The Cyber Incident Survival Guide
The worst has happened. Someone hacked your company's network, stealing thousands of documents and compromising customer and employee data in the process. And you're not sure what else the hackers had access to, if they are still in your network, or who is responsible.
If your company hasn't prepared for a major cyber incident of this scope, this scenario can quickly become overwhelming as you attempt to work with law enforcement, deal with the media, and restore business operations.
With more than 2,100 confirmed data breaches in 2015 and almost 80,000 incidents, according to Verizon's 2015 Data Breach Investigations Report, developing an incident response plan for a cyber incident should be a top priority.
"Protecting your organization from a data breach could save your business tens of millions of dollars, and help maintain customer loyalty and shareholder confidence," the report explains. "Data security isn't something that should be left to the IT department. It's so important that it should matter to leaders, and indeed employees, from all functions."
To help security leaders plan for the worst and know what to expect in the aftermath, Security Management spoke with experts about their best practices for cyber incident response.
Before the Breach
Just as a company has an incident response plan in case the building catches on fire and burns to the ground, it needs to have an incident response plan to handle a cyber incident before one actually occurs.
Craft a plan. Gary Bahadur, senior director of FTI Consulting's Risk Management Practice, helps companies craft these plans on a regular basis. He suggests that organizations first think about how they are most likely to be attacked and who is most likely to be behind the attack.
For instance, banks that allow customers to conduct transactions online—say through an online banking portal—may be vulnerable to a breach through their Web applications. Or high-tech firms may be most concerned about an insider threat compromising their intellectual property.
"The first step is determining how we're going to be attacked and then figuring out what are the best controls and roadblocks to block the most likely scenarios," Bahadur explains.
From that point, companies can use the U.S. Department of Justice's (DOJ) Cybersecurity Unit's Best Practices for Victim Response and Reporting of Cyber Incidents guidance to craft an actionable incident response plan.
It suggests, at a minimum, identifying who has the lead responsibility for different elements of the company's cyber incident response, from decisions on public communications to information technology to implementation of security measures to resolving legal questions.
Companies should also determine how to contact critical personnel at any time, how to proceed if critical personnel are unreachable, and what mission-critical data, networks, or services should be prioritized for the greatest protection.
"All personnel who have computer security responsibilities should have access to and familiarity with the plan, particularly anyone who will play a role in making technical, operational, or managerial decisions during an incident," the guidance says.
Completing this process is becoming especially important because a new legal standard is emerging as organizations develop a track record of reasonableness for assessment, planning, incident response, and recovery, says Ed McAndrew, partner in Ballard Spahr LLP's Privacy and Data Security Group and a former federal prosecutor.
"There's a new legal standard that is emerging where organizations need to employ reasonable data security standards to mitigate foreseeable risk," explains McAndrew, who is also a former DOJ national security cyber specialist. "Companies need to have appreciated the risk, attempted to manage the risk, and then have a plan for attempting to respond to these incidents."
After companies identify their low-hanging fruit and craft an incident response plan, Bahadur suggests creating a roadmap to analyze the likelihood of that particular attack and how to prevent it. Companies should also consider how they will create a long-term strategy that continues to adapt to new security challenges as new business functions are developed.
"You have to be able to grow your security organization and its functionality," he adds.
Consider law enforcement. While companies are developing their incident response plans, they need to consider their relationship with local and national law enforcement.
McAndrew says there's a "real appetite in law enforcement" to develop relationships with the private sector when it comes to cybersecurity. This is because law enforcement understands that "effective investigation of cyber requires a level of trust and personal relationships between investigators and their counterparts inside organizations," he explains.
For this reason, the government has created a variety of outreach programs that target the private sector, including InfraGard, Information Sharing and Analysis Centers and Information Sharing and Analysis Organizations, and the U.S. Department of Homeland Security's new cybersecurity information sharing program.
"Joining these organizations and attending those outreach programs is a great and easy way to begin to build relationships" with law enforcement, something companies should do before a cyber incident occurs, McAndrew says.
Companies can also reach out to their local FBI office, because agents there are often willing to help companies conduct cybersecurity risk assessments, incident planning, and data security planning.
These relationships can also help companies know what to expect from their law enforcement partners, should a breach occur, says Mick Stawasz, deputy chief for computer crime and head of the DOJ Cybersecurity Unit.
"Before there's an event, we, the FBI, and other investigative agencies are trying to lay the groundwork so that there are relationships in place and an understanding of what may happen when we arrive," Stawasz explains. "We're out there doing events to try and tell people, when we show up, this is the type of information to have before an event."
For instance, he says that companies should think about what data they can share with law enforcement and what kind of access they will be willing to provide should an incident occur. This can help streamline the process of an incident investigation because companies won't be doing original legal research "while the clock is ticking," Stawasz says. "We really encourage people to think ahead of time because there are certain things we're going to want."
However, McAndrew says that while it's great to engage with law enforcement, companies should do so carefully. "You need to understand the levels of engagement, and the logistics where law enforcement can be helpful, but also where engaging them may result in an investigation," he adds.
To help companies navigate this area, McAndrew recommends relying on outside counsel with experience in cybersecurity
Practice makes perfect. After companies outline their cyber incident response plans, they need to practice them to identify problem areas and ensure that they are effective.
Bahadur recommends conducting a tabletop exercise with all the key stakeholders in the room, including representatives from the C-suite, IT, public relations, legal, marketing, and even sales staff.
"People say that a cyber breach is an IT problem," he explains. "It's not...when a breach occurs we need our PR people. We need legal to discuss what the repercussions are for the industry we are in. And we need executive support, marketing, and sales because this could impact relationships with clients."
Leonard Bailey, special counsel for national security in the DOJ Computer Crime and Intellectual Property Section, agrees that practicing the incident response plan is important because it reinforces what people's roles are when an incident occurs, and allows companies to designate an alternate to fill those roles should the designated person not be available.
During the Breach
Despite careful preparation and cyberattack prevention tactics, even "the best laid plans of mice and men often go awry," as Robert Burns wrote. But by remembering the following tips, companies can prevent a cyber incident from becoming a cyber crisis.
Make an assessment. When companies identify a cyber incident, they should immediately make an assessment about the nature and scope of the incident, according to the DOJ guidance.
"In particular, it is important at the outset to determine whether the incident is a malicious act or a technological glitch," the guidance explains. "The nature of the incident will determine the type of assistance an organization will need to address the incident and the damage and remedial efforts that may be required."
To identify the nature of an incident, companies can have systems administrators attempt to identify the affected computer systems, the origin of the incident, any malware used in connection with the incident, remote servers to which data was sent, and the identity of any other victim organizations.
The initial assessment should also document what users are currently logged on, what the current connections to the computer system are, what processes are running, and all open ports and their associated services and applications.
"Any communications (in particular, threats or extortionate demands) received by the organization that might be related to the incident should also be preserved," the guidance explains. "Suspicious calls, e-mails, or other requests for information should be treated as part of the incident."
Maintain evidence. Often, the first reaction when a company learns about a cyberattack is to do whatever it takes to stop the bleeding.
"The first thing companies do is unplug the device that's been hacked to stop the bleeding, potentially," Bahadur says. "But if you want to do forensic analysis—track the attack or report it—if you change the environment and erase a server that's been hacked, you're losing really valuable evidence."
To prevent evidence from being compromised, Bahadur says companies should follow good forensic practices—something most organizations struggle with. "Most companies don't handle chain of custody well," he adds. "They will literally screw up the whole process and tamper the evidence so badly."
Instead, companies should create a chain of custody for evidence and should have IT staff work with the legal department to ensure that technology is in place to maintain and preserve that evidence, says Patrick Dennis, CEO of Guidance Software.
"If you want to have an infrastructure in place that includes people, technology, and policies that can work with law enforcement and produce evidence, there has to be a program put in place beforehand to do that," he explains. "Otherwise, generally they will end up compromising some or all of that evidence."
Notify law enforcement. Once an initial assessment has been made and evidence has been gathered, managers and other personnel within the organization should be notified following the protocols outlined in the cyber incident response plan.
Then, if the company suspects that criminal activity has taken place, it can consider notifying law enforcement. The FBI and the U.S. Secret Service conduct cyber investigations, and contacting law enforcement may prove beneficial for victim organizations, because law enforcement can use tools and methods typically not available to private companies.
"These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data," the DOJ guidance explains. "In addition, a cyber criminal who is successfully prosecuted will be prevented from causing further damage to the company or to others, and other would-be cyber criminals may be deterred by such a conviction."
When it comes to reaching out to the FBI, McAndrew recommends that companies use their knowledge about the bureau because some agents are "true superstars" when it comes to cybersecurity. "Not all agents are created equal, just like not all lawyers are created equal," he jokes.
And in some cases, it may be better to have someone on the corporate legal team reach out to a U.S. Attorney's Office to use a lawyer-to-lawyer relationship.
"Speaking lawyer to lawyer can sometimes be more helpful," McAndrew says. "I know that if I get them interested in the matter, I won't have to cold call an FBI office I've never dealt with."
And everyone should be on the same page about what's happening to prevent information from falling through the cracks, or being inadvertently shared.
"Is the IT department the one that has the relationship with the FBI and is legal out of the picture?" McAndrew asks. "Is IT sharing information without legal's knowledge? Is senior management briefed and knowledgeable about what happens next when you begin interacting with law enforcement, and are they willing to do those things?"
Asking these questions—often ahead of time—will help companies simplify decision making if an incident occurs, he adds.
Avoid pitfalls. While there are many actions companies should take following a cyber incident, the DOJ guidance explicitly urges companies not to use compromised systems to communicate.
"If the victim organization must use the compromised system to communicate, it should encrypt its communications," the guidance says. "To avoid becoming the victim of a social engineering attack, employees of the victim organization should not disclose incident-specific information to unknown communities inquiring about an incident without first verifying their identity."
The DOJ guidance also says companies should not hack into or damage another network following a cyber incident.
"Regardless of motive, doing so is likely illegal, under U.S. and some foreign laws, and could result in civil and/or criminal liability," it explains. "Furthermore, many intrusions and attacks are launched from compromised systems. Consequently, 'hacking back' can damage or impair another innocent victim's system rather than the intruder's."
After the Breach
Once companies have managed to stop the bleeding of a cyberattack, they may find themselves in court if the perpetrators of a breach are prosecuted. Because of this, Bailey and Stawasz explain that companies need to keep a potential court appearance in mind.
Victim status. When a cyber incident happens, it's important for companies to remember that they are a victim of a crime, and that prosecutors should treat them as such, Stawasz says.
"We really are trying to help. We will work with them in the process of an investigation, and with luck a prosecution—of somebody—for what was done," he explains.
Stawasz also says that the DOJ is trying to do a better job of keeping companies informed of how the investigation and prosecution are proceeding. Companies have a right to be informed at various stages, such as before a case is resolved, when charges are brought, if a plea deal is made, and to appear to make a sentencing statement if an individual is convicted.
"We encourage them to make a statement to highlight for the public and the court the impact a cybercrime has on a victim," Stawasz explains.
Remain vigilant. After a cyber incident has been resolved and appears to be under control, it's important for companies to remain vigilant in case of future attempts to breach their systems.
"It is possible that, despite best efforts, a company that has addressed known security vulnerabilities and taken all reasonable steps to eject an intruder has nevertheless not eliminated all of the means by which an intruder illicitly accessed the network," the DOJ guidance explains. "Continue to monitor your system for anomalous activity."