REPORT AND REACT
If you suspect your organization has experienced a computer intrusion or an attack, contact the local FBI office or other law enforcement agency immediately and report the following:
1. Names, location and function of the systems involved.
2. Names and location of programs accessed.
3. How intrusion access was obtained.
4. Highest classification of information stored in the victimized systems.
PROTECT AND PROSECUTE
To preserve any evidence and help the federal, state and local law enforcement agencies investigate the incident, take the following steps:
1. Make backup copies of damaged and altered files and keep backups in a secure location.
2. Activate all auditing software.
3. Consider implementing a keystroke-monitoring program (provided an adequate warning banner is displayed on your system).
4. Do not contact the suspected perpetrator.
5. Document any steps you take to repair systems, make backups and so on prior to law enforcement’s arrival.
6. Keep track of how much time and money you spend in responding to an intrusion. This information may be needed to help build a criminal case.
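One way to carry out steps 1, 5 and 6 together is shown below as an added example; it is not part of the original guidance. It copies an affected file to an evidence directory, verifies the copy by SHA-256, and keeps a timestamped log of actions and minutes spent. The function names, log format, file names and operator name are assumptions made for illustration.

```python
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def log_entry(log_path, operator, action, minutes=0, **details):
    """Append one timestamped record (steps 5 and 6) to a JSON-lines log."""
    rec = {"utc": datetime.now(timezone.utc).isoformat(), "operator": operator,
           "action": action, "minutes": minutes, **details}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(rec) + "\n")
    return rec

def preserve(src, evidence_dir, log_path, operator, minutes=0):
    """Copy one damaged or altered file (step 1), verify the copy, log it."""
    st = os.stat(src)                       # capture metadata before copying
    before = sha256(src)
    os.makedirs(evidence_dir, exist_ok=True)
    dst = os.path.join(evidence_dir, f"{before[:12]}_{os.path.basename(src)}")
    shutil.copy2(src, dst)                  # copy2 keeps the modification time
    if sha256(dst) != before:
        raise OSError(f"copy of {src} does not match the original")
    os.chmod(dst, stat.S_IRUSR)             # evidence copy is read-only
    mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
    return log_entry(log_path, operator, "preserved file", minutes, copy=dst,
                     source=os.path.abspath(src), sha256=before, size=st.st_size, mtime=mtime)

def total_minutes(log_path):
    """Sum the time recorded so far (step 6)."""
    with open(log_path, encoding="utf-8") as f:
        return sum(json.loads(line)["minutes"] for line in f if line.strip())

def demo():
    """Constructed sample: one altered file in a temporary directory."""
    work = tempfile.mkdtemp()
    altered = os.path.join(work, "index.html")
    with open(altered, "w") as f:
        f.write("<html>constructed defaced page</html>")
    log = os.path.join(work, "response_log.jsonl")
    rec = preserve(altered, os.path.join(work, "evidence"), log, "analyst1", minutes=10)
    log_entry(log, "analyst1", "enabled audit logging on web server", minutes=20)
    return rec, total_minutes(log)

if __name__ == "__main__":
    print(demo())
```

In practice the evidence directory and the log belong on separate, access-controlled media rather than on the affected system.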