If you have a cyber-security emergency, there are some simple, immediate steps you can take to get the situation under control and preserve evidence for investigation.  Most incidents fall into one of three classes: a malware compromise, a data compromise, or computer misuse.  Each requires immediate action to reduce impact and loss.

Follow these steps

  1. If the system is on, leave it on. Turning it off destroys what is held only in volatile memory (running processes, open network connections, in-memory malware) and that information is critical to evaluating the state of the system.
  2. Preserve logs. Archive whatever logs exist at that moment to offline storage, somewhere the suspect system cannot reach, and record hashes of the copies so their integrity can be demonstrated during the investigation.
  3. If possible, make no changes to the system once the event has been classified as an incident. The changes you may be tempted to make immediately (rebooting, patching, deleting suspicious files, running a cleanup tool) can destroy the very evidence needed to identify the source of the compromise or action.
  4. Isolate the system from the rest of the network, but do not disconnect it from its upstream switch: move its switch port to a quarantine VLAN or apply an ACL that drops its traffic while the link stays up, rather than pulling the cable. Sophisticated malware can sense changes in system state, such as a lost link, and change its behaviour or remove itself when it detects them.

These simple steps are crucial.  The information destroyed by improper or over-aggressive recovery techniques can make the difference between cleaning up malware on a single system and an enterprise-wide rebuild and data-restoration project.
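The following script is an added example of how a first responder can carry out step 2 (archive logs offline) while respecting steps 1, 3 and 4; it is not part of the Coalfire text. It only reads from the live system and writes to an already-mounted offline destination (an external drive, or a share that the suspect host's network cannot reach), hashes the originals before copying, hashes the copies so the archive can be re-verified later, records who collected what and when, and optionally captures the process and connection lists that exist only while the host stays up. It assumes a POSIX shell with coreutils (sha256sum, find, cp, date, uname); the directory names and sample log paths are illustrative assumptions.

```sh
#!/bin/sh
# Added example (not Coalfire's code): preserve logs and volatile state to an
# offline destination with integrity hashes and a chain-of-custody record.
# Assumes POSIX sh + coreutils. Never reboots, patches or unplugs anything.

set -u

# preserve_logs SRC_DIR DEST_DIR
#   Copies every regular file under SRC_DIR into DEST_DIR/<host>-<utc>/logs/,
#   keeping the original layout and timestamps, and writes:
#     source.sha256    hash + absolute path of each ORIGINAL at collection time
#     manifest.sha256  hash + path of each COPY, relative to the case directory,
#                      so it can be re-checked later with `sha256sum -c`
#     collection.txt   who collected, when, from which host
#   Prints the case directory path on success.
preserve_logs() {
    src=${1%/}
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    case_dir="$dest/$(uname -n)-$stamp"
    mkdir -p "$case_dir/logs" || return 1

    {
        echo "collected_utc: $stamp"
        echo "host: $(uname -a)"
        echo "collector: ${USER:-$(id -un)}"
        echo "source_dir: $src"
    } > "$case_dir/collection.txt"

    : > "$case_dir/source.sha256"
    : > "$case_dir/manifest.sha256"

    # Sorted so the manifests are reproducible; read -r keeps odd names intact.
    find "$src" -type f | sort | while IFS= read -r f; do
        rel=${f#"$src"/}
        # Hash the original first: that is the evidence of record.
        sha256sum "$f" >> "$case_dir/source.sha256"
        mkdir -p "$case_dir/logs/$(dirname "$rel")" || exit 1
        cp -p "$f" "$case_dir/logs/$rel" || exit 1
        # Hash the copy with a case-relative path for later `sha256sum -c`.
        (cd "$case_dir" && sha256sum "logs/$rel") >> "$case_dir/manifest.sha256"
    done || return 1

    echo "$case_dir"
}

# snapshot_volatile CASE_DIR
#   Records what only exists while the host stays on (step 1): process list and
#   network connections. Each tool is optional; whatever is present is captured
#   and added to the manifest. Reading these lists is the smallest footprint
#   available; it does not alter files on the host.
snapshot_volatile() {
    vol="$1/volatile"
    mkdir -p "$vol" || return 1
    date -u > "$vol/collected_utc.txt"
    if command -v ps >/dev/null 2>&1; then ps -ef > "$vol/ps.txt" 2>/dev/null; fi
    if command -v ss >/dev/null 2>&1; then ss -tupan > "$vol/ss.txt" 2>/dev/null; fi
    if command -v netstat >/dev/null 2>&1; then netstat -an > "$vol/netstat.txt" 2>/dev/null; fi
    (cd "$1" && find volatile -type f | sort | while IFS= read -r f; do
        sha256sum "$f"
    done) >> "$1/manifest.sha256"
    return 0
}

# verify_archive CASE_DIR
#   Re-hashes every archived file against manifest.sha256. Returns 0 only if
#   all files still match; a modified or missing file makes it non-zero.
verify_archive() {
    (cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1)
}

# Typical use (paths are assumptions): the destination is a mounted external
# drive, and the source is the host's log directory.
#   case_dir=$(preserve_logs /var/log /mnt/evidence) && snapshot_volatile "$case_dir"
#   verify_archive "$case_dir"
```

Re-run verify_archive whenever the archive changes hands; a non-zero exit means a copy no longer matches what was collected. Keep source.sha256 with the case file even if the originals are later lost, since it documents what the host contained at collection time.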

Courtesy of Coalfire Systems Inc.