Once a breach occurs, you’ll want to identify what the attackers accessed and how they accessed the data. This information helps you identify if you need to notify users that their data has been breached and learn how to protect yourself from the next attack.
First, make sure you have the necessary resources and preparations in place to investigate. The process of identifying how an attacker entered the network is often based on the evidence and timeline analysis. Knowing how best to handle the evidence and having a plan in place before an intrusion occurs are key to properly handling the investigation. The Cybersecurity Unit for the US Department of Justice has several resources to help with planning ahead.