You are a professional, manager, or IT team member who has just realized that your business has been hacked. Maybe you see signs of a hacked account, you realize that an infected file was downloaded, you receive an alert that files have been accessed, or perhaps you are looking at the ransom note of a ransomware infection. What do you do?
Taking the right actions immediately after a cyber attack can change the course of the disaster. Acting quickly and knowing the steps of a cybersecurity disaster plan can minimize the damage and exposure while keeping a malware infection from spreading further through your company. Your immediate cyber attack response breaks down into eight essential steps.
1) Assess the Infection/Infiltration Spread
If possible, determine whether the cyber attack is isolated to a single device, network, or file system. If you just clicked an infected link, or if no other devices have shown hacked behavior, there's a chance that the malware hasn't spread beyond the first device. Ransomware is more likely to spread because it is designed to cripple organizations, while spyware and adware are more likely to attack a single device.
Hacked websites might be limited to just one web server, while a hacked account can potentially put anything that account is able to access at risk.
2) Disconnect the Infected System(s)
Isolate the infected or infiltrated system. If it is just one computer or mobile device, disconnect it from the network: pull the network cable and/or turn off its Wi-Fi and data link. If you think a local cluster network is infected, disconnect that network from the internet and isolate each machine so it can be assessed and cleaned separately. If a cloud server is infected, take it down and check any parallel server resources for signs of infection.
3) Determine What Data Could Have Been Accessed or Stolen
Next, determine what the hacker or malware may have been able to steal. Ideally, your end-to-end encryption will make stolen files unreadable, but a hacked account might have had read access. Were client files or employee files compromised? Are there files that are not backed up, or sensitive information that could hurt people or the company if exposed?
Document both the proven and the possible extent of exposure; this record drives your damage control.
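One way to produce that record for a compromised account, as an added example that is not part of the original post: it walks file-access audit records and lists the distinct files the account read inside the incident window, grouped by the kind of data they hold. The log layout, the account name, the paths and the sensitivity map are all constructed for illustration; only recorded reads are reported as proven exposure.

```python
# Added example (not part of the original post): build the "proven exposure"
# inventory for a compromised account from file-access audit records.
# The log layout, account name, paths and sensitivity map are all constructed.
from datetime import datetime

# Constructed sample audit log: "<UTC timestamp> <account> <action> <path>"
AUDIT_LOG = """\
2024-03-04T08:55:10Z jdoe READ /shared/marketing/brochure.pdf
2024-03-04T09:02:41Z jdoe READ /hr/payroll/2024-02.xlsx
2024-03-04T09:03:05Z jdoe READ /clients/acme/contract.docx
2024-03-04T09:03:40Z jdoe WRITE /tmp/staging.zip
2024-03-04T09:10:00Z asmith READ /hr/payroll/2024-02.xlsx
2024-03-04T09:31:12Z jdoe READ /hr/payroll/2024-02.xlsx
2024-03-04T11:30:00Z jdoe READ /clients/acme/invoice.pdf
"""

# Assumed data map: which path prefixes hold employee or client data.
SENSITIVE_PREFIXES = {"/hr/": "employee", "/clients/": "client"}

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def classify(path):
    for prefix, label in SENSITIVE_PREFIXES.items():
        if path.startswith(prefix):
            return label
    return "general"

def scope_exposure(log_text, account, start, end):
    """Return {category: [distinct paths]} that `account` READ between `start`
    and `end` (inclusive ISO-8601 UTC strings). Unlogged access is not seen."""
    lo, hi = parse_ts(start), parse_ts(end)
    exposed = {}
    for line in log_text.splitlines():
        ts, acct, action, path = line.split(" ", 3)
        if acct != account or action != "READ":
            continue
        if not (lo <= parse_ts(ts) <= hi):
            continue
        bucket = exposed.setdefault(classify(path), [])
        if path not in bucket:  # report each file once, however often it was read
            bucket.append(path)
    return exposed

if __name__ == "__main__":
    window = ("2024-03-04T09:00:00Z", "2024-03-04T10:00:00Z")
    for label, paths in scope_exposure(AUDIT_LOG, "jdoe", *window).items():
        print(f"{label}: {len(paths)} file(s) -> {paths}")
```

Reads before or after the window, writes, and other accounts' activity are left out, so the output is the list you would attach to the exposure record for that account.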
4) Perform a Wipe and Restore from Backup
Once the isolated systems have been assessed for damage and exposure, wipe them back to factory settings. For virtual servers, delete the server and rebuild it using the same settings. Then restore everything you can from backups. Ideally, you have both install/infrastructure backups to quickly restore your system setup and frequent live-data backups to bring your active data back to the most recent uninfected copy.
At this point, your systems should be restored and safe to bring back online. For most businesses, this is your necessary recovery point to resume operations with an uninfected network. However, work closely with IT to make sure that there is no lingering or lurking malware in the most recent backups.
5) File a Criminal Report
Use the data you collected during the assessment to report the cyber attack to the government. Cyber attacks and releasing malware are crimes. Whether or not the hacker is caught this time, the more information is sent in, the more likely it is that those using black-hat tactics can be tracked from one cyber attack to the next based on IP addresses, domains, and other identifiable patterns.
The right authorities will depend on your industry and the nature of the cyber attack.
6) Blacklist the Source
If you can identify a source, such as the domain and IP of the infected email, the phishing contact, or any signatures of the malware, blacklist it. There are several ways to add a bad actor to the blacklists that are shared by IT departments and the overall internet security infrastructure. You might be able to protect others by ensuring that future emails and websites from the same origin are flagged as dangerous before anyone has a chance to be fooled or click the wrong link.
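How a blacklist built from those indicators is applied in practice, as an added example that is not part of the original post: it screens mail-gateway log lines against the sender domains, source networks and attachment hashes recorded during the assessment. The indicators, the log layout and the addresses are constructed (RFC 5737 test ranges and .test domains), and a listed domain is treated as covering its subdomains.

```python
# Added example (not part of the original post): screen mail-gateway log lines
# against indicators recorded during the incident. Indicators, log layout and
# addresses are constructed (RFC 5737 test ranges, .test domains).
import ipaddress
import re

FAKE_HASH = "a" * 64  # placeholder for the malicious attachment's SHA-256
# Constructed blocklist: sender domains, source networks, attachment hashes.
BLOCKLIST = {
    "domains": {"phish-example.test"},
    "networks": {ipaddress.ip_network("203.0.113.0/24")},
    "sha256": {FAKE_HASH},
}

# Constructed sample gateway log, one message per line.
MAIL_LOG = f"""\
from=bob@partner.test ip=198.51.100.7 attachment_sha256=-
from=ceo@phish-example.test ip=203.0.113.45 attachment_sha256=-
from=alice@example.test ip=192.0.2.9 attachment_sha256={FAKE_HASH}
from=news@sub.phish-example.test ip=192.0.2.10 attachment_sha256=-
"""

LINE_RE = re.compile(r"from=\S+@(\S+) ip=(\S+) attachment_sha256=(\S+)")

def domain_blocked(domain, blocklist):
    # A listed domain also blocks all of its subdomains.
    return any(domain == d or domain.endswith("." + d) for d in blocklist["domains"])

def ip_blocked(ip, blocklist):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocklist["networks"])

def flag_messages(log_text, blocklist):
    """Return [(line_number, [reasons])] for every message hitting an indicator."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        domain, ip, digest = m.groups()
        reasons = []
        if domain_blocked(domain, blocklist):
            reasons.append("sender-domain")
        if ip_blocked(ip, blocklist):
            reasons.append("source-ip")
        if digest in blocklist["sha256"]:
            reasons.append("attachment-hash")
        if reasons:
            hits.append((n, reasons))
    return hits
```

Calling `flag_messages(MAIL_LOG, BLOCKLIST)` flags lines 2, 3 and 4 with the matching indicator types, while the legitimate first message passes.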
7) Alert Affected Persons & Provide Compensation, If Necessary
If any sensitive data was exposed, this is the stage where damage control happens. Report the breach to any regulatory bodies involved and deliver a safety alert to everyone whose data may have been exposed. This includes customers, business partners, and any of your employees who could be affected. If personal or financial information was accessed in the attack, you may also need to provide identity monitoring services to each person whose data was involved.
8) Improve Your Defense and Response Plan
The last step of any cybersecurity breach response plan is to improve the response plan itself. What could your company have done better to prevent the cyber attack? What part of the response could have gone better, and how can you improve your protections to avoid or mitigate this kind of attack in the future? Every challenge is also a learning experience in the business world, and a chance to thwart the next hacker or malware that tests your defenses.
Improve Your Cybersecurity with Trava
Trava makes cybersecurity protocols easier and more robust for businesses like yours. Whether you are a small team with a basic approach to cyber-safety or a growing company with a quickly increasing need for enterprise-level cybersecurity measures, Trava can help you build and implement the right defenses for your sector, size, and the kind of data you need to defend.