Step 5, Stakeholder notification and escalation: If any evidence of compromise is found, escalate to incident response immediately. Notify payment card brands and acquiring bank per PCI DSS breach notification obligations. Brief executive leadership given confirmed enterprise-level targeting. Update threat intelligence feeds with any confirmed IOCs.
Detection & Analysis
NIST 800-61r3 §3.1 (detection and analysis: incident declaration and notification), NIST 800-61r3 §3.4 (post-incident activities: lessons learned)
NIST 800-53 IR-2 (Incident Response Training), IR-4 (Incident Handling), IR-6 (Incident Reporting)
CIS Controls 19.1 (Establish and Maintain an Incident Response Process)
Compensating Control
For organizations without a formal IR function: (1) document evidence immediately by creating an incident log with date/time, compromised systems, IOCs, and evidence file paths (`echo "Incident: PolyShell, Time: $(date -u +%Y-%m-%dT%H:%M:%SZ), Systems: [list], Evidence: [paths]" >> incident_log_$(date +%s).txt`); (2) notify the payment processor through the documented breach notification process (your PCI DSS attestation document gives the processor contact and timeline, typically 30 days); (3) engage an external IR firm if internal capability is insufficient, and request their forensic preservation protocol (chain-of-custody form, evidence inventory, forensic imaging methodology) before they begin; (4) publish IOCs to the CISA AIS portal or a threat intelligence sharing platform (e.g., AlienVault OTX), anonymized if needed.
Preserve Evidence
Document the notification chain: (1) incident declaration form with date/time, affected systems, compromise indicators, and decision authority; (2) communication log with timestamps of all notifications (IR team, management, payment processor, legal); (3) evidence inventory spreadsheet listing every collected artifact (file paths, hashes, capture times); (4) IOC export (IPs, domains, file hashes, file paths) formatted for threat intel platform submission, one JSON record per indicator (e.g., `{"type": "file_hash", "value": "abc123...", "context": "PolyShell skimmer", "date": "2026-03-04"}`).
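The evidence inventory and IOC export from items (3) and (4) above, and the IOC publication step of the compensating control, as an added example that is not the runbook's own code. It assumes collected artifacts are local files, that the IOC type names are the four categories the runbook lists, and that each record follows the JSON example above; the `demo()` input is a constructed sample, and the resulting list is ready for `json.dumps` before submission.

```python
# Added example, not the runbook's own code. Assumptions: artifacts are local files;
# IOC type names are the runbook's four categories; record schema is its JSON example.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CONTEXT = "PolyShell skimmer"
IOC_TYPES = {"file_hash", "ip", "domain", "file_path"}

def sha256_file(path):
    """Hash in chunks so large captures (disk/memory images) need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory_entry(path, source_host, capture_time=None):
    """One evidence-inventory row: origin host, current path, hash, UTC capture time."""
    ts = (capture_time or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"source_host": source_host, "file_path": os.path.abspath(path),
            "sha256": sha256_file(path), "capture_time": ts}

def ioc_record(ioc_type, value, date, context=CONTEXT):
    """One IOC in the runbook's submission schema; unknown types are rejected."""
    if ioc_type not in IOC_TYPES:
        raise ValueError("unknown IOC type: %s" % ioc_type)
    return {"type": ioc_type, "value": value.strip(), "context": context, "date": date}

def export_iocs(inventory, extra_iocs, date):
    """file_hash IOCs for each inventoried artifact plus analyst (type, value) pairs, deduplicated."""
    seen, out = set(), []
    pairs = [("file_hash", row["sha256"]) for row in inventory] + list(extra_iocs)
    for ioc_type, value in pairs:
        key = (ioc_type, value.strip())
        if key not in seen:
            seen.add(key)
            out.append(ioc_record(ioc_type, value, date))
    return out

def demo(date="2026-03-04"):
    """Constructed sample: one artifact holding the FIPS 180 'abc' test vector."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "skimmer.js")
        with open(p, "wb") as f:
            f.write(b"abc")
        inventory = [inventory_entry(p, "web-01 (constructed)")]
        extras = [("domain", "example.invalid"), ("domain", " example.invalid")]
        iocs = export_iocs(inventory, extras, date)
    return inventory, iocs
```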