* Take steps to minimize additional damage. To keep an attack from spreading, stop the traffic the perpetrator is generating. Containment measures include rerouting network traffic, filtering or blocking a distributed denial-of-service (DDoS) attack, or isolating all or part of the compromised network. Containment actions should themselves be logged, since they change the evidence picture on the affected systems.
* Keep detailed records. Take immediate steps to preserve relevant existing logs, before routine log rotation or the attacker overwrites them. All personnel participating in the incident response should keep an ongoing, written record of the steps taken to respond to and mitigate the incident and of any costs incurred as a result of the attack. They should record all incident-related communications; the identity of the systems, accounts, services, data and network segments affected by the incident; and the amount and type of damage inflicted.
* Notify law enforcement. Many companies have been reluctant to contact law enforcement following a cyber incident out of concern that a criminal investigation might disrupt their business. However, the FBI and U.S. Secret Service work to cause as little disruption to an organization's normal operations as possible. These agencies will also attempt to coordinate statements to the news media concerning the incident, so that information harmful to the company's interests is not disclosed.
* Work with law enforcement to contact other potential victims. Contacting other potential victims through law enforcement is preferable to contacting them directly. Doing so protects the initial victim from unnecessary exposure and lets law enforcement conduct further investigation, which may uncover additional victims.
* Stay informed about threats. An organization's awareness of new or commonly exploited vulnerabilities helps it prioritize its security measures. Several organizations share real-time threat intelligence. For example, Information Sharing and Analysis Centers (ISACs), which analyze cyber threat information, have been created for each critical infrastructure sector. Some centers also provide cybersecurity services.
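The second recommendation above, preserving logs and keeping a written record of response steps, is the one that most often goes wrong in practice: logs get rotated, or a copy made under pressure is later challenged because nobody can show it matches the original. The following is an added example written for this page, not code from the DOJ guidance or from Computerworld. It copies incident-relevant logs into an evidence directory, hashes source and copy with SHA-256, refuses to overwrite existing evidence, makes the copies read-only, writes a manifest, and appends each action to a timeline file. The directory layout, manifest fields, the `run_demo` walk-through and its sample log lines are all assumptions constructed for illustration.

```python
"""Evidence-preservation helper for incident response.

Added example for this article (not DOJ or Computerworld code). The manifest
format, file names and sample data below are assumptions made for illustration.
"""
import hashlib
import json
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone

MANIFEST = "manifest.json"   # assumed file name for the hash manifest
TIMELINE = "timeline.jsonl"  # assumed file name for the response timeline


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_step(evidence_dir, actor, action, detail=""):
    """Append one timestamped line to the timeline: who did what, and when."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "actor": actor, "action": action, "detail": detail}
    with open(os.path.join(evidence_dir, TIMELINE), "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def preserve_logs(sources, evidence_dir, collector):
    """Copy each log into evidence_dir, verify the copy's hash, write a manifest.

    Copies are numbered so two logs with the same basename (e.g. auth.log from
    two hosts) cannot collide, an existing copy is never overwritten, and a copy
    whose hash differs from the source is deleted rather than kept as evidence.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for i, src in enumerate(sources):
        src_hash = sha256_file(src)
        dst = os.path.join(evidence_dir, f"{i:03d}_{os.path.basename(src)}")
        if os.path.exists(dst):
            raise FileExistsError(f"refusing to overwrite evidence: {dst}")
        shutil.copy2(src, dst)              # copy2 keeps the original mtime
        dst_hash = sha256_file(dst)
        if dst_hash != src_hash:
            os.remove(dst)
            raise RuntimeError(f"copy of {src} did not verify")
        os.chmod(dst, 0o444)                # preserved copies are read-only
        entries.append({"source": os.path.abspath(src),
                        "copy": os.path.basename(dst),
                        "sha256": dst_hash,
                        "size": os.path.getsize(dst),
                        "collected_at": datetime.now(timezone.utc).isoformat(),
                        "collected_by": collector,
                        "host": socket.gethostname()})
        record_step(evidence_dir, collector, "preserve_log",
                    f"{src} sha256={dst_hash}")
    with open(os.path.join(evidence_dir, MANIFEST), "w") as f:
        json.dump(entries, f, indent=2)
    return entries


def verify_manifest(evidence_dir):
    """Re-hash every preserved copy; return names whose hash no longer matches
    (an empty list means the evidence set is intact)."""
    with open(os.path.join(evidence_dir, MANIFEST)) as f:
        entries = json.load(f)
    return [e["copy"] for e in entries
            if not os.path.exists(os.path.join(evidence_dir, e["copy"]))
            or sha256_file(os.path.join(evidence_dir, e["copy"])) != e["sha256"]]


def run_demo():
    """Walk-through on constructed sample logs (not real data): preserve two
    logs that share a basename, verify, tamper with one copy, verify again."""
    root = tempfile.mkdtemp(prefix="ir-demo-")
    dirs = [os.path.join(root, "var", "log"), os.path.join(root, "backup")]
    sources = []
    for d in dirs:
        os.makedirs(d)
        p = os.path.join(d, "auth.log")
        with open(p, "w") as f:   # constructed sample line
            f.write("Jan 1 00:00:01 web1 sshd[1]: Failed password for root from 203.0.113.5\n")
        sources.append(p)
    ev = os.path.join(root, "evidence")
    entries = preserve_logs(sources, ev, "analyst-1")
    before = verify_manifest(ev)
    tampered = os.path.join(ev, entries[1]["copy"])
    os.chmod(tampered, 0o644)                # simulate someone editing evidence
    with open(tampered, "a") as f:
        f.write("line added after collection\n")
    after = verify_manifest(ev)
    record_step(ev, "analyst-1", "verify", f"mismatches={after}")
    return {"entries": entries, "before": before, "after": after, "evidence_dir": ev}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it directly to see the manifest and the tamper detection on the sample data; in a real response, the evidence directory should live on separate storage and the manifest hashes should be recorded in the written incident record so the copies can be shown to match what was collected.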