What to do after a cyber breach
As with any suspected crime, the actions taken in the immediate aftermath of a cyber breach are crucial. Stuart Poole-Robb provides an overview.
Such actions will not only enable detection of the perpetrator, but also ensure no further breaches occur.
As soon as the hack has been detected, the first step should always be to inform the organisation’s incident response team, assuming one is in place, and to secure the organisation’s IT systems, if necessary bringing in third-party advisers to detect, identify and contain the security breach.
A key priority at this stage must be to take a forensic image of the infected hard drive(s). As with any physical evidence that may have to be presented at a later date, a chain of custody must be established throughout the process. Should this evidence be interfered with in any way, or its contents altered by so much as a single digit, the forensic image might not be acceptable in a court of law.
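The integrity check behind that chain-of-custody requirement, as an added illustration that is not part of the article: each custody record stores a hash of the image, and a change to a single bit anywhere in the image makes verification fail. The image bytes, custodians and timestamps below are constructed sample data.

```python
import hashlib

# Constructed sample "disk image": not a real capture, just bytes standing in for one.
SAMPLE_IMAGE = bytes(range(256)) * 64          # 16 KiB of deterministic content

def image_hash(data: bytes, chunk: int = 4096) -> str:
    """SHA-256 of an image, hashed in chunks the way imaging tools do for large files."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()

def custody_entry(image: bytes, timestamp: str, custodian: str, action: str) -> dict:
    """One chain-of-custody record: when, who, what, and the image hash at that moment."""
    return {"timestamp": timestamp, "custodian": custodian,
            "action": action, "sha256": image_hash(image)}

def verify_chain(chain: list, image: bytes) -> tuple:
    """Return (ok, reason). The image is acceptable only if every recorded hash agrees
    with the hash of the image as it exists now; a divergence marks a custody break."""
    if not chain:
        return False, "no custody records"
    current = image_hash(image)
    for entry in chain:
        if entry["sha256"] != current:
            return False, (f"hash mismatch at {entry['timestamp']} "
                           f"({entry['custodian']}: {entry['action']})")
    return True, "image matches all custody records"

def build_sample_chain() -> list:
    """Constructed custody chain for the sample image: acquisition, storage, analysis."""
    return [
        custody_entry(SAMPLE_IMAGE, "2024-01-01T09:00:00Z", "first responder", "acquired image"),
        custody_entry(SAMPLE_IMAGE, "2024-01-01T11:30:00Z", "evidence clerk", "sealed and stored"),
        custody_entry(SAMPLE_IMAGE, "2024-01-02T08:15:00Z", "forensic analyst", "checked out"),
    ]

def tampered_copy(image: bytes, offset: int = 1000) -> bytes:
    """Flip one bit in one byte: the 'single digit' alteration the article warns about."""
    b = bytearray(image)
    b[offset] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain, SAMPLE_IMAGE))                  # (True, ...)
    print(verify_chain(chain, tampered_copy(SAMPLE_IMAGE)))   # (False, 'hash mismatch ...')
```

In practice the hash is computed by the imaging tool at acquisition and recorded on the custody form; every later handler recomputes it, so any gap between records is visible.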
The next step will be to remove any existing malware and recover the system, determining the source of the security breach and why it took place. This would usually involve investigation companies or a local Law Enforcement Agency (LEA) to identify the perpetrator.
The final step is remediation, which involves closing all back doors into the system and employing an external adviser to carry out a ‘black-hat’ penetration test to reveal any remaining flaws in the IT system.