...
- Remove or isolate the affected system(s) from the network
- Notify the Chief Technical Officer, or, if unavailable, the Director of Technology Support
- Notify senior Carleton College executives, at minimum the President and Treasurer, and provide ongoing impact assessments to their offices
- Notify local law enforcement and, if they or we deem it necessary, contact the local office of the FBI or the U.S. Secret Service
- Assemble an initial internal forensics team; start the process of engaging external forensics experts, if needed
- Determine whether the system(s) should be shut down (a shutdown destroys volatile evidence such as memory contents, running processes, and open network connections, so it should be avoided initially; isolating the system from the network is preferred)
- Attempt to preserve all evidence, including SIEM and firewall logs, backups, snapshots, and other internal (OS) and external monitoring logs, without altering the affected system itself (interactive root/admin logins on the affected host should be avoided, since they change file timestamps, shell histories, and authentication logs); collect from external sources first, then from the host
- Document every action taken, including dates, times (with time zone), the individuals involved, and the hash of each item of evidence collected
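The two evidence steps above (preserve copies without altering the original, and record who collected what and when) can be carried out with a small collection script. The following is an added example and is not part of the Carleton College policy: it copies log files into an evidence directory, makes the copies read-only, records a SHA-256 manifest and a chain-of-custody log, and can later re-verify the copies. The directory paths, the operator name, and the sample log lines are all assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the original policy): preserve log evidence as
# read-only copies with SHA-256 hashes and a chain-of-custody record.
# Assumes POSIX sh and either sha256sum or shasum on the host. All paths,
# the operator name, and the sample logs below are hypothetical.

set -u

# Print the SHA-256 of a file, using whichever tool exists on the host.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# preserve_evidence SRC_DIR DEST_DIR OPERATOR
# Copies every regular file in SRC_DIR into a fresh DEST_DIR, keeping original
# timestamps, makes the copies read-only, writes DEST_DIR/MANIFEST.sha256 and
# appends one who/when/what line per file to DEST_DIR/custody.log.
# Prints the number of files preserved. Intended for a new DEST_DIR per run.
preserve_evidence() {
    src="$1"; dest="$2"; operator="$3"
    mkdir -p "$dest"
    manifest="$dest/MANIFEST.sha256"
    custody="$dest/custody.log"
    : > "$manifest"
    count=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        cp -p "$f" "$dest/$name"      # -p keeps the original mtime, which is itself evidence
        chmod 444 "$dest/$name"       # read-only: later handling cannot silently alter the copy
        sum=$(hash_file "$dest/$name")
        printf '%s  %s\n' "$sum" "$name" >> "$manifest"
        printf '%s\t%s\tcollected\t%s\t%s\n' \
            "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$operator" "$name" "$sum" >> "$custody"
        count=$((count + 1))
    done
    chmod 444 "$manifest"             # seal the manifest as well
    echo "$count"
}

# verify_evidence DEST_DIR
# Re-hashes every preserved copy against the manifest; prints OK or FAILED.
verify_evidence() {
    dest="$1"; status=OK
    while read -r sum name; do
        [ "$(hash_file "$dest/$name")" = "$sum" ] || status=FAILED
    done < "$dest/MANIFEST.sha256"
    echo "$status"
}

# Demonstration on constructed sample logs (not real data).
work=$(mktemp -d)
mkdir -p "$work/logs"
printf 'Jan 10 02:14:07 fw01 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10\n' > "$work/logs/firewall.log"
printf '2024-01-10T02:15:01Z siem alert=lateral-movement host=ws-114\n' > "$work/logs/siem.log"
n=$(preserve_evidence "$work/logs" "$work/evidence" "analyst1")
echo "preserved $n files; integrity check: $(verify_evidence "$work/evidence")"
```

Run the collection from a responder workstation against exported logs, or from the affected host only with a read-only mounted collection volume; the custody log and manifest are what later answer the question of whether a copy has changed since it was taken.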
...