ISC team and community,
There are many articles out there on "steps to do after a breach" -- but a lot of what I see is high-level.
Wanted to see if anyone has good resources / good links to a "post-breach" checklist which would list out, say, the top key things a company should do after they realize they have been hacked.
I believe this would be useful for others in our ISC community too, so look forward to sharing through this thread.
I don't have a specific resource for you, but here are some thoughts:
1) In order to do a good job post-breach, you need to do a good job pre-breach. Backups, logging, having a response plan, testing it, factoring it into your risk management etc. all are requisite steps if you hope to recover and learn anything from a breach. Those topics alone could fill a book.
2) Involve counsel somewhere near step 1. Once you have a breach, get your lawyer involved ASAP, and let them be the conduit with law enforcement or regulators. You don't want system administrators talking directly to people who will assess your liability any more than you want your corporate counsel managing your firewall.
Bear in mind that what works for one incident or organization might not work for another. There is a plethora of guidance/frameworks out there, but the mistake is to assume these templates are executable out of the package. When/if you have a breach, you will have the naysayers who will say, "Why did we go to all this effort just to get nailed anyway?" That's like a team that loses the game giving up on practicing because "it didn't work." But this all gets to the communication gap between the technical side of the house and the corporate side. Ultimately, what you want post-breach is to close that gap, not widen it.