An experienced CISO knows that talking about a security breach, the question starts not with “If…” but with “When…”. Indeed, it’s predicted that in 2021 every 11 seconds, some companies in the world will be hacked, so your organization may be among them. Even if you expect it, it doesn’t mean you are well-prepared and ready to react calmly and properly. Unfortunately, many Berezha Security customers come to us only after the breach, and we regret observing the situation was not handled well. So let us share several immediate practical steps you need to undertake when you discover a breach of your critical infrastructure.

The first immediate task after any breach is to regain control over your infrastructure. Usually, the control over the critical components is stolen by compromising the administrative or superuser accounts. The first step would be to change the passwords for ALL administrative accounts and switch on the multi-factor authentication wherever possible. We also strongly recommend subsequently acquiring and implementing the physical token for the second factor, e.g., YubiKey.

The next thing we recommend, if not yet done, is to switch on the multi-factor authentication for all users. One thing you can do is to go with a software token like Google or Microsoft Authenticator. This will significantly reduce any impact of user accounts being compromised. 

As a longer-term measure – we recommend embedding a compromised password check into the password change procedure, e.g., based on the have I been pwned service. This is not a one-click effort, so if you need help with the implementation, we can definitely help.

Implement an intrusion detection system for the early discovery of further attacks. We would definitely recommend paying attention to the Thinkst Canary. It is an innovative trending tool that efficiently solves this task without spending huge budgets.

Perform a full scan of the critical infrastructure components, especially hosts, for malware or configuration changes. Schedule end-user scans to be run ASAP if you have a centrally managed anti-malware solution. Or instruct the users on how to run the scan if you don’t. 

Once you take back the control over the infrastructure, minimize the impact on user accounts, and are prepared to react to any further attack attempt, you can deal with the next layer of actions. Data recovery (if any data was lost), communication with the users and customers about the potential data breaches, evaluating the whole attack vector and removing exploited vulnerabilities, etc. But first things first – get the control back. 

Of course, any of the steps can be executed employing different tools than mentioned; we have just provided examples of the most typical ones at this post’s date. We wanted to make our advice practical and actionable, not just a list of correct but generic action items most of the similar posts would provide. Berezha Security has no direct commercial connection to the mentioned vendors or solutions. However, we can help you with the recovery after the breach and further planning of remediation actions. 

Stay calm, be prepared, and take care.