Inject 1

Inject 2

Set up a new server through a backup

Identify which files have been altered, check for backups, try to restore the original

Shut down the web server temporarily

Open an investigation to find out who the owner was

How did it get there? Temp worker? Someone else?

Inject 3

Are they 'bluffing'?

Report to the authorities and shut down comms temporarily

Pay the ransom!?

Run a second pen test to double-check the affected area

Prevent it from happening again? What do you do?

Figure out entry-point of compromise, then respond

credentials

users/training/awareness

Does it affect customer data? Do you inform the customers? When/how?

Could it be connected to insider threats?

What information was collected/compromised from the finance departments?

Checking other devices in the company!

Device management

Voice samples? Conversations? Deep fakes

Reporting? Owner of the SIM card!?

CCTV/cameras?

Insider threat?

Inject 4/4a

User account / individual within the finance dept.

Inject 5

PR approach (neither deny nor confirm?)

Responding to comments on social media

Data safety priority

investigation of that account/individual

malicious threat / non-malicious threat

Inject 6

correlation between physical/digital access

collect more information about individual (HR)

train on insider threats

IT Manager

Offer more money?
(Is it a bluff?)

Hire another party to take over responsibility

Investigate IT manager's relation with Finance/accounts

IT manager manipulating event logs, etc.

Informal benefits

Insider threat / external pressure?
</gml_replace>
<gr_replace lines="102" cat="reformat" orig="broader implications">
Broader implications from competitor?

Poaching IT manager from competitor?

broader implications from competitor?

IT manager's team and develop someone internally

Phone calls

Template voice-recorded response

Who leaked the fact that the company was breached?

Social media policy

Make users aware of them

Re-establishing customer trust (prevent/policy/awareness)

Breach handling

Respond

No comment

Reward for finding out who breached?

Hire a specialist PR company

Have an appointed person deal with the media

Set up a hotline

Gather intelligence about what/where exfiltrated data exists