Preliminary review of the data involved to determine whether personal data has been compromised.
If the breach was reported by a researcher, check their reputation and track record before acting on the report.
Conduct quick research on the possible adversaries involved.
Is personal data included (e.g. names, addresses, postcodes, email addresses)?
Check whether the credentials of any management team members or administrators are involved.
Check whether any core company financial data is included.
Check if any user credentials have been leaked.
Quickly classify the data: Highly Restricted, Restricted or Unrestricted?
Identify possible sources or owners of the data
Preliminary business impact assessment
Quantity of data (e.g. number of accounts, unique identifiers, client names).
Location of data, both physical and logical
Was the data encrypted, and if so how (at rest, in transit, and who held the keys)?
Is financial data included (e.g. card numbers, PINs, expiry dates)?
Check how old the data is
If the data is being offered for sale, consider acquiring a sample to verify the claim, subject to management approval and legal advice.
What caused the incident (e.g. lost laptop, suspected intrusion, malware)?
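The scoping items above (what kinds of data, how much of it, which classification tier) can be applied mechanically to a dump handed over by a researcher or recovered from a leak site. The following Python script is an added worked example, not part of the original checklist: it deduplicates records, counts unique account identifiers, detects email addresses, UK postcodes, Luhn-valid card numbers and password hashes, flags column names suggesting PINs or passwords, and maps the result onto the Highly Restricted / Restricted / Unrestricted tiers. The regexes, the header keywords and the category-to-tier mapping are assumptions for illustration, and the sample dump is fabricated.

```python
"""Triage a suspected leaked dataset: which categories of data does it hold,
how much, and which classification tier does that imply?

Added example for this playbook, not part of the original checklist. The
detection patterns, the sensitive header keywords and the category-to-tier
mapping are assumptions for illustration; replace them with the organisation's
own classification scheme.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample dump (fabricated values), as a researcher might hand over.
SAMPLE_DUMP = """\
id,name,email,postcode,card,pin,password_hash
1,Alice Smith,alice@example.com,SW1A 1AA,4111111111111111,1234,$2b$12$abcdefghijklmnopqrstuu
2,Bob Jones,bob@example.org,M1 1AE,5500 0000 0000 0004,,$2b$12$zyxwvutsrqponmlkjihgff
3,Carol White,carol@example.net,EC1A 1BB,,,
2,Bob Jones,bob@example.org,M1 1AE,5500 0000 0000 0004,,$2b$12$zyxwvutsrqponmlkjihgff
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# UK postcode, outward and inward code (e.g. "SW1A 1AA").
UK_POSTCODE_RE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# bcrypt ($2a/$2b/$2y) and sha-crypt ($5/$6) password hashes.
HASH_RE = re.compile(r"\$(?:2[aby]|5|6)\$[^\s,]+")
# Column names that by themselves indicate credential or card-verification data (assumption).
SENSITIVE_HEADERS = ("pin", "password", "passwd", "cvv", "ssn", "dob")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def triage(dump: str) -> dict:
    """Scan a CSV dump and report data categories, volume and a classification tier."""
    reader = csv.reader(io.StringIO(dump))
    header = [h.strip().lower() for h in next(reader)]
    rows = [tuple(r) for r in reader if r]
    unique_rows = set(rows)                      # leaked dumps often repeat records
    unique_ids = {r[0] for r in unique_rows}     # assumption: first column is the account key

    found = Counter()
    for row in unique_rows:
        for cell in row:
            if EMAIL_RE.search(cell):
                found["email"] += 1
            if UK_POSTCODE_RE.search(cell):
                found["postcode"] += 1
            if HASH_RE.search(cell):
                found["password_hash"] += 1
            for m in PAN_RE.finditer(cell):
                if luhn_ok(re.sub(r"[ -]", "", m.group())):
                    found["card_number"] += 1
    suspect_columns = [h for h in header if any(k in h for k in SENSITIVE_HEADERS)]

    # Tier mapping (assumption): card data or credentials -> Highly Restricted,
    # other personal data -> Restricted, nothing sensitive -> Unrestricted.
    if found["card_number"] or found["password_hash"] or suspect_columns:
        tier = "Highly Restricted"
    elif found["email"] or found["postcode"]:
        tier = "Restricted"
    else:
        tier = "Unrestricted"

    return {
        "rows": len(rows),
        "unique_rows": len(unique_rows),
        "unique_ids": len(unique_ids),
        "categories": dict(found),
        "suspect_columns": suspect_columns,
        "tier": tier,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DUMP)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The Luhn check matters in practice: order numbers, phone numbers and timestamps also produce long digit runs, and counting them as card data inflates the scope and can trigger the wrong notifications. Run the script against a copy held on an isolated analysis host, not against the original dump on a shared drive.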
Review security and access logs, vulnerability scans and any automated tool outputs
Analyse any suspicious network traffic
Analyse any suspicious activity, files or identified malware samples
Determine the attack methodology and the incident timeline.
CIA: establish the likelihood that confidentiality, integrity or availability has been compromised.
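Reviewing access logs for suspicious activity and turning the hits into a timeline, as listed above, is usually done with a small script over the exported log rather than by eye. The following Python example is added here and is not part of the original page. It parses a constructed key=value application access log and applies three common exfiltration indicators: an account appearing from a source IP not previously seen for it, bulk-export actions outside business hours, and more than a set volume of bytes transferred by one account within a sliding one-hour window. The log format, field names, thresholds and business hours are assumptions for illustration; the users and IPs are fabricated.

```python
"""Sift an application access log for exfiltration indicators and lay them out
as a timeline for the incident record.

Added example for this playbook, not from the original page. The log format,
field names, thresholds and business hours are assumptions for illustration;
adapt them to the source being reviewed (web server, proxy, DLP or database
audit log).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (key=value pairs, fabricated users, RFC 5737 test addresses).
SAMPLE_LOG = """\
2024-03-11T09:02:11Z user=jsmith ip=198.51.100.20 action=view_customer bytes=4120 status=200
2024-03-11T09:05:47Z user=jsmith ip=198.51.100.20 action=view_customer bytes=3988 status=200
2024-03-11T14:30:02Z user=akhan ip=198.51.100.31 action=view_customer bytes=4201 status=200
2024-03-12T02:14:05Z user=jsmith ip=203.0.113.7 action=login bytes=512 status=200
2024-03-12T02:15:10Z user=jsmith ip=203.0.113.7 action=export_customers bytes=48211233 status=200
2024-03-12T02:21:44Z user=jsmith ip=203.0.113.7 action=export_customers bytes=51002311 status=200
2024-03-12T02:33:09Z user=jsmith ip=203.0.113.7 action=export_invoices bytes=22113400 status=200
2024-03-12T08:58:30Z user=akhan ip=198.51.100.31 action=view_customer bytes=4190 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) status=(?P<status>\d+)$"
)

BYTES_PER_HOUR_LIMIT = 50 * 1024 * 1024   # assumption: 50 MiB per user per hour
BULK_ACTION_PREFIXES = ("export_",)       # assumption: names of bulk-export endpoints
BUSINESS_HOURS = range(7, 20)             # assumption: 07:00-19:59 UTC


def parse(log: str) -> list[dict]:
    """Parse key=value log lines into dicts sorted by timestamp; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def find_indicators(events: list[dict]) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, user, description) findings, oldest first."""
    findings = []
    seen_ips = defaultdict(set)      # user -> source IPs seen earlier in the log
    windows = defaultdict(deque)     # user -> (ts, bytes) events within the last hour
    volume_flagged = set()
    for e in events:
        user, ts = e["user"], e["ts"]
        # 1. Account used from a source IP not seen for it before.
        if seen_ips[user] and e["ip"] not in seen_ips[user]:
            known = ", ".join(sorted(seen_ips[user]))
            findings.append((ts, user, f"new source IP {e['ip']} (previously {known})"))
        seen_ips[user].add(e["ip"])
        # 2. Bulk export outside business hours.
        if e["action"].startswith(BULK_ACTION_PREFIXES) and ts.hour not in BUSINESS_HOURS:
            findings.append((ts, user, f"out-of-hours {e['action']} ({e['bytes']} bytes)"))
        # 3. Sliding one-hour transfer volume per account (reported once per user).
        w = windows[user]
        w.append((ts, e["bytes"]))
        while ts - w[0][0] > timedelta(hours=1):
            w.popleft()
        total = sum(b for _, b in w)
        if total > BYTES_PER_HOUR_LIMIT and user not in volume_flagged:
            volume_flagged.add(user)
            findings.append((ts, user, f"{total} bytes transferred within one hour"))
    return sorted(findings)


def timeline(log: str) -> list[str]:
    """Render the findings as timestamped lines for the incident timeline."""
    return [f"{ts:%Y-%m-%dT%H:%M:%SZ} {user}: {desc}"
            for ts, user, desc in find_indicators(parse(log))]


if __name__ == "__main__":
    for line in timeline(SAMPLE_LOG):
        print(line)
```

The first-seen-IP rule only works if the log covers enough history to establish what is normal for each account; on a short extract every IP looks new, so pull a baseline period before the suspected compromise as well as the window of interest.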
|
Contain the technical mechanism of the data breach. Eradicate the technical mechanism of the data breach.
If data leakage is still ongoing, analyse it and block it immediately.
Get mitigation support: research threat intelligence sources and consider a Cyber Security Information Sharing Partnership (CiSP) submission to gain further intelligence and support mitigation by others.
Monitor for customer, employee or confidential data published online.
Monitor for clients or their customers being contacted by an unauthorised third party with access to personal or confidential information.
Monitor for targeted emails to clients or employees containing personal or confidential information.
Monitor for reports of lost or stolen devices containing confidential information.
Monitor data loss prevention (DLP) logs and alerts.
Monitor for reports of lost or stolen paperwork or hard copies of data.
Monitor for other incidents suggesting data has been exfiltrated beyond the network perimeter.
|
Reset passwords of legitimate user accounts, revoke active sessions and API tokens (a password reset alone leaves existing sessions valid), and reduce permissions where possible.
Disable unauthorised user accounts and analyse any data they stored or removed.
Isolate all affected systems or accounts from the infrastructure through removal from the network or application of strict access controls, to prevent further data exfiltration.
Implement rules to block detected suspicious traffic leaving the network.
If systems are infected, secure forensic copies of the infected systems and malware samples for further investigation, if not already done.
Reverse engineer the malware to identify indicators of compromise that will assist with the eradication phase.
Safeguard critical assets to prevent further harm or theft of data.
|
Implement the notification strategy, including any internal or external notifications: employees, third parties, service providers and customers.
Support the development of external communications by providing accurate, simple lines to take, in line with technical remediation activities.
|
Prepare any notifications required by regulation, noting the deadlines that apply to each.
|