Cybersecurity incidents continue to grow in both volume and sophistication, with 64 percent more security incidents reported in 2015 than in 2014, according to a June 2016 report by the Ponemon Institute. The human instinct is to try to find those responsible. However, any attempt to access, damage or impair another system that appears to be involved in an attack is mostly likely illegal and can result in civil and/or criminal liability. Since many intrusions and attacks are launched from compromised systems, there’s also the danger of damaging an innocent victim’s system.
Following a breach, organizations should focus on mitigating damage and data loss and providing information to law enforcement. Partner at Ballard Spahr, LLP and former Assistant U.S. Attorney Ed McAndrew and Guidance Software President and CEO Patrick Dennis have compiled best practices for preparing and responding to a cyber-attack and working with law enforcement.
Depending on an organization’s needs, it may be cost prohibitive to protect their entire enterprise. Before creating a cyber incident plan, an organization should determine which of their data, assets, and services warrant the most protection.
Creating established plans and procedures to address what steps need to be taken after an attack can help any organization limit the amount of damage to their networks. This includes identifying who has lead responsibility for different elements of an organization’s cyber incident response, the ability to contact critical personnel at all times, knowing what mission critical data, networks or services should be prioritized for the greatest protection and how to preserve data related to the incident in a forensically sound manner. It also helps law enforcement’s ability to locate and apprehend the perpetrators
Having a pre-existing relationship with law federal enforcement officials, can help facilitate any interactions relating to a breach. It will also help establish a trusted relationship that cultivates bi-directional information sharing that is beneficial to both the organization and law enforcement.
An organization’s awareness of new or commonly exploited vulnerabilities can help it prioritize its security measures. There are organizations that share real-time intelligence on threats. For example, Information Sharing and Analysis Centers, which analyze cyber threat information, have been created in each sector of the critical infrastructure. Some centers also provide cybersecurity services.
Once an attack or breach is identified, it’s critical to assess the nature and scope of the incident. It is also important to determine whether the incident was a malicious act or a technological glitch. The nature of the incident will determine what kind of assistance the organization will need and what type of damage and remedial efforts may be required.
Ideally, the victim of a cyber attack will make a forensic image of the affected computers as soon as the incident is detected. Doing so preserves a record of the system for analysis and potentially for use as evidence at a trial. Organizations should restrict access to these materials in order to maintain the integrity of the copy’s authenticity, safeguard it from unidentified malicious insiders and establish a chain of custody.
To prevent an attack from spreading or the loss of more valuable data, companies must take steps to stop ongoing traffic caused by the perpetrator. Preventative measures include rerouting network traffic, filtering or blocking a Distributed Denial of Service attack or isolating all or parts of the compromised network. Also keep detailed records of what steps were taken to mitigate the damage as well as any costs incurred as a result of the attack.
In the past, some companies have been reluctant to contact law enforcement following a cyber incident due to concerns that a criminal investigation might disrupt their business. However, the FBI and US Secret Service are committed to causing as little disruption to an organization’s normal operations as possible. These two agencies will also attempt to coordinate statements to the news media concerning the incident, ensuring that information harmful to a company’s interests are not needlessly disclosed.
Contacting other potential victims through enforcement is preferable. Doing so protects the initial victim from potentially unnecessary exposure and allows law enforcement to conduct further investigations, which may uncover additional victims.