
Start getting your house in order by doing these 10 things:

What should you do?

  1. Preserve the state of any system before any action is taken
  2. Record all IR and containment actions taken, including date, time, and the name of those taking the action
  3. Turn on all logging facilities:
  • Windows – enable all security event logging and Sysmon logging
  • AWS – enable CloudWatch
  • Google Cloud – turn on VPC Flow Logs
  • Azure – enable Security Center if not already in use
  • M365 – Unified Audit Logs must be enabled if not already set up
  4. Retain all logs and prevent any log rotation or deletion
  5. Change all domain administration passwords
  6. Consider resetting all user passwords
  7. Enable multi-factor authentication where possible
  8. Restrict all external access to known IP addresses
  9. Conduct an asset audit, ensuring that all systems and IP addresses are accounted for
  10. Review all user accounts and disable any unknown or obsolete accounts
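As an added example (not code from this page or from the firm whose services it describes), the script below implements three of the checklist items on constructed sample data: a tamper-evident action log for item 2 (who did what, to which system, and when, with each entry chained to the previous one by a SHA-256 digest so that edits made after the fact are detectable in the post-incident review), the asset reconciliation of item 9, and the unknown/obsolete account review of item 10. The account names, IP addresses, host names and the 90-day staleness threshold are assumptions chosen for illustration.

```python
"""Added example, not part of the original page: a tamper-evident incident
response action log (checklist item 2) plus the asset and account reviews of
items 9 and 10, run over constructed sample data."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # "previous digest" value used by the first entry


@dataclass
class IRActionLog:
    """Each entry records actor, action, target and time. The digest of every
    entry covers the previous entry's digest, so removing or editing an entry
    breaks the chain and verify() reports it."""
    entries: list[dict] = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, actor: str, action: str, target: str,
               when: datetime | None = None) -> dict:
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries) + 1,
            "time": when.isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        entry = dict(body, digest=self._digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if body["prev"] != prev or self._digest(body) != entry["digest"]:
                return False
            prev = entry["digest"]
        return True


def review_accounts(accounts, known_users, now, stale_days=90):
    """Item 10: flag accounts absent from the authoritative user list (unknown)
    or with no logon within stale_days (obsolete). Returns {name: [reasons]}."""
    flagged = {}
    for acct in accounts:
        reasons = []
        if acct["name"] not in known_users:
            reasons.append("unknown")
        last = acct.get("last_logon")
        if last is None or now - last > timedelta(days=stale_days):
            reasons.append("stale")
        if reasons:
            flagged[acct["name"]] = reasons
    return flagged


def unaccounted_hosts(observed_ips, inventory):
    """Item 9: IP addresses seen on the network but missing from the asset register."""
    return sorted(set(observed_ips) - set(inventory.values()))


# --- constructed sample data (assumed values, not from the page) --------------
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
KNOWN_USERS = {"alice", "bob", "svc_backup"}
ACCOUNTS = [
    {"name": "alice", "last_logon": NOW - timedelta(days=1)},
    {"name": "bob", "last_logon": NOW - timedelta(days=200)},       # obsolete
    {"name": "svc_backup", "last_logon": None},                      # never logged on
    {"name": "tmpadmin", "last_logon": NOW - timedelta(hours=3)},   # not in user list
]
INVENTORY = {"dc01": "10.0.0.5", "fs01": "10.0.0.10"}
OBSERVED_IPS = ["10.0.0.5", "10.0.0.10", "10.0.0.77"]


def run_checks() -> dict:
    log = IRActionLog()
    log.record("j.smith", "isolated host from network", "fs01", NOW)
    log.record("j.smith", "reset domain admin password", "dc01", NOW + timedelta(minutes=5))
    return {
        "log_ok": log.verify(),
        "flagged_accounts": review_accounts(ACCOUNTS, KNOWN_USERS, NOW),
        "unaccounted_hosts": unaccounted_hosts(OBSERVED_IPS, INVENTORY),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

The chained digest does not stop a privileged insider from rewriting the whole log; its value is that the log is cheap to keep during containment and any later alteration of an individual entry is visible when the chain is re-verified. In practice the entries would be written to append-only storage off the affected systems, in line with item 4.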

Incident response

If you don’t have an incident response process, or any procedural guidelines, we will start to compile an incident response log for you.

It details items such as the type of incident (e.g. DoS, intrusion, defacement, data theft), the likely source, the level of severity, and the impact.

We will also log who you have informed, and offer guidance on who should be informed bearing in mind your particular legal and/or regulatory obligations.

Incident management

If the incident is live and ongoing we will help you to contain it, and bring it to a managed close.

This is so that other at-risk systems can be properly protected, and so we can control the incident in such a way that evidence is preserved for forensic analysis.

If the incident has already been successfully contained we will gather evidence, both electronic and physical.

Post incident

Once we are happy that the incident is over, our forensics work will commence. We first make a copy of the isolated drive(s) and advise that you keep the original(s) in secure storage. This is so that we can work freely without any risk of corrupting evidence that may be needed in legal proceedings.

The image of the drive is then interrogated to uncover the exact nature of the breach, the details of what has been compromised, and to root out any deleted, damaged, or encrypted files as evidence of intent.

We can also show you the cost of the breach, in accounting terms, so that repairs and remediation can be factored in.

Finally, we will evaluate the performance of your personnel. Whether you have practised for a breach or not, it’s important to get a handle on the ability of your people to deal with it. This is never a blame exercise; it’s the only way that you can identify knowledge gaps and training needs. We will also assist you in putting together an incident response plan and advise on the creation of your own computer/security incident response team.