Your company just got hacked. Now what?

According to a top cybercrime expert who specializes in data breaches and incident response, the first step is keeping the CISOs and IT security staff calm. A high-impact cyber-attack can be a stressful and disorienting event - even for the most veteran technology and business executive.

Dario Forte was a police officer in Italy for 15 years, serving in various crime enforcement squads, including cybercrime enforcement. He is now founder and CEO of DF Labs in Crema, Italy, a leader in information security, incident management, e-discovery, litigation support and digital forensics.

"The first step is definitely supporting the customer who is reporting the incident - in order to avoid panic," says Forte.

Forte has extensive real-world experience as a cybersecurity first responder. He has 15 years' experience in the Italian military and financial police, and has worked in the United States with NASA and many federal agencies. In both countries, Forte has managed information security strategies and undertaken incident management and digital investigations. He is currently the Italian Chief of Delegation and a Subject Matter Expert and Co-Editor serving the Italian Delegation for ISO Standards on Digital Evidence and Investigations, and Incident Management.

When asked if his experience as a police officer carries over to cyber incident response, Forte says yes. "I've spent over 15 years in the police, working in drug and then organized crime enforcement for 10 years. The first thing they teach you is - Don't panic. If you cannot keep calm, things will only get worse."

"The CISOs we usually talk with have four priority questions to answer about incident response," says Forte. He explains:

What is happening?
How can I prioritize my response?
How can I contain the damage?
Has this occurred elsewhere?

Forte continues: "The answers to these questions can be given only by a structured approach, where a well-prepared Incident Management Team can orchestrate the investigation and response, sharing the artifacts with their trusted peers in order to reduce the reaction time."

After the first interaction, when he helps to keep level heads, Forte explains the next step. "We ask if they've been notified of any information that has been disclosed to unauthorized parties, stolen, deleted or corrupted. That will help us to understand the incident scope, its potential impact and the customer's ability to govern it. From a technical standpoint, our team immediately engages a conference call with the technical staff at the customer site. Usually that happens no later than 45 minutes from the first call. This phase is fundamental as it gives us an immediate sense of which information is available for investigation and/or helping the customer to avoid any mistake in evidence handling. The latter is the most common cause of failure in the investigation and in response to the incident."

Forte makes a crucial point about the importance of securing the (cyber) crime scene.

Brian Minick, former CISO at a Fortune 500 corporation - GE Aviation and Energy - agrees. "When a client discovers they've had a breach, there is often a mistaken assumption that the scope of the breach is fairly static," says Minick, now CEO at Morphick, a cybersecurity professional services firm in Cincinnati. "In reality, the intrusion usually starts weeks or months before detection, and the intruder likely has broad access to the client's network and can move around it quickly. The Morphick Incident Response Team's first priority with a client is to rapidly identify and disrupt the attacker's access to the client's networks and data to mitigate further losses. Preserving evidence and identifying the perpetrators is important, but the investigation can't begin until the crime scene is secured."

It seems cybercrime response is a lot like street crime response. Another cyber-expert confirms that thought. Ondrej Krehel, managing director and founder at LIFARS, LLC, a New York City digital forensics and cybersecurity intelligence firm that provides data breach incident response, chimes in on his best practices for first-responder work. "The primary objective is to provide intelligence about the technical skill-set and the motivation of the attacker, along with immediate steps to remediate and protect critical assets."

Krehel goes on to say: "We holistically examine the situation to address the incident. This includes initial damage assessment, initial vector of compromise, indicators of compromise, preservation of forensic artifacts, and further forensic analysis of information collected."

Some first-responders sound more like detectives. Seth Danberry is one of them. After a 16-year career as a CIO, Danberry started up his cybersecurity firm Grid32 in Jersey City, N.J., almost six years ago. When asked about his firm's incident response, Danberry provided Grid32's methodology, a well-defined five-step process:

Step 1. Identification. "Step one is to dive in and fully identify the incident by reviewing errors, log files and other telling information from the client's firewalls, [intrusion-detection systems] and other assets."

Step 2. Containment. "Once we have identified the issue, we look to contain the threat and stop the bleeding by putting in filters, altering routing or DNS, or if necessary, taking systems offline."

Step 3. Eradication. "Once the situation is initially stabilized, we move to fully eradicate the threat from all affected systems and ensure reinfection cannot occur."

Step 4. Recovery. "After the threat is eradicated, our focus shifts to recovery, where affected systems are brought back online to resume normal operations, all while monitoring to ensure no further signs of compromise."

Step 5. Analysis and Lessons Learned. "Once the immediate crisis is over, we then use forensics and other investigatory techniques to attempt to track the source of the incident and also glean any information to prevent subsequent incidents with the client."

Corporations and government agencies that handle cyber-incidents internally may want to model their own process on Grid32's five steps.

Some cybersecurity experts are more focused on keeping CSOs and CISOs grounded in reality after their company has been the victim of a cyber-attack. "Breach and incident response can be an emotional, chaotic affair for organizations - our first priorities are to calm people down and set some expectations," says Reg Harnish, Founder and CEO at GreyCastle Security in Troy, N.Y. "These are not the best days for the organization, but they don't have to be the worst," he adds.

Harnish has 15 years of hands-on security and incident response experience in several industries, including financial services, healthcare, and higher education. He offers interesting advice. "First, the client should understand that this is not CSI or a Tom Cruise movie - the likelihood of identifying a cybercriminal in the foothills of Romania, getting your money back and bringing them to justice - is near nil. In addition, the client should be focused on minimizing the negative impact of the event, not chasing criminals. Setting this expectation is key."

When Harnish's firm looks into a breach, they are also thinking about what comes after... and sometimes that can mean legal action, including courtroom appearances. "The investigation begins with triage, and making some rough determination of scope and impact. How many records, how much money, how much evidence and how much negative impact - all of these factors will drive the response process. Also important is to decide if litigation is possible as a result of the incident; if it is, we will integrate evidence and chain of custody procedures to be prepared for court."

Harnish differs with the step-by-step process advocated by others. "The client should understand that breach response is organic and dynamic. There is no such thing as a step-by-step procedure that applies to all incidents."

With high-profile hacks getting ink on the front pages of major newspapers and more visibility on the evening news, perhaps we might see Tom Cruise starring in a cyber film, playing Reg Harnish - cybercrime expert witness. Who would play the corporate CISO? That's not important if you listen to Albert Whale, another cybercrime first-responder, who says "each CISO is one breach away from losing their current position."

Whale is president and CSO at Pittsburgh-based IT Security. In the past, he has worked as an Ethical Intruder, helping companies to prepare for the worst. If you believe Whale, then whoever plays the CISO would only be making a cameo appearance. In the real world, a CISO might hang up with his or her legal counsel after reporting a serious breach, and then dial a headhunter.
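Forte's warning that mistakes in evidence handling are the most common cause of a failed investigation, and Harnish's point about integrating chain of custody procedures when litigation is possible, both come down to being able to prove later that evidence was not altered after acquisition. As an added example (not code from the article or from any firm quoted in it), the following Python keeps a hash-chained custody log for evidence files; it assumes evidence is handed over as files, and the "auth.log" content and "responder A" are constructed sample values.

```python
# Added example, not the article's code; assumes evidence is handed over as files.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Fingerprint the evidence file as it exists right now."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def entry_hash(entry):
    """Hash every field of a log entry except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only custody log; each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    def record(self, action, path, custodian):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"when": datetime.now(timezone.utc).isoformat(), "action": action,
                 "item": Path(path).name, "sha256": sha256_file(path),
                 "custodian": custodian, "prev_hash": prev}
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, paths):
        """List problems: a broken log chain, or evidence whose content changed."""
        problems, prev = [], "0" * 64
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or entry_hash(e) != e["entry_hash"]:
                problems.append(f"log entry {i} altered or out of order")
            prev = e["entry_hash"]
            if e["item"] in paths and sha256_file(paths[e["item"]]) != e["sha256"]:
                problems.append(f"{e['item']}: content changed since '{e['action']}'")
        return problems

def demo():
    """Constructed sample: evidence edited after acquisition is caught on verification."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d, "auth.log")  # constructed sample evidence file
        ev.write_text("Failed password for root from 203.0.113.5\n")
        log = CustodyLog()
        log.record("acquired", ev, "responder A")
        clean = log.verify({"auth.log": ev})
        ev.write_text(ev.read_text() + "edited after acquisition\n")  # mishandled
        return clean, log.verify({"auth.log": ev}), log
```

Because each entry commits to the previous entry's hash, editing or reordering a custody record is detected just like editing the evidence itself; in practice the log would be written to storage the responders cannot modify after the fact.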