Preparing and Responding to Cyber Attacks: A Comprehensive Guide
As cybercriminals constantly look for new ways to exploit security measures, it is important for organizations to have established plans for responding to a cyber attack. The following best practices, compiled by experts like Ed McAndrew from the U.S. Attorney’s Office and Anthony Di Bello from Guidance Software, can help minimize the damage and assist in apprehending the attackers.
Having an Incident Response Plan
The first and foremost step in preparing for a cyber attack is to have an incident response plan. This plan should include established and actionable procedures for managing and responding to a cyber intrusion, ensuring that the organization can limit the damage to its computer networks and minimize work stoppage. It also helps law enforcement locate and apprehend the perpetrators, enhancing the overall effectiveness of the response.
Identifying Key Assets
Given the vast array of data and services an organization may have, it is cost-prohibitive to protect everything. Therefore, it is crucial to identify which data assets and services warrant the most protection. Using the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) can provide excellent guidance for risk management planning and policies, ensuring that critical assets are prioritized for protection.
Initial Assessment of the Threat
Upon identifying an attack or breach, the first step is to assess the incident's nature and scope. It is essential to determine if the incident is a malicious act or a technological glitch. The nature of the incident will guide the organization in determining the type of assistance needed and the necessary damage control and remedial efforts.
Engaging with Law Enforcement Before an Attack
Maintaining a pre-existing relationship with federal law enforcement officials can facilitate any interaction relating to a breach. This relationship also helps establish a trusted, bi-directional information-sharing mechanism that benefits both the organization and law enforcement.
Post-Attack Plan of Action
After an attack, organizations must follow established procedures for mitigating the damage effectively. This includes identifying responsible personnel, maintaining constant access to critical personnel, prioritizing mission-critical data, and ensuring data is preserved in a forensically sound manner for later reference.
Capturing the Extent of the Damage
It is important to make a forensic image of affected computers as soon as the incident is detected. This preserves a record of the system for later analysis and as evidence at trial. Organizations must ensure the integrity of these materials (for example, by recording a cryptographic hash of each image at acquisition) and establish a chain of custody to protect against malicious insiders.
Minimizing Additional Damage
To prevent an attack from spreading, organizations must take steps to stop the attacker's ongoing traffic. Technical measures such as rerouting network traffic, filtering or blocking Distributed Denial of Service (DDoS) attacks, and isolating compromised parts of the network can be effective. Separating production traffic from administrative traffic can also help prevent such incidents.
Keeping Detailed Records
Immediate steps should be taken to preserve relevant logs. Personnel involved in the incident response should maintain ongoing written records of actions taken, costs incurred, and all incident-related communications. Recording the identity of affected systems, accounts, services, data, and networks can provide valuable information for future reference.
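The two preceding sections call for preserving forensic images with their integrity protected and for keeping a written, tamper-evident record of who handled the evidence and when. The following is an added example, not code from the original guide or from any of the experts it cites: it hashes an evidence file at acquisition, appends each custody action to a hash-chained ledger, and verifies later that neither the file nor the ledger has been altered. The evidence identifier, analyst names and sample image bytes are constructed for illustration.

```python
"""Evidence integrity check and chain-of-custody ledger (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first ledger entry


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLedger:
    """Append-only custody log; each entry commits to the previous one,
    so editing or deleting any earlier entry breaks the chain."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        payload = json.dumps(entry, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def record(self, evidence_id, action, actor, file_hash, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "evidence_id": evidence_id,
            "action": action,        # e.g. acquired, transferred, examined
            "actor": actor,
            "sha256": file_hash,     # hash of the evidence at this step
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        """Recompute every entry hash and link; False on any inconsistency."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if (e["seq"] != i or e["prev_hash"] != prev
                    or self._entry_hash(body) != e["entry_hash"]):
                return False
            prev = e["entry_hash"]
        return True


def verify_evidence(ledger, evidence_id, path):
    """Compare the file's current hash with the hash recorded at acquisition."""
    acquired = [e for e in ledger.entries
                if e["evidence_id"] == evidence_id and e["action"] == "acquired"]
    if not acquired:
        return False
    return sha256_file(path) == acquired[0]["sha256"]


def demo():
    """Constructed scenario: acquire, transfer, then detect tampering."""
    tmpdir = tempfile.mkdtemp()
    image = os.path.join(tmpdir, "host01.img")   # constructed stand-in for a disk image
    with open(image, "wb") as f:
        f.write(b"constructed sample image bytes")

    ledger = CustodyLedger()
    h = sha256_file(image)
    ledger.record("EV-001", "acquired", "analyst.a", h, "image of host01 (constructed)")
    ledger.record("EV-001", "transferred", "analyst.b", h, "handed to examiner")
    intact_before = verify_evidence(ledger, "EV-001", image) and ledger.verify_chain()

    # Simulate tampering with the evidence file and with an earlier ledger entry.
    with open(image, "ab") as f:
        f.write(b"x")
    image_ok = verify_evidence(ledger, "EV-001", image)
    ledger.entries[0]["actor"] = "someone.else"
    chain_ok = ledger.verify_chain()
    return intact_before, image_ok, chain_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

In practice the ledger would be written to storage the responders cannot silently rewrite (write-once media, a separate logging host, or a signed export), and the acquisition hash would be recorded by the tool that made the image; the point of the chained entries is that a single altered record is detectable without trusting the person who altered it.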
Notifying Law Enforcement
While many companies hesitate to contact law enforcement due to concerns about disrupting business, it is important to note that agencies like the FBI and U.S. Secret Service strive to minimize the impact on the organization's normal operations. They also coordinate their statements to the news media to prevent information harmful to the company's interests from being disclosed.
Coordinating with Other Potential Victims
Contacting other potential victims through law enforcement is preferable to contacting them directly. This approach protects the initial victim from potential exposure and allows law enforcement to conduct further investigations which may uncover additional victims. Coordination with other potential victims can help contain and resolve security breaches more effectively.
Staying Informed about Threats
An organization's awareness of new or commonly exploited vulnerabilities can help it prioritize its security measures. Intelligence-sharing organizations such as Information Sharing and Analysis Centers (ISACs) can provide real-time threat intelligence. By being proactive, organizations can stay ahead of potential cyber threats.