In the previous article (here and here), we have discussed a way to identify that our system was attacked by somebody, either the attack was successful or not. next question is What needs to be done after a cyber attack / during the attack (if you know its currently happening where you are watching what they are doing through the log file).
well some things you can do after / during an attack:
- Checking the damage. is this recognise attack has any impact on our system? if yes what are they?
- Minimise attack impact: for example: blocking IP address of the attcker
- Recovery from backup if the attack successful
- Do coordination with related organisation. why coordination? because bad guys doing coordination for doing attack. so why cant we do the same?
- Inform your organisation about what is happening
- Inform local CERT (Computer Emergency Respose Team). in indonesia, you can report to ID/SIRTII. inform them that we were under attack from XXX IP address, and attcker was doing X,Y,Z on our system
- Inform Foreign CERT. inform them the same.
Thank you for reading 🙂