Investigate (Location, Source)
During a cyber incident, you should immediately make an assessment of the nature and scope of the incident.
Your initial assessment should attempt to identify the following:
- The affected computer systems.
- The apparent origin of the incident, intrusion, or attack.
- Any malware used in connection with the incident.
- The identity of any other victim organisations, if such data is apparent in logged data.
- Which users are currently logged on.
- What the current connections to the computer systems are.
- Which processes are running.
- All open ports and their associated services and applications.
- Any remote servers to which data were sent.
- Any communications (in particular, threats or extortionate demands) received by the organisation that might relate to the incident; these should also be preserved, and suspicious calls, emails, or other requests for information should be treated as part of the incident.
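Several of the items above (open ports, current connections, remote servers that data were sent to, and preserving what was collected) can be captured from a Linux host in one pass by reading the kernel's TCP socket table. The following is an added worked example written for this page, not code from the Department of Justice document it summarises. It assumes a Linux system with `/proc` mounted on a little-endian host (the address encoding in `/proc/net/tcp` depends on that), and the sample table embedded in it is constructed, not captured from a real incident.

```python
"""Volatile-state triage snapshot for the initial incident assessment.
Parses /proc/net/tcp to list open ports, live connections and remote
endpoints, then writes the evidence with a SHA-256 manifest."""
import hashlib
import json
import os
import socket
import struct
import tempfile
import time
from pathlib import Path

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# a listener on *:22, a user service on 127.0.0.1:8080, and two outbound
# sessions, one of them from a root-owned (uid 0) socket to an external host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12002 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:A1B2 0501A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12003 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:C3D4 077100CB:1F40 01 00000000:00000000 00:00000000 00000000     0        0 12004 1 0000000000000000 20 4 30 10 -1
"""


def _decode_endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the IPv4 address
    as a host-order 32-bit integer, so on a little-endian host the bytes are
    reversed; the port is plain big-endian hex."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = _decode_endpoint(fields[1])
        remote_ip, remote_port = _decode_endpoint(fields[2])
        rows.append({
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]), "inode": int(fields[9]),
        })
    return rows


def listening_ports(rows):
    """Open ports: sorted (ip, port) pairs for sockets in LISTEN."""
    return sorted((r["local_ip"], r["local_port"]) for r in rows if r["state"] == "LISTEN")


def remote_endpoints(rows):
    """Remote hosts with an established session: set of (ip, port)."""
    return {(r["remote_ip"], r["remote_port"]) for r in rows if r["state"] == "ESTABLISHED"}


def owning_pid(inode):
    """Map a socket inode to its process by scanning /proc/<pid>/fd. Returns
    None when not found; seeing other users' fds needs root."""
    if not os.path.isdir("/proc"):
        return None
    target = "socket:[%d]" % inode
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                if os.readlink("/proc/%s/fd/%s" % (pid, fd)) == target:
                    return int(pid)
        except OSError:  # process exited or permission denied
            continue
    return None


def snapshot(output_dir=None, text=None):
    """Collect the table (live /proc/net/tcp unless `text` is given), write the
    raw file plus a JSON summary, and record SHA-256 digests in a manifest."""
    out = Path(output_dir or tempfile.mkdtemp(prefix="triage-"))
    out.mkdir(parents=True, exist_ok=True)
    if text is None:
        text = Path("/proc/net/tcp").read_text()
    rows = parse_proc_net_tcp(text)
    for r in rows:
        r["pid"] = owning_pid(r["inode"])
    report = {
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "listening": listening_ports(rows),
        "remote_endpoints": sorted(remote_endpoints(rows)),
        "connections": rows,
    }
    raw_path, json_path = out / "proc_net_tcp.txt", out / "connections.json"
    raw_path.write_text(text)
    json_path.write_text(json.dumps(report, indent=2))
    manifest = {"output_dir": str(out), "files": {}}
    for p in (raw_path, json_path):
        manifest["files"][p.name] = hashlib.sha256(p.read_bytes()).hexdigest()
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(output_dir):
    """Re-hash the evidence files and confirm they still match the manifest."""
    out = Path(output_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    return all(hashlib.sha256((out / name).read_bytes()).hexdigest() == digest
               for name, digest in manifest["files"].items())


if __name__ == "__main__":
    print(json.dumps(snapshot(text=SAMPLE_PROC_NET_TCP), indent=2))
```

Run it as root on the affected host with `snapshot("/mnt/evidence/<hostname>")` so the inode-to-PID mapping covers every user's sockets; keeping the raw `/proc/net/tcp` text next to the parsed JSON, both hashed, means the summary can be re-derived later and the evidence shown to be unchanged. The same layout applies to `/proc/net/udp` for the UDP side of the open-ports question.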
Source of Information
Information taken from the U.S. Department of Justice publication “Best Practices for Victim Response and Reporting of Cyber Incidents”.