Cyber attacks are common and can impact organizations of all sizes, within all sectors. This publication provides guidance on the actions you should take in the critical moments after a compromise is detected to lessen the impact on your organization.
What to do after discovering a compromise
The moments immediately after a compromise is detected are crucial to minimizing its impact. Take the following steps as soon as a compromise is suspected.
Keep the system powered on
Your device holds volatile forensic evidence (data that exists only while the device is running) that can be used to determine the source and scale of the suspected compromise. Although it may be tempting to restart your device to see if the problem persists, it is important to keep all potentially compromised devices turned on. Write down any important information displayed on the screen, such as error messages or a ransom note, since it may otherwise be lost.
To best preserve this evidence:
- Lock the system
- Do NOT shut down the system
- Do NOT reboot the system
- Do NOT log the current user out
Do not destroy forensic evidence at any point during the investigation. Logging off ends the current session and discards its state, and removing the device's power source, even briefly, clears all volatile data from memory.
Verify the incident
Contact your IT department to perform a thorough sweep of the impacted devices. They can confirm whether the issue is truly an incident and whether the host device is compromised. To assist IT in verifying the incident, have the following information ready:
- When you first suspected a compromise
- Which devices you think are compromised
- Who had access to the compromised device(s) and information
- Who currently has access to the device(s) and whether they still require that access
- When you last performed system and software updates
- What types of information you suspect were stolen
- How many people you think were affected and whether you have their contact information
- Who the designated point of contact for your organization is
- Whether the designated point of contact has the authority to permit and conduct forensic imaging for the investigation
Recommended IT response to a compromise
Once your IT department has verified that a compromise has occurred, they should take the following steps to respond. These steps will help to minimize the impact of the compromise on your organization.
Contain the incident
Depending on the device and the scale of the compromise, you may need to use a combination of these techniques for complete isolation. Choose methods that cut the device off from the network while leaving it powered on, so that volatile evidence is preserved:
- Isolate all compromised devices and systems from the network by using security tools that support a quarantine or network isolation feature
- Place the compromised devices in a separate virtual local area network (VLAN)
- Deactivate the network interface card
- Disable Wi-Fi or unplug the network cable
- Review access and control privileges in your organization and limit access where possible
- Revoke access to any third-party apps or services connected to the compromised accounts and review and manage app permissions
Inform necessary stakeholders
When an incident occurs, ensure you inform those in your organization who need to know. Consult legal and financial counsel if necessary. Consider contacting relevant service providers, such as cloud service providers or managed service providers, who may offer additional assistance and security measures during your investigation.
The Privacy Act applies to Government of Canada institutions, while private sector organizations are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). Under PIPEDA, private sector organizations are required to:
- report to the Privacy Commissioner of Canada any breach of security safeguards involving personal information that poses a real risk of significant harm to individuals
- notify the individuals affected by the breach
- keep records of all breaches of security safeguards, whether or not they were reported
Collect evidence
Before starting an investigation, your organization should have a dedicated forensics workstation so that evidence is not cross-contaminated with data from other devices. Your organization should also ensure that the appropriate authority has approved these investigative actions. Record every action taken on the evidence, including who took it, when, and for what purpose; this log supports the chain of custody. Your IT department can also take the following actions to collect investigative evidence.
Acquire volatile evidence
Volatile evidence is data that exists only while the device is powered on and running, such as the contents of random access memory (RAM): running processes, open network connections, logged-in users and encryption keys currently in use. It is vital that the compromised device stay powered on until all volatile forensic evidence has been collected and preserved. Store the collected evidence on an external device, never on the compromised system itself, and hash it at the time of collection so that its integrity can be verified later.
Acquire non-volatile evidence
Non-volatile evidence is data that persists when power is lost, for example the contents of a hard drive, captured as a disk image (a bit-by-bit copy of the data on the disk). Verify the image against the source with a cryptographic hash and record the hash alongside the image.
Check for BitLocker encryption
BitLocker is a full-volume encryption feature of Microsoft Windows that protects data by encrypting entire volumes. If you are collecting data from a BitLocker-encrypted volume, make sure the BitLocker recovery key is on hand: a raw image of an encrypted volume is unreadable without it. Depending on how the device was enrolled, the recovery key may be escrowed in Active Directory, Microsoft Entra ID or the user's Microsoft account, so confirm where it is kept before the device is powered off.
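The following script is an added example and is not part of this publication: a minimal POSIX shell acquisition script for a Linux host that follows the three steps above. It captures volatile state first (most volatile data first), then makes a bit-for-bit image with before-and-after hashes, checks the image for a BitLocker volume signature, and logs every action with a timestamp. The evidence mount point, the file names and the set of commands captured are assumptions for illustration; Windows hosts would be imaged with the corresponding Windows tooling instead.

```shell
#!/bin/sh
# Added example, not from the original publication. Run as root from a trusted
# shell with the evidence drive already mounted. Paths and the captured command
# list are assumptions for illustration.

# Evidence goes on an external, previously wiped drive, never on the
# compromised disk. /mnt/evidence is an assumed mount point.
EVIDENCE_DIR="${EVIDENCE_DIR:-/mnt/evidence}"

# Every step is logged with a UTC timestamp: what was done, and on what.
log_action() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$EVIDENCE_DIR/actions.log"
}

# capture <name> <command...>: run one command, save its output under a fixed
# name and hash the output file right away. Tools that are not installed are
# logged as skipped instead of aborting the collection.
capture() {
    name=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$EVIDENCE_DIR/volatile/$name.txt" 2>&1 \
            || log_action "$name: '$1' exited with status $?"
        sha256sum "$EVIDENCE_DIR/volatile/$name.txt" >> "$EVIDENCE_DIR/hashes.sha256"
        log_action "captured $name with: $*"
    else
        log_action "skipped $name: $1 not installed"
    fi
}

# Volatile state first, roughly in order of volatility: network state and the
# process list change fastest, so they are captured before sessions and mounts.
collect_volatile() {
    mkdir -p "$EVIDENCE_DIR/volatile"
    log_action "begin volatile collection on host $(uname -n)"
    capture clock       date -u
    capture connections ss -tunap
    capture arp_cache   ip neigh
    capture routes      ip route
    capture processes   ps -eo pid,ppid,user,lstart,etime,args
    capture sessions    who -a
    capture mounts      mount
    log_action "volatile collection complete"
}

# acquire_image <source> <image>: bit-for-bit copy of a block device (or a file
# standing in for one). conv=noerror,sync continues past unreadable sectors and
# zero-pads them so the image stays sector-aligned; a plain file whose size is
# not a multiple of 512 bytes would therefore be padded and fail the hash check.
# A disk in a running system also changes under dd, so image it from the
# forensic workstation through a write blocker once volatile data is collected.
acquire_image() {
    src=$1; img=$2
    log_action "begin imaging $src to $img"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$EVIDENCE_DIR/dd.log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s  %s\n' "$img_hash" "$img" >> "$EVIDENCE_DIR/hashes.sha256"
    if [ "$src_hash" = "$img_hash" ]; then
        log_action "image verified, sha256=$img_hash"
        return 0
    fi
    log_action "HASH MISMATCH source=$src_hash image=$img_hash"
    return 1
}

# is_bitlocker <image-or-device>: BitLocker volumes carry the OEM identifier
# "-FVE-FS-" at byte offset 3 of their first sector. A hit means the image is
# ciphertext and the recovery key is needed before it can be examined.
# BitLocker To Go (removable media) uses a FAT-style header and is not caught
# by this check.
is_bitlocker() {
    sig=$(dd if="$1" bs=1 skip=3 count=8 2>/dev/null)
    [ "$sig" = "-FVE-FS-" ]
}

# Usage, as root, after mounting the evidence drive:
#   sh acquire.sh /dev/sda
main() {
    mkdir -p "$EVIDENCE_DIR"
    collect_volatile
    acquire_image "$1" "$EVIDENCE_DIR/disk.dd" || exit 1
    if is_bitlocker "$EVIDENCE_DIR/disk.dd"; then
        log_action "BitLocker signature found in image: recovery key required"
    fi
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The hash file and the action log are what let a later reviewer confirm that the image is the disk that was seized and that nothing was altered in between; keep both with the evidence, not on the analyst's working copy.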
Learn more
- Have you been a victim of cybercrime? (ITSAP.00.037)
- Steps for effectively deploying multi-factor authentication (MFA) (ITSAP.00.105)
- Foundational cyber security actions for small organizations (ITSAP.10.300)
- Secure your accounts and devices with multi-factor authentication (ITSAP.30.030)
- Best practices for passphrases and passwords (ITSAP.30.032)