Checklist

Checklist for Public-Private Organizations: Actions During a Cyber Attack

CExperiencing a cyber attack can be overwhelming. Swift and effective action is crucial to
minimize damage and restore normal operations. This checklist provides step-by-step
guidance—with explanations—to help your organization respond appropriately during a cyber
incident.

If you need immediate assistance or have questions, please contact our cybersecurity hotline 1 (855) 550 6628 or email help@moatit.com. Our experts are available to help at no charge

01.Detect and Confirm the Cyber Attack

Early detection allows for a quicker and more effective response

Identify Indicators of Compromise

Monitor for unusual system behavior, alerts, or notifications

  • Early signs can include system slowdowns, unexpected file changes, or security alerts

Verify alerts from intrusion detection systems or antivirus software.

  • Confirming alerts ensure that you respond to actual threats.

Validate the Incident

Cross-check with IT and security teams to confirm the attack.

  • Collaboration helps in accurately identifying the nature and extent of the attack.

Consult with cybersecurity experts if needed.

  • Expert input can provide clarity and guidance on immediate steps

02. Activate the Incident Response Plan

Having a predefined plan ensures an organized and efficient response.

Initiate the Plan

Declare an incident as per your organization's protocols.

  • Officially recognizing the incident triggers the response procedures.

Follow the predefined steps in your incident response plan.

  • Ensures consistency and effectiveness in handling the incident

Notify Key Personnel

Inform the incident response team members immediately.

  • Prompt notification enables team members to fulfill their roles swiftly.

Contact senior management and relevant department heads.

  • Keeps leadership informed for decision-making and resource allocation.

Keep Cybersecurity Hotline Information Handy

Save 1 (855) 550 6628 and help@moatit.com for immediate expert assistance

  • Access to external experts can be critical in managing the attack effectively.

03. Contain the Attack

Limiting the attack’s spread minimizes damage to your systems and data.

Isolate Affected Systems

Disconnect compromised systems from the network.

  • Prevents the attacker from accessing other parts of the network.

Disable remote access temporarily if necessary.

  • Blocks unauthorized external entry points.

Disable Compromised Accounts

Deactivate accounts that have been or may be compromised.

  • Stops attackers from using valid credentials to access systems.

Implement Network Controls

Apply firewall rules or intrusion prevention measures.

  • Blocks malicious traffic and further intrusion attempts.

Increase monitoring of network traffic and logs.

  • Detects any additional suspicious activities in real-time.

04. Assess the Impact

Understanding the scope helps in making informed decisions on next steps.

Determine the Extent of the Attack

Identify which systems and data have been affected.

  • Helps prioritize recovery efforts for critical assets.

Evaluate the potential impact on operations and data integrity

  • Assists in resource allocation and communication strategies

Document Findings

Record all known details about the attack.

  • Essential for investigation, reporting, and future prevention

Maintain an incident log of all actions taken.

  • Provides a timeline and accountability for the response process.

05.Communicate Internally and Externally

Effective communication ensures that stakeholders are informed and coordinated.

Inform Internal Stakeholders

Update employees on the situation as appropriate.

  • Prevents misinformation and guides employee actions

Provide instructions to staff, such as avoiding email or network use if needed.

  • Reduces the risk of further spreading the attack.

Notify External Parties

Inform partners, suppliers, and clients if they may be affected

  • Helps them take protective measures and maintains trust.

Follow legal and regulatory requirements for breach notifications.

  • Compliance avoids legal penalties and preserves reputation.

Prepare Public Statements

Draft press releases or public announcements if necessary

  • Controls the narrative and provides accurate information to the public

Coordinate with public relations and legal teams.

  • Ensures communications are appropriate and legally sound.

06. Engage Cybersecurity Experts

Professional assistance can enhance your response and recovery efforts.

Contact Cybersecurity Hotline

Reach out to 1 (855) 550 6628 or help@moatit.com for immediate support.

  • Expert guidance can help contain the attack and mitigate damage.

Consult with Legal Counsel

Involve legal experts to understand liabilities and obligations.

  • Ensures compliance with laws and protects the organization's interests.

Consider Hiring Incident Response Specialists

Engage external cybersecurity firms if needed.

  • Provides specialized skills and resources for complex attacks

07. Collect and Preserve Evidence

Proper evidence handling is crucial for investigation and potential legal action.

Secure Relevant Data

Preserve logs, system images, and affected files.

  • Essential for forensic analysis and understanding the attack

Ensure evidence is stored securely and access is controlled.

  • Maintains integrity and chain of custody.

Avoid Altering Affected Systems

Do not reboot, access, or modify compromised systems unnecessarily.

  • Prevents loss or contamination of evidence.

Document Everything

Keep detailed notes on all actions and observations.

  • Supports investigation and may be required for legal proceedings.

08. Implement Mitigation Measures

Taking immediate corrective actions can prevent further damage.

Apply Security Patches and Updates

Patch known vulnerabilities exploited in the attack.

  • Closes security gaps to prevent repeat attacks.

Update antivirus and intrusion detection systems.

  • Enhances defenses against current threats.

Strengthen Security Controls

Change passwords and implement multi-factor authentication.

  • Secures accounts that may have been compromised.

Increase network segmentation and access controls.

  • Limits attackers' movements within the network.

Monitor Systems Closely

Increase surveillance of critical systems and data.

  • Detects any ongoing or secondary attacks

Set up real-time alerts for suspicious activities.

  • Enables immediate response to new threats.

09. Maintain Business Continuity

Ensuring essential operations continue minimizes the overall impact

Activate Business Continuity Plan

Implement procedures to keep critical functions running.

  • Supports organizational resilience during the crisis.

Reallocate resources as necessary to support key operations.

  • Prioritizes efforts where they are most needed.

Communicate with Customers and Partners

Inform them of any service disruptions and expected resolution times.

  • Maintains transparency and trust.

Adjust Operations if Necessary

Use alternative systems or processes to continue operations

  • Provides workarounds until normal services are restored.

10. Consider Involving Law Enforcement

Law enforcement agencies can provide support and may be required in certain cases.

Evaluate the Need to Report

Determine if the incident requires notification under laws or regulations

  • Compliance may mandate reporting certain types of breaches.

Assess whether law enforcement involvement could aid in the respons

  • They can assist in investigation and potentially apprehend perpetrators.

Contact Appropriate Authorities

Reach out to local or federal law enforcement as appropriate.

  • Ensures the incident is handled by the correct jurisdiction.

Provide necessary information without compromising sensitive data.

  • Balances cooperation with protection of confidential information.

11. Notify Your Cybersecurity Insurance Provider

Timely notification is often required to utilize coverage benefits.

Review Policy Requirements

Understand notification timelines and procedures.

  • Compliance with policy terms is essential for claim eligibility

Provide Necessary Information

Submit initial incident reports as required.

  • Initiates the claims process and access to support services.

Utilize Available Resources

Leverage any assistance or services offered by the insurer.

  • May include incident response support or financial compensation

12. Prepare for Recovery

Planning ahead facilitates a smoother return to normal operations.

Plan System Restoration

Decide whether to restore from backups or rebuild systems.

  • Ensures the chosen method is secure and effective.

Verify that backups are clean and free of malware.

  • Prevents reintroducing the threat during restoration.

Test Restored Systems

Validate the functionality and security of restored systems

  • Confirms that systems are operating correctly and safely

Communicate Recovery Progress

Keep stakeholders informed about restoration timelines.

  • Manages expectations and maintains confidence

13. Document All Actions Taken

Comprehensive documentation supports future analysis and improvement.

Maintain an Incident Timeline

Record all events, decisions, and actions chronologically.

  • Provides clarity on how the incident was handled.

Compile a Detailed Report

Include findings, response measures, and outcomes.

  • Useful for internal review and external reporting requirements.

Identify Lessons Learned

Note areas for improvement in response and prevention.

  • Helps strengthen defenses against future attacks.

14. Update Incident Response and Security Policies

Continuous improvement enhances your organization’s cybersecurity posture.

Review the Effectiveness of the Response

Assess what worked well and what did not.

  • Identify strengths and weaknesses in your current plan.

Revise Policies and Procedures

Update the incident response plan based on lessons learned.

  • Ensures future responses are more effective.

Train Staff on Updated Protocols

Communicate changes to all relevant personnel.

  • Keeps everyone prepared for future incidents.

15. Seek Support and Guidance

You don’t have to navigate a cyber attack alone.

Reach Out for Assistance

Contact 1 (855) 550 6628 or help@moatit.com for support.

  • Expert advice can guide you through complex situations.

Utilize External Resources

Engage with cybersecurity communities or forums.

  • Sharing experiences can provide additional insights.

Consider Employee Support Services

Provide resources to help staff cope with the incident.

  • Addresses potential stress and maintains morale.
Responding effectively during a cyber attack is critical to minimizing damage and facilitating a swift recovery. By following this checklist and utilizing available resources, your organization can navigate the incident with greater confidence and control. For immediate assistance or personalized guidance during a cyber attack, please contact our cybersecurity hotline at 1 (855) 550 6628 or email help@moatit.com. Our experts are ready to help at no charge.

Disclaimer: This checklist is a general guide and may not encompass all the specific needs of your organization. It is recommended to consult with cybersecurity professionals for personalized advice.

Need help with your security program?

Signup for our monthly newsletter

Cyber-Idaho

CONTACT US — AVAILABLE 24X7

Quick Links

About

Resources

Copyright © 2024 Powered by

MOAT-1
Privacy Policy