration tests both inside and out. Regularly test your incident response plan (IRP) to avoid chaos and confusion should an attack occur by performing tabletop exercises.
1. Engage experts.
A cybersecurity expert can help the organization report and investigate the attack, develop a remediation plan, set up threat detection controls, test systems for weaknesses, set policies and procedures, and implement practical security measures.