What to do if you've been breached?
As in every good thriller, this one started with a call. Our local partner called me: his associate had been insistently dialing him and texting about a security incident. He mentioned that he would really appreciate it if our security team could handle this request. Like the typical unaware victim in a thriller, I said: "Of course!" and answered the call. Indeed, I never mind helping our local partner and his associate. So a bright, shiny, sunny day of business as usual stops right there and the action begins!
Over more than 10 years we have been through a few hundred security incidents. But this was only the second time that a cybersecurity intrusion was followed by a break-in at a customer's premises.
Yes, as you can see, there is nothing fun about this. Imagine that the credit card information of several employees has been stolen, the website is showing weird images, other people are being contacted from the company's LinkedIn, Facebook and Twitter accounts asking for financial help, the accounting department's laptops are compromised and out of control, and finally, someone broke into the security room and perhaps other premises, switched off the surveillance and stole all the recordings from that day.
Even with good experience of such incidents, that's a lot.
By the time we arrived at the customer's office, they had already called the police, called the bank and blocked their credit cards, and shut down the office internet. So I and our whole cybersecurity team were drawn into this action thriller.
So what was done right at this stage, and what was missed:
- Call the cybersecurity consultants. CORRECT. You need experts to get the situation under control without delay.
- Call the police. CORRECT only if somebody broke into your premises. The police can potentially react to a cybersecurity threat, and perhaps in the future they will do so as part of their day-to-day duties, but for now they can start an investigation only if your privacy has been violated, life or health is in danger, or something has been stolen.
- Call the bank and block the cards. CORRECT. Even if no one has attempted to use your credit cards after the incident, it is a very good idea to mitigate the future risk and replace your credit cards. The future will be less painful for you.
- Shut down the office internet. Not quite correct. On the one hand, it is overreacting. On the other, if the malicious software is already inside your office it can still spread to the computers and other devices connected to the intranet, so cutting the uplink does not contain it. Compromised computers themselves must be isolated for sure: unplug their network cables, and then turn them off. Their hard drives should be removed for further investigation, as they may hold evidence of the intrusion. (One caveat a practitioner will want: anything that exists only in RAM, such as running processes and network connections, is lost at power-off, so if you have the tools and the time, capture memory before pulling the plug.)
- Gather all your employees. Inform them about the threat. According to statistics, about 25% of confirmed cybersecurity incidents happened with assistance from inside. In our case, given that there was an intruder who hit the surveillance room (which was in the basement, had no people inside, and was opened with a key), the probability of a "mole" assisting is ~99%.
- Record any and all evidence of the intrusion. Hackers will wipe out all signs of their presence as soon as they can. The only thing they are afraid of is exposure. Take photos, screenshots and video, and save log files somewhere else. Anything with timestamps will help the investigation and will become part of the forensics. Record when and by whom each item was collected, and keep a hash of every copied file so you can later show it has not changed.
- Mirror log files, surveillance data, and key business information to another location. You already know that hackers don't like exposure. If they notice that they cannot hide their presence, or that doing so is very complicated, perhaps they won't even try to breach your infrastructure. Well, sure, if they are smart enough.
- Inform everyone that your social network and/or e-mail accounts have been compromised. Block these accounts or change the passwords to automatically generated strong passwords ASAP. Changing the password alone does not always log the intruder out: where the service allows it, also terminate active sessions, revoke connected apps and API tokens, and turn on two-factor authentication. As soon as your associates and relatives are informed, they won't make mistakes, and the impact on your environment will be smaller.
- Inform your customers and business associates about such a force majeure incident ASAP. The business will be paralyzed for a while. Some deliveries will miss their dates. Some important calls and meetings will be missed. It is better to let the businesses linked to you know about this than to let them wonder about your reliability. They may eventually find out anyway, so your silence can be read as an attempt to hide the impact on their business.
- Point your domain away from the compromised website. A compromised website is not only bad PR for the company: it can be used by the intruders for their own purposes. So just cut this threat off until the investigation is done. Take a copy of the compromised site (files, database, web server logs) before anyone cleans it up; it is evidence too.
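The evidence steps above (save logs somewhere else, keep timestamps, be able to prove later that nothing was altered) are easy to get wrong in the rush of an incident. Below is an added example, not code from the original post or its authors: a small Python 3 script that copies log files into an evidence folder, writes a manifest with SHA-256 hashes, original modification times and the collection time, and can later re-verify the copies. The function names (`preserve_evidence`, `verify_evidence`, `demo`) and the sample log lines are invented for illustration; the IP address comes from the documentation range and the timestamps are made up.

```python
"""Preserve incident evidence: copy log files into an evidence folder, record
SHA-256 hashes and timestamps in a manifest, and later verify that the copies
are still untouched. Added example; not code from the original post."""
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large logs do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_evidence(sources, evidence_dir, collector="security team"):
    """Copy each source file into <evidence_dir>/files/ and write manifest.json.

    evidence_dir should be a fresh directory on separate media (external drive,
    another host) so the copies are out of reach of the compromised machine.
    Returns the manifest as a dict.
    """
    evidence_dir = Path(evidence_dir)
    files_dir = evidence_dir / "files"
    files_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for index, src in enumerate(Path(s) for s in sources):
        stat = src.stat()
        dest = files_dir / f"{index:03d}_{src.name}"
        shutil.copy2(src, dest)          # copy2 preserves the original mtime
        os.chmod(dest, 0o444)            # read-only: accidental edits fail loudly
        entries.append({
            "original_path": str(src.resolve()),
            "evidence_path": str(dest.relative_to(evidence_dir)),
            "size_bytes": stat.st_size,
            "original_mtime_utc": datetime.fromtimestamp(
                stat.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(dest),
        })
    manifest = {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "collected_on_host": socket.gethostname(),
        "entries": entries,
    }
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every preserved copy. Returns the evidence_paths whose content no
    longer matches the manifest; an empty list means the evidence is intact."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    tampered = []
    for entry in manifest["entries"]:
        copy = evidence_dir / entry["evidence_path"]
        if not copy.exists() or sha256_of(copy) != entry["sha256"]:
            tampered.append(entry["evidence_path"])
    return tampered


def demo():
    """Constructed sample run: two made-up log files (documentation IP range,
    invented timestamps) are preserved, verified, then one copy is tampered with."""
    work = Path(tempfile.mkdtemp(prefix="ir_evidence_"))
    auth_log = work / "auth.log"
    auth_log.write_text(
        "2024-05-14T09:12:03Z sshd[812]: Failed password for admin from 203.0.113.7\n"
        "2024-05-14T09:12:09Z sshd[812]: Accepted password for admin from 203.0.113.7\n")
    web_log = work / "access.log"
    web_log.write_text(
        '203.0.113.7 - - [14/May/2024:09:15:41 +0000] "POST /login HTTP/1.1" 200 512\n')
    evidence = work / "evidence"
    manifest = preserve_evidence([auth_log, web_log], evidence)
    intact = verify_evidence(evidence)                 # [] -> copies match
    # Simulate someone (intruder or careless admin) blanking a preserved copy.
    victim = evidence / manifest["entries"][0]["evidence_path"]
    os.chmod(victim, 0o644)
    victim.write_text("")
    after_tamper = verify_evidence(evidence)           # ['files/000_auth.log']
    return manifest, intact, after_tamper


if __name__ == "__main__":
    m, ok, bad = demo()
    print(f"{len(m['entries'])} files preserved; intact before tamper: {not ok}; "
          f"tampered after: {bad}")
```

Run it on the real log paths instead of the sample ones, from a machine that is not the compromised one, and keep the manifest together with the copies on media the intruder cannot reach. The read-only bit only protects against accidental edits; it is the hash in the manifest that lets you show later that a copy is identical to what was collected.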
To be continued