3 minute read 10 May 2019
Five steps to take in response to cybercrime

By EY Americas

Multidisciplinary professional services organization

Related topics Assurance Cybersecurity

With the prevalence of cyber attacks increasing, it’s imperative that companies know how to prepare for and respond to threats. 

How to respond to cybercrime

1. Prepare

A cyber attack can go undetected for a long period of time. Consistently performing enterprise-wide monitoring and diagnostics is the key to early detection and resolution.

2. Triage

Isolate the incident and zero in on the impact. Knowledge of the enterprise network environment is critical. Based on the severity, complexity and urgency of the incident, determine whether the appropriate response includes a full-scope investigation following the cybercrime response plan.

3. Investigate and remediate

Remediation usually runs concurrently with the investigation.


Determine how and when the compromise occurred, what the root cause was and what the impact to the organization was. The investigation needs to be initiated and conducted with a great sense of urgency and in a secured environment. To do so, each organization should have a pre-established, scalable cybercrime response team consisting of relevant lines of business and executive functions, with defined roles and responsibilities, as well as internal and external communication protocols. The effectiveness of the plan needs to be tested through table-top exercises.

  • Identify, collect and preserve evidence

Acquire all host-based evidence pertinent to the type of incident in a timely, efficient and forensically sound way. Identify any running processes, open ports and remote users. Collect network-based log files including, but not limited to, routers, firewalls, servers and intrusion detection system (IDS) sensors. Conduct necessary internal and external interviews.

  • Perform forensic analysis and data analytics

Conduct a comprehensive forensic examination to determine the attack vector, the scope and depth of the compromise. Identify any unauthorized user accounts or groups, rogue processes and services and any unauthorized access points.

  • Develop and understand fact patterns

Determine who is involved. Tell the story of who, what, when, where and how. Consider necessary disclosures as facts develop.

  • Draw conclusions and make recommendations

Prepare a report of recommendations on disclosures, program improvement, discipline and remediation.


Identify and address vulnerabilities in the environment, sufficiently harden the environment to complicate the attacker’s effort to get back in, enhance the ability to detect and respond to future attacks, and prepare for eradication events.

The response to the root cause of the initial incident will likely start out as tactical but should grow to be strategic. Companies should perform attack and penetration exercises to determine whether the tactical fixes were effective.

4. Eradicate

Effective eradication plans must be well-coordinated and executed with speed and precision as the attackers will often try to re-establish a presence and entrench themselves into the network. Preparation for an eradication event starts during the investigation phase so that the eradication can start soon after the investigation is completed.

5. Resolve

Prepare data based on varying requirements for regulatory reporting, insurance claim and dispute, litigation, threat intelligence and/or customer notification. Cross-border collaboration is critical.

Determine what to disclose to any or all of the following:

  • Regulators/law enforcement
  • Auditors
  • The board
  • Audit committee
  • Employees
  • Shareholders
  • Suppliers
  • Customers

“There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet.”
Mike Rogers
House Intelligence Committee Chairman


In the event of a cyber attack, every organization should be sufficiently prepared. These five steps outline the critical capabilities necessary to respond to cybercrime. 
