🛡️ Don't Panic

We highly recommend you not to panic and ensure that you don't take any actions without having a clear idea about the attack. Any knee-jerk action may harm the key artifacts required for later stages or increase the impact to your organization.

We at i6 have real-time hands-on experience in handling multiple types of attacks and containing them successfully. The following is an overall guideline for you to analyze the attack and keep your answers ready when you contact our experts.

Any security incidents can create panic. Being an incident manager, you need to ensure there is no panic across the organization and that the situation would be brought under control before executing/performing some recovery steps. Educate the required stakeholders about the incident and ensure the DR/BCP options are enabled to continue your business as usual before we move further to continue the investigation.

💼 Facing any Business Impact?

If any of your business services are down due to the incident, please ensure to look for immediate alternative solutions available within your organization. You need to ensure none of your customers/services are impacted thereby impacting your organizational credibility.

🔍 How are you confirming it's a security breach?

We need to ensure what kind of attack you are facing before taking any further procedures. Else, the attack can incorporate with more intensity and make substantial damage to your organization. To avoid such issues, ensure the incident is evaluated meritoriously.

Key indicators to verify:

• Do you have any visible evidence where adversaries compromised your environment?
• Any of your organization/customers PII/PCI/HIPAA data has been disclosed publicly by some attackers?
• Are you facing any targeted attacks like DOS/DDOS attack on your public services?
• Any Ransomware/malware implantation in any of the servers/systems within your organization?
• Are you facing abnormal traffic within your organization?

⚙️ Any Remedial Actions executed?

After re-confirming the incident, have you performed any remedial actions to contain the incident?

• Shutting down the Impacted Servers/Services
• Enabled the DR/BCP solutions for the impacted services
• Removing the system from Power supply
• Isolating the impacted Server physically or over EDR
• Blocking the traffic in your firewall
• Blocking the incident impacted system ports and network
• Re-installed the operating system of the impacted machine/servers

📋 Visible Evidences observed?

Visible evidence confirms the attack's criticality in which we need to take quick actions to avoid further impacts. Identifying such evidence is highly important and a threat to the organization.

• Any of your websites/applications carrying hackers' compromised logo?
• Any of your websites/applications are pwned by hackers with some messages?
• Identified Ransomware images on any of your systems and servers?
• Malware activities found from a number of systems
• Any email communications from attackers which substantiate as evidence to the attack