Part 2: More from DOJ on Cyber Investigations and Breach Preparedness
This is the second post in our two-part series about DOJ’s revised guidance on its “Best Practices for Victim Response and Reporting Cyber Incidents.” In the first installment, we looked at DOJ’s recommendations for preparedness. Today, we turn to the basics of data breach incident response and a list of DOJ’s “don’ts” when dealing with a hacker.
Responding to a Cyber Attack - Executing Your Incident Response Plan
The DOJ’s Best Practices guidance suggests that incident response plans include the following four-step process for responding to a cyber-attack.
- Conduct an Initial Assessment. Following an attack, a victim organization will need to immediately assess the scope and nature of the attack. Using available forensic logs, organizations should identify the systems that were affected, determine the cause or origin of the attack, and document user activity – both seemingly authorized and unauthorized. Organizations should also collect any communications that may relate to the incident — such as suspicious calls, emails, or requests — and any evidence that a criminal act may have occurred. Incident response firms can help collect information and make initial assessments in a way that preserves the chain of evidence.
- Mitigate Damage. The Best Practices also suggest that victim organizations immediately implement procedures to prevent further damage following an attack. This may include rerouting traffic, isolating compromised portions of the network, or deleting and restoring compromised data from a back-up source. DOJ also recommends that organizations take steps to document and record the actions taken to minimize damage resulting from the attack, and to ensure that crucial evidence is properly preserved.
- Collect Information. As a starting point, DOJ recommends that victim organizations take steps to preserve existing log files and forensically image affected computers or networks for future analysis. The Best Practices also suggest documenting ongoing suspicious activity. Other relevant information includes a description of incident-related events, the identity of personnel working on tasks related to the intrusion, a list of the systems, networks, and data affected, and information related to the damage to the organization’s network or potential exfiltration of information.
- Notifications. A basic incident response plan should also identify both the appropriate people within the organization to notify in the event of a cyber-attack and the method that should be used to do so. Law enforcement and regulators should also be notified where appropriate (e.g., the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies require financial organizations to provide notice of a cybersecurity event “no later than 72 hours from a determination” that a qualifying event has occurred). Other notifications might be required as well, including those mandated by commercial agreements.
Cyber Attack Don’ts
DOJ’s Best Practices guidance also includes a few tips about what “not” to do following a cyber-attack.
- Don’t Use a Compromised System to Communicate. To the extent possible, a victim organization should avoid using means of communication that may be compromised to discuss mitigation efforts. This may allow the perpetrator to disrupt mitigation, among other things.
- Don’t Retaliate. Victims of data breaches should not use information uncovered during an investigation to access or damage a computer that may have been involved with the cyber-attack. If an investigation reveals the identity of the perpetrator or, for example, an IP address, that information should be provided to law enforcement and not used to “hack back.”
What to Do Post-Cyber Incident
- Post-Incident Review. After recovering from a cyber-attack, victim organizations should conduct a post-incident review to assess performance and execution of the incident response plan. Such “lessons learned” sessions are almost universally helpful in taking a step back and assessing what was done right and where improvements or enhancements might be beneficial.
- Remain Vigilant. While it might seem obvious, once hit by a cyber-attack, organizations are often vulnerable to a second wave. By now, it should go without saying, but organizations should remain vigilant and continually improve (and practice) their plans. Oftentimes, intruders attempt to regain access to previously compromised networks; they often lie in wait for a second shot.
While the DOJ Best Practices cover the basics, that shouldn’t diminish their importance. It is often the organizations that focus on regularly enhancing their basic blocking and tackling of cybersecurity risks that are best positioned to deal with a crisis.