1. Assumption: Someone has alerted the IT department to a potential security incident, or an automated security system has alerted the IT department to a potential security incident.
1.1. Establish the scope of the security incident: identify how many systems are infected, the damage done, and the potential for further damage to the business.
1.1.1. IT Manager, or COO if the IT Manager isn't available, assigns one CIRT team member to begin an investigation to determine how many systems are affected by the security incident.
1.1.1.1. Is Sophos Central / Intercept X able to detect the threat?
1.1.1.1.1. Yes
1.1.1.1.2. No
1.1.1.2. How many staff are reporting the issue?
1.1.1.2.1. Only one workstation or server
1.1.2. IT Manager deploys the disaster recovery laptop that is specifically provisioned for emergencies. The laptop is connected to the Internet via a cellular hotspot and is not allowed on the internal network.
1.1.3. IT Manager works to determine whether any staff user account lockouts have occurred, by questioning staff and checking logs.
1.1.3.1. Yes
1.1.3.1.1. Elevate Incident level to Medium.
1.1.3.1.2. If Active Directory accounts have been locked out, review Event ID 4740 on the domain controller to establish which workstations or servers are launching the attacks that are triggering the account lockouts.
1.1.3.1.3. Notify all staff of an unfolding security incident and a threat level set to "High".
1.1.3.1.4. Notify remote users that VPN will be disabled temporarily.
1.1.3.1.5. Disable VPN services on Sophos Firewall Cluster
1.1.3.2. No
1.1.3.2.1. Make a note in the Post Incident Documentation of no reported account lockouts.
1.1.4. IT Manager begins an investigation to determine whether the incident is affecting customer-facing systems such as the phone system, email services or the website.
1.1.4.1. IT Manager assigns a CIRT team member to execute the Website Security Breach Assessment SOP. The purpose is to determine whether the website has been breached.
1.1.4.1.1. Yes
1.1.4.1.2. No
1.1.4.2. IT Manager directly executes the Email Security Breach Assessment SOP to establish whether the security incident is using RC email accounts to spread the virus or malicious application.
1.1.4.2.1. Yes
1.1.4.2.2. No
1.1.4.3. Is the 3CX Phone Server involved in the incident, or does it need to be shut down because of the incident?
1.1.4.3.1. Yes
1.1.4.3.2. No
1.1.5. IT Manager begins assessing any potential damage to ERP systems from the security incident. Have accounts been compromised? Has data been stolen? Is the ERP damaged and unable to function?
1.1.5.1. Execute the ERP Security Breach Assessment SOP to determine whether there is a security threat to the ERP.
1.1.5.1.1. Yes
1.1.5.1.2. No
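Step 1.1.3.1.2 asks the responder to read Event ID 4740 on the domain controller and work out which hosts are generating the lockouts. The script below is an added example, not part of this SOP, of how that review can be done in one pass with PowerShell: it pulls the 4740 records from the DC's Security log, parses each event's XML, and summarises lockouts per caller computer. It assumes the account running it can read the DC's Security log, and the domain controller name `DC01.example.local` is a placeholder; point it at the PDC emulator, since every lockout in the domain is recorded there.

```powershell
# Added example (not part of the original SOP): summarise Event ID 4740
# (account lockout) records from a domain controller's Security log and
# group them by the caller computer that triggered each lockout.
# Assumptions: read access to the DC's Security log, and the placeholder
# DC name below replaced with your PDC emulator.
function Get-LockoutSources {
    param(
        [string]$DomainController = 'DC01.example.local',  # placeholder, not from the SOP
        [int]$Hours = 24
    )

    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = $since
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Warning "No 4740 events on $DomainController in the last $Hours hours."
        return
    }

    # Flatten each event's EventData into a name/value table so the fields
    # can be read by name rather than by positional index.
    $records = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            # In a 4740 event the field named TargetDomainName carries the
            # "Caller Computer Name": the host the failed logons came from.
            CallerComputer = $data['TargetDomainName']
        }
    }

    # One row per caller computer: lockout count, distinct accounts, and the
    # first/last time it was seen. Many accounts locked out from a single
    # host is the pattern step 1.1.3.1.2 is trying to surface.
    $records | Group-Object CallerComputer | ForEach-Object {
        [pscustomobject]@{
            CallerComputer   = $_.Name
            Lockouts         = $_.Count
            DistinctAccounts = ($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Lockouts -Descending
}

# Usage: review the last 24 hours and show the noisiest hosts first.
Get-LockoutSources -Hours 24 | Format-Table -AutoSize
```

A blank CallerComputer value is possible (for example lockouts originating from some non-Windows services), so an empty row in the output is worth noting in the post-incident documentation rather than dismissing. The host names this returns are the candidates for isolation in the steps that follow; confirm each one against Sophos Central before acting on it.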