Containment
In serious cases, you may need to turn off key internet and core network connections, including network hardware such as routers and switches.
Discuss these actions with your incident lead, technical support, and service providers:
- Identify all devices and systems impacted by the malware, and where the initial incident occurred.
- Prioritise isolating critical systems that are essential to daily operations. This includes systems that hold learner data, financial systems and any systems that may affect safeguarding. Check if your school has an asset list to help with this.
- If taking the network temporarily offline is not possible, take any devices that are infected (or suspected infected) offline by removing internet or network connectivity.
- For cloud environments, take a point-in-time snapshot of the affected volumes using the cloud provider's own tooling, so that a copy is preserved for further forensic investigation before any clean-up changes them.
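The steps above, worked as a small triage helper (an added example, not part of the original guidance): given an asset list and the hosts flagged by malware alerts, it orders isolation so safeguarding and learner-data systems come first, queues cloud volumes for a snapshot, reports flagged hosts missing from the asset list, and uses the earliest detection time as a hint to where the incident started. The asset fields, criticality weighting, hostnames, volume IDs and timestamps are all constructed for the example.

```python
# Containment triage helper (added example; every value below is constructed).
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Asset:
    hostname: str
    learner_data: bool = False
    financial: bool = False
    safeguarding: bool = False
    cloud_volume_ids: list = field(default_factory=list)

# Constructed stand-in for the school's asset list.
ASSETS = [
    Asset("sims-db01", learner_data=True, safeguarding=True,
          cloud_volume_ids=["vol-0abc-example"]),
    Asset("finance-app", financial=True, cloud_volume_ids=["vol-0def-example"]),
    Asset("staff-laptop-17"),
    Asset("lib-pc-03"),
]

# Constructed alerts: (hostname, time the malware was first seen there).
ALERTS = [
    ("lib-pc-03", "2024-03-04T08:12:00"),
    ("staff-laptop-17", "2024-03-04T08:40:00"),
    ("byod-unknown-7", "2024-03-04T08:50:00"),   # missing from the asset list
    ("sims-db01", "2024-03-04T09:05:00"),
    ("finance-app", "2024-03-04T09:20:00"),
    ("staff-laptop-17", "2024-03-04T09:30:00"),  # repeat alert for the same host
]

def criticality(asset):
    """Higher scores are isolated first; safeguarding outranks everything."""
    return 4 * asset.safeguarding + 2 * asset.learner_data + asset.financial

def plan_containment(assets, alerts):
    """Return where the incident likely started, unknown hosts, and ordered actions."""
    by_name = {a.hostname: a for a in assets}
    first_seen = {}
    for host, ts in alerts:
        t = datetime.fromisoformat(ts)
        if host not in first_seen or t < first_seen[host]:
            first_seen[host] = t
    patient_zero = min(first_seen, key=first_seen.get)  # earliest detection
    unknown = sorted(h for h in first_seen if h not in by_name)  # cannot be prioritised
    affected = sorted((by_name[h] for h in first_seen if h in by_name),
                      key=lambda a: (-criticality(a), first_seen[a.hostname]))
    actions = []  # isolate critical systems first; snapshot cloud volumes before clean-up
    for a in affected:
        actions.append(("isolate", a.hostname, None))
        actions.extend(("snapshot", a.hostname, v) for v in a.cloud_volume_ids)
    return {"patient_zero": patient_zero, "unknown_hosts": unknown, "actions": actions}
```

Hosts in `unknown_hosts` need a manual decision, since an unmanaged device cannot be placed against the asset list's priorities.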