Assistant United States Attorney and Cybercrime Coordinator with the U.S. Attorney's Office in the District of Delaware Ed McAndrew, and Guidance Software Director of Security Anthony Di Bello, have compiled best practices for preparing and responding to a cyber attack and working with law enforcement:
* **Have an incident response plan.** Creating established and actionable plans and procedures for managing and responding to a cyber intrusion can help organizations limit the damage to their computer networks and minimize work stoppage. It also helps law enforcement locate and apprehend the perpetrators.
* **Identify key assets.** It may be cost-prohibitive to protect the entire enterprise. Before creating a cyber incident plan, an organization should determine which of its data, assets and services warrant the most protection. The Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) provides excellent guidance on risk management planning and policies and merits consideration.
* **Make an initial assessment of the threat.** Once an attack or breach is identified, it is critical to assess the nature and scope of the incident. It is also important to determine whether the incident was a malicious act or a technological glitch. The nature of the incident will determine what kind of assistance the organization will need and what type of damage and remedial efforts may be required.
* **Engage with law enforcement before an attack.** Having a pre-existing relationship with federal law enforcement officials can help facilitate any interaction relating to a breach. It will also help establish a trusted relationship that cultivates bi-directional information sharing, which benefits both the organization and law enforcement.
* **Have a post-attack plan of action.** Establish procedures addressing what steps you need to take after an attack. This includes identifying who is responsible for each element of the organization's cyber incident response, having the ability to contact critical personnel at all times, knowing which mission-critical data, networks or services should be prioritized for the greatest protection, and knowing how to preserve data related to the incident in a forensically sound manner.
* **Capture the extent of the damage.** Ideally, the victim of a cyber attack will make a forensic image of the affected computers as soon as the incident is detected. Doing so preserves a record of the system for analysis and potentially for use as evidence at trial. Organizations should restrict access to these materials in order to preserve the integrity and authenticity of the copy. Safeguard these materials from unidentified malicious insiders and establish a chain of custody.
* **Take steps to minimize additional damage.** To prevent an attack from spreading, you must take steps to stop ongoing traffic caused by the perpetrator. Preventive measures include rerouting network traffic, filtering or blocking a Distributed Denial of Service (DDoS) attack, or isolating all or part of the compromised network.
* **Keep detailed records.** Take immediate steps to preserve relevant existing logs. All personnel participating in the incident response should keep an ongoing, written record of the steps taken to respond to and mitigate the incident and of any costs incurred as a result of the attack. They should record all incident-related communications; the identity of the systems, accounts, services, data and networks affected by the incident; and information relating to the amount and type of damage inflicted.
* **Notify law enforcement.** Many companies have been reluctant to contact law enforcement following a cyber incident due to concerns that a criminal investigation might disrupt their business. However, the FBI and U.S. Secret Service cause as little disruption to an organization's normal operations as possible. These agencies will also attempt to coordinate statements to the news media concerning the incident, ensuring that information harmful to a company's interests is not disclosed.
* **Work with law enforcement to contact other potential victims.** Contacting other potential victims through law enforcement is preferable to contacting them directly. Doing so protects the initial victim from potentially unnecessary exposure and allows law enforcement to conduct further investigation, which may uncover additional victims.
* **Stay informed about threats.** An organization's awareness of new or commonly exploited vulnerabilities can help it prioritize its security measures. There are organizations that share real-time intelligence on threats. For example, Information Sharing and Analysis Centers, which analyze cyber threat information, have been created in each critical infrastructure sector. Some centers also provide cybersecurity services.
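The forensic-imaging and record-keeping points above (capture the extent of the damage; keep detailed records) in working code, as an added example that is not from the original article or from either author: a small Python helper that hashes an acquired image, appends chain-of-custody entries naming the handler and action, and later re-verifies the image so that any modification after acquisition is detected. The image file name, the handler names and the JSON-lines log layout are assumptions made for this example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    # Stream the file so a multi-gigabyte image never has to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_custody(log_path, evidence_path, handler, action, note=""):
    # Append one entry (who, what, when, hash) to an append-only JSON-lines log.
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "evidence": os.path.basename(evidence_path),
        "sha256": sha256_file(evidence_path),
        "handler": handler,
        "action": action,
        "note": note,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_custody(log_path, evidence_path):
    # Re-hash the evidence and require every logged hash for it to match.
    name = os.path.basename(evidence_path)
    with open(log_path) as f:
        logged = [e["sha256"] for e in map(json.loads, f) if e["evidence"] == name]
    current = sha256_file(evidence_path)
    return bool(logged) and all(h == current for h in logged)

def demo():
    # Constructed sample: a tiny stand-in for a disk image, not real evidence.
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "workstation-07.E01")  # hypothetical file name
        log = os.path.join(d, "custody.jsonl")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"constructed sample image")
        record_custody(log, image, "analyst-a", "acquired", "imaged on detection")
        record_custody(log, image, "analyst-b", "received", "transferred for analysis")
        intact = verify_custody(log, image)
        with open(image, "r+b") as f:  # simulate an unauthorized modification
            f.seek(0)
            f.write(b"\xff")
        return intact, verify_custody(log, image)
```

`demo()` returns `(True, False)`: the image verifies against both custody entries until a single byte is altered, after which verification fails.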