The Cybersecurity Unit of the U.S. Department of Justice released in April its “Best Practices for Victim Response and Reporting of Cyber Incidents,” which it says reflects “lessons learned by federal prosecutors while handling cyber investigations and prosecutions.” Much of the guidance is of the common sense variety. However, because it is relatively comprehensive and clearly presented in plain English, it is a useful tool for companies trying to stay on top of mushrooming cybersecurity threats.
Below are slightly edited extracts from the DOJ’s fifteen pages of guidance. Companies that do not currently have a cyber incident plan may want to use these guidelines as a starting point for developing one. Companies that already have a plan should use these guidelines to confirm that all bases are covered.
Steps to Take Before a Cyber Intrusion or Attack Occurs
- Identify your “crown jewels”. Because resources are finite, most companies must determine which of their data, assets and services warrant the most protection in order to make proper resource allocations.
- Have an actionable plan in place. The plan should provide specific, concrete procedures to follow in the event of a cyber incident.
- Have appropriate technology and services in place. This may include off-site data backup, intrusion detection capabilities, data loss prevention technologies and devices for traffic filtering or scrubbing.
- Have appropriate authorization in place to permit network monitoring. Companies should have proper mechanisms in place for obtaining user consent to monitor users’ communications so cyber incidents can be detected.
- Ensure your legal counsel is familiar with technology and cyber incident management to reduce response time during an incident. This can speed decision making and help ensure that incident responses are on firm legal footing.
- Ensure organization policies align with your cyber incident response plan. This might include, for example, revoking the network credentials of terminated employees and reasonable access controls on networks.
- Engage with law enforcement before an incident. Having a point of contact will facilitate any subsequent interaction and help cultivate bi-directional information sharing. The principal federal enforcement agencies are the FBI and the Secret Service, both of which regularly conduct cybersecurity outreach to companies likely to be targets of cyber attacks.
- Establish relationships with cyber information sharing organizations. This is particularly important for companies operating within identified critical infrastructure sectors.
Responding to a Computer Intrusion: Executing Your Incident Response Plan
- Make an initial assessment. It is important at the outset to determine whether the incident is malicious or a technical glitch in order to determine the nature of the assistance needed, the scope of the damage and the remedial efforts required.
- Implement measures to minimize continuing damage. Such steps may include rerouting network traffic, filtering or blocking an attack or isolating all parts of the compromised network.
- Record and collect information. Preserve a record of the system at the time of the incident for later analysis and potentially for use as evidence at a trial. (This may require the assistance of law enforcement personnel or professional incident response and forensic experts.) Keep logs, notes, records and data. Record activity during continuing attacks, for example, while a worm is propagating through the network or while an intruder is exfiltrating data.
- Notify the proper people and organizations. This will likely include key management personnel, law enforcement units (for example the FBI, Secret Service and/or The Department of Homeland Security). Importantly, it may also include potential victims.
What Not to Do Following a Cyber Incident
- Do not use the compromised system to communicate. If you must, be sure to encrypt any such communications. Also, do not disclose incident-specific information to unknown persons inquiring about an incident without first verifying their identity.
- Do not hack into or damage another network. “Hacking back” can damage another innocent victim’s system, rather than the intruder’s.
After a Computer Incident
Stay vigilant, even after it appears that everything is under control, since many intruders return to networks that they have previously compromised. Then, after you have determined that the company has fully recovered from the incident, initiate measures to prevent similar attacks in the future. This might include a post-incident review of the company’s response and an assessment of the strengths and weaknesses of that response. Take remedial steps, as necessary.