Handling Dark Web Monitor Results in CYRISMA
Dark web monitoring is an essential part of maintaining cybersecurity hygiene and safeguarding organizational data. CYRISMA’s Dark Web Monitor module allows administrators to proactively detect compromised data associated with company domains or employee accounts. This guide outlines the steps to efficiently analyze, respond to, and mitigate dark web threats using CYRISMA.
Step 1: Identify the Exposed Data
When reviewing the results, pay close attention to the following data fields:
Email Addresses: Identify any corporate or employee-associated addresses.
Passwords: Check for plaintext or weakly hashed credentials.
Data Breach Source: Determine where the breach occurred (e.g., specific platforms or databases).
Breach Date: Understand the timeline of exposure to assess potential risks.
Prioritization Criteria:
Credentials linked to current employees or corporate domains (e.g., john@company.com).
Presence of plaintext or weakly hashed passwords.
Multiple exposures tied to the same user or email address.
Step 2: Prioritize and Categorize the Findings
To effectively manage exposed data, use the following guidelines:
Apply filters to identify high-risk exposures, such as:
Leaked credentials with passwords
Multiple exposures for a single user/email
Categorize the findings:
Internal Employee Credentials: High priority, immediate action required.
Former Employee Credentials: Assess relevance and risk.
3rd-Party or Vendor Accounts: Coordinate with vendors to ensure credential updates.
Mark Exposures:
Use internal ownership tags to mark items that require follow-up action.
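The Step 1 and Step 2 criteria applied to an exported result set, as an added example (not CYRISMA code). The column names, domain list, employee list and score weights are assumptions for illustration, and the sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter

# Assumptions for this example: monitored domains and the current-staff list from your IAM.
CORPORATE_DOMAINS = {"company.com"}
CURRENT_EMPLOYEES = {"john@company.com"}
# Heuristic: bare 32/40 hex chars look like unsalted MD5/SHA-1; bcrypt/argon2 carry a prefix.
WEAK_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40})$", re.IGNORECASE)
STRONG_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2")

# Constructed sample; column names are hypothetical, not CYRISMA's export schema.
SAMPLE_EXPORT = """email,password,source,breach_date
john@company.com,Summer2023!,ExampleForum,2023-05-01
John@company.com,0123456789abcdef0123456789abcdef,ExampleShop,2021-02-11
old.user@company.com,$2b$12$abcdefghijklmnopqrstuv,ExampleApp,2019-08-30
vendor@supplier.example,,ExamplePaste,2024-01-15
"""

def password_kind(value):
    if not value:
        return "none"
    if value.startswith(STRONG_PREFIXES):
        return "strong_hash"
    return "weak_hash" if WEAK_HASH.match(value) else "plaintext"

def categorize(email):
    if email in CURRENT_EMPLOYEES:
        return "internal_employee"
    # Assumption: a corporate address missing from the directory is a former employee.
    domain = email.rsplit("@", 1)[-1]
    return "former_employee" if domain in CORPORATE_DOMAINS else "third_party"

def triage(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    exposures = Counter(r["email"].strip().lower() for r in rows)
    findings = []
    for r in rows:
        email = r["email"].strip().lower()
        category, kind = categorize(email), password_kind(r["password"].strip())
        # Illustrative weights: current staff, readable password, repeat exposure.
        score = 3 if category == "internal_employee" else 1
        score += 2 if kind in ("plaintext", "weak_hash") else 0
        score += 1 if exposures[email] > 1 else 0
        # Keep only the kind of password exposed, never the value itself.
        findings.append({"email": email, "category": category, "password": kind,
                         "exposures": exposures[email], "score": score})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

Calling triage(SAMPLE_EXPORT) returns the findings ordered by score, with both john@company.com rows first.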
Step 3: Notify Affected Users
When notifying impacted users, follow these steps:
Inform Users of Exposure: Clearly explain the breach and the details of the compromised data.
Password Reset Instructions: Advise users to change passwords immediately on any associated accounts.
Enable MFA: Strongly recommend enabling multi-factor authentication (MFA) wherever applicable.
Step 4: Enforce Password Reset (If Applicable)
For active accounts within your organization:
Initiate a password reset via your Identity and Access Management (IAM) system, such as:
Active Directory
Azure AD
Google Workspace
Ensure the new password meets complexity requirements and that old credentials are invalidated.
Step 5: Update Credentials Used in Tools & Systems
If the exposed credentials are linked to critical systems:
Update and rotate passwords immediately.
Log out of all active sessions on affected accounts and devices.
Apply updates to:
Remote Access (VPNs, RDP)
SaaS Platforms
Shared Admin Accounts
Step 6: Document and Track Actions in CYRISMA
Within the Dark Web Monitor Module:
Mark each entry as Reviewed, In Progress, or Remediated.
Use the checkbox or action button to update the status.
Add detailed remediation notes for future audits.
Export the updated CSV report to maintain a record of actions taken.
Step 7: Perform a Security Awareness Reminder
To reinforce cybersecurity best practices, remind employees to:
Never reuse company credentials for personal accounts.
Utilize a password manager to maintain unique credentials.
Remain vigilant for phishing attempts, especially following credential leaks.
Step 8: Rescan or Monitor Continuously
To maintain continuous protection:
Schedule regular re-scans to detect new breaches.
Increase scan frequency during high-risk periods or after significant breach announcements.
Step 9: Report to Management or Compliance
Prepare a summary report including:
Number of Exposed Credentials: Total instances found.
Risk Rating: Based on the severity of each finding.
Actions Taken: Details of remediated issues.
Outstanding Items: Any unresolved risks or pending actions.
Recommendations: Strategies to improve security posture.
Include in Your Report:
Attach the latest CSV export for reference.
Share insights on any recurring vulnerabilities or patterns.
By following these structured steps, you can efficiently manage dark web exposures and maintain a proactive stance on cyber hygiene. Regular monitoring and timely action will significantly reduce the risk of compromised credentials impacting your organization.