Preparation

Identification

Containment

Eradication

Identify and confirm the incident by analyzing logs and alerts.

Ignore the traffic as it might be a false alarm.

Immediately shut down all network operations.

Contact the internet service provider to block the traffic.

Yes, because it indicates a potential account takeover and requires immediate containment.

No, because it might be a false alarm and can be ignored.

Yes, because it is a common occurrence and does not require immediate action.

No, because it is not related to cybersecurity threats.

Shut down the affected systems immediately.

Disconnect the affected systems from the network.

Wait for instructions from higher authorities.

Attempt to decrypt the files themselves.

Isolate affected systems and update antivirus software.

Ignore the outbreak and continue normal operations.

Unplug all network cables immediately.

Contact the media to report the outbreak.

Notify the IT department and change all passwords immediately.

Ignore the attack and continue working.

Share credentials with the attacker to monitor their actions.

Wait for the attacker to make the next move.

Investigate the source of access and revoke permissions

Ignore the access as it might be a false alarm

Immediately shut down the server

Notify all users about the breach