Security Breach Help
Call our hotline:
Email us: [email protected]
Our CREST-accredited incident responders are on hand to help you recover quickly from any breach or incident.
Available around the clock, we’re only a phone call away when an incident occurs.
What should you do?
It’s easy to say but try not to panic. A cool head is one of your best assets. Start getting your house in order by doing these 10 things:
1. Preserve the state of any system before any action is taken
2. Record all IR and containment actions taken, including date, time, and the name of those taking the action
3. Turn on all logging facilities:
- Windows – engage all security event logging and Sysmon logging
- AWS – engage Cloud Watch
- Google Cloud – turn on Flow logs
- Azure – Enable Security Centre if not already in use
- M365 – Unified Audit Logs must be enabled if not already set up
4. Retain all logs and prevent any log rotation or deletion
5. Change all domain administration passwords
6. Consider resetting all user passwords
7. Enable multifactor authentication where possible
8. Restrict all external access to known IP addresses
9. Conduct an asset audit, ensuring that all systems and IP addresses are accounted for
10. Review all user accounts and disable any unknown or obsolete accounts
Download our full advice PDF here.
If you believe you have suffered a security breach there is a lot to consider, that’s where we come in.
It is imperative that the situation is assessed properly, to understand the scale and scope of the breach. We will work with you on-site to examine the suspect systems and build a profile of what exactly has happened.
If you don’t have an incident response process, or any procedural guidelines we will start to compile an incident response log for you. It details items such as the type of incident (e.g. DoS, intrusion, defacement, data theft), the likely source, the level of severity, and the impact. We will also log who you have informed, and offer guidance on who should be informed bearing in mind your particular legal and/or regulatory obligations.
If the incident is live and ongoing we will help you to contain it, and bring it to a managed close. This is so that other at-risk systems can be properly protected, and so we can control the incident in such a way that evidence is preserved for forensic analysis. If the incident has already been successfully contained we will gather evidence, both electronic and physical.
Once we are happy that the incident is over our forensics work will commence. We first make a copy of the isolated drive(s) and advise that you keep the original(s) in secure storage. This is so that we can work freely without any risk of corrupting evidence that may be needed in legal proceedings.
The image of the drive is then interrogated to uncover the exact nature of the breach, the details of what has been compromised, and to root out any deleted, damaged, or encrypted files as evidence of intent.
We can also show you the cost of the breach, in accounting terms, so that repairs and remediation can be factored in.
Finally we will evaluate the performance of your personnel. Whether you have practiced for a breach or not it’s important to get a handle on the ability of your people to deal with it. This is never a blame exercise, it’s the only way that you can identify knowledge gaps and training needs. We will also assist you in putting together an incidence response plan and advise on the creation of your own computer/security incident response team.