Cybersecurity Incident Response Recommendations
A Guide for California Community Colleges
Cybersecurity incidents can be frightening, especially in the first few hours after an incident has been detected. The California Community Colleges Information Security Center, in collaboration with the Chancellor’s Office, has created the following guide to support you through this process. While the Chancellor’s Office and CCC Information Security Center can only play an advisory role in your incident response, please know that we are here to support you during this critical time.
Confirming a Significant Cybersecurity Incident
If you believe you are experiencing a ransomware attack or significant security incident, first activate your on-premises incident response team and proceed through your internal checklist.
If a significant incident has been confirmed, notify the Chancellor's Office Security Team.
Stephen Heath
If you need further assistance, you may contact the CCC Information Security Center Incident Response Team (contact info below), your Cybersecurity Insurance carrier and/or contracted incident response provider.
Phone: (916) 431-0862
Please note, the CCC Information Security Center only provides best practice recommendations and advisory support; incident response needs to be handled by either your internal or contracted incident response team.
Incident Response Flow
Always ensure that backups are secure and accessible for recovery. Backups should be made regularly and kept separate from your running environment; storing them in an isolated, secure location gives you the best chance of recovering your data.
Analysis and Identification
The first step is analysis and identification. You may have done this already; even so, it is important to identify the full impact of the incident.
Questions to address:
- When did the event happen?
- How was it discovered?
- Who discovered it?
- What is the impact to critical systems?
- What is the full scope of the impact?
- How and why did this occur?
- Has the source of the event been discovered?
- Can you safely and reliably recover from backups?
Planning Your Recovery
The following should be considered as you plan your response and data recovery activities:
- Isolate: When a breach is first discovered, it would seem obvious to simply delete everything and start over. However, it would be more useful to isolate the environment to determine where the breach started as well as the scope of affected devices and how they were compromised (keep those log files!).
- Contain: You will also need to provide assurance that the vector was contained and there is no additional risk to the institution. This cannot be done without a forensic analysis and that analysis requires data. You or your incident response team will need to preserve this data as part of your threat analysis and risk mitigation strategy.
- Identify and assess: You will need to be able to tell your campus administration and all potentially affected users that you understand the vector, have identified potentially exposed PII, and have assessed the risk to students, staff, and your strategic partners. You will need to be able to clearly articulate what PII was exposed, if any, as well as how it occurred and how long the systems were compromised.
- Report: You may also need to provide reports to law enforcement and regulatory authorities and possibly even provide samples of the malware/ransomware/virus or malicious activity to independent auditors. This requires a concise recovery plan and data preservation strategy.
- Respond: You must be able to confidently provide assurance that the institution and its partners are no longer at risk from this vector. This is not possible without a forensic analysis of how the breach occurred, how it propagated, who was at risk, as well as what the attackers had access to, and for how long. You must also be able to detail how they were eliminated and will be prevented from returning. Preserving as much data as reasonably possible will be critical to completing your recovery to the satisfaction of all impacted stakeholders.
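One way to put the "keep those log files" and data-preservation points above into practice, as an added example that is not part of the guide: a small Python script that copies log files into an evidence folder and records a SHA-256 manifest, so a forensic analyst or auditor can later confirm the preserved copies are unaltered. File names and paths are constructed for illustration.

```python
"""Preserve log files for forensic analysis with a SHA-256 manifest.

Added example, not part of the original guide. Source paths are whatever the
analysis step identified; they are assumed to have distinct file names.
"""
import hashlib
import json
import shutil
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large logs need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, dest: Path) -> dict:
    """Copy each source file into `dest` and record hash, size and mtime.

    Returns the manifest, which is also written to dest/manifest.json so it
    can be handed over with the copies to a response provider or auditor.
    """
    dest.mkdir(parents=True, exist_ok=True)
    collected = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    manifest = {"collected_at": collected, "files": {}}
    for src in map(Path, sources):
        copy = dest / src.name
        shutil.copy2(src, copy)  # copy2 keeps the original timestamps
        manifest["files"][src.name] = {
            "original_path": str(src),
            "sha256": sha256_file(copy),
            "size": copy.stat().st_size,
            "source_mtime": src.stat().st_mtime,
        }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(dest: Path) -> list:
    """Re-hash the preserved copies; return names that are missing or altered."""
    manifest = json.loads((dest / "manifest.json").read_text())
    return [name for name, rec in manifest["files"].items()
            if not (dest / name).exists()
            or sha256_file(dest / name) != rec["sha256"]]
```

Run `verify()` before handing the evidence folder to anyone, and again when it comes back, so any change in custody is detectable.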
Containment
It is important to disconnect all affected devices from the internet as soon as possible. Update and begin to patch undamaged systems, review remote access protocols, make multi-factor authentication mandatory for all users, and change all user and administrative access credentials and passwords.
Eradication and Recovery
Once the environment is contained, eradicate the infection: securely remove all malware, re-harden and patch the affected systems, and apply outstanding updates. If backups are available, rebuild from them, but beware of dormant, time-delayed seed files captured in the backups, which can reinfect the rebuilt systems.
Post-Incident Activity
The last few steps are post-incident activities: completing an incident report and updating risk assessments and threat intelligence. It is vital to continue monitoring activity after the incident. Putting preventive measures in place to avert future occurrences, and planning corrective action for future events, helps guard against recurrent attacks of the same nature.
Report the incident to local management and any relevant governing bodies. If PII has been breached, additional reporting will be required to the California Attorney General’s Office and other relevant bodies.
Resources
NIST Computer Security Incident Handling Guide, SP 800-61 Rev. 2 (PDF)
CISA MS-ISAC Ransomware Guide, September 2020 (PDF)
"The Five Steps of Incident Response," Digital Guardian, June 26, 2019
California Community Colleges Incident Response Policy, July 23, 2020