An experienced CISO knows, that talking about a security breach the question starts not with “If…” but with “When…”. Indeed, it’s predicted that in 2021 every 11 seconds some company in the world will be hacked, so it’s possible your organization will be among them. Even if you expect it, still it doesn’t mean you are well prepared and will be ready to react calmly and properly. Unfortunately, a lot of Berezha Security customers come to us only after the breach and we regret to observe the situation was not handled well. So let us share several immediate practical steps you need to undertake when you discover a breach of your critical infrastructure.

The first immediate task after any breach is to regain control over your infrastructure. Usually, the control over the critical components is stolen by compromising the administrative or superuser accounts. The first step would be to change the passwords for ALL administrative accounts and switch on the multi-factor authentication wherever possible. We also strongly recommend subsequently acquiring and implementing the physical token for the second factor, e.g. YubiKey.

The next thing we recommend if not yet done is to switch on the multi-factor authentication for all users, at least with a software token like Google or Microsoft Authenticator. This will allow to significantly reduce any impact connected with user accounts being compromised as a result of the attack. 

As a longer-term measure – we recommend embedding a compromised password check into the password change procedure, e.g. based on the have I been pwned service. This is not a one-click effort, so in case you need help with the implementation, we can definitely help.

Implement an intrusion detection system for the early discovery of further attacks. We would definitely recommend paying attention to the Thinkst Canary – an innovative trending tool that solves this task efficiently and without a need to spend huge budgets.

Perform a full scan of the critical infrastructure components, especially hosts, for malware or changes in configuration. Schedule end-user scans to be run ASAP as well in case you possess a centrally managed anti-malware solution, or instruct the users on how to run the scan in case you don’t. 

Once you take back the control over the infrastructure, minimize the impact on user accounts, and are prepared to react to any further attack attempt, you can deal with the next layer of actions. Such as data recovery (if any data was lost), communication with the users and customers about the potential data breaches, evaluating the whole attack vector and removing exploited vulnerabilities, and so on. But first things first – get the control back. 

Of course, any of the steps can be executed employing different tools than mentioned, we have just provided examples of the most typical ones at the date of this post. We wanted to make our advice practical and actionable, not just a list of correct but generic action items most of the similar posts would provide. Berezha Security has no direct commercial connection to the mentioned vendors or solutions, however, we indeed can help you with the recovery after the breach and further planning of remediation actions. 

Stay calm, be prepared, and take care.