The US Department of Justice (DOJ) has released a helpful set of “best practices” for planning for and responding to cyberattacks. The guide—drafted by DOJ’s Computer Crime and Intellectual Property Section—offers more concrete and specific guidance for companies than the National Institute of Standards and Technology (NIST)’s Cybersecurity Framework, though its focus is more limited. Companies would be wise to consult the guidance as they formulate their cyber incident response plans and evaluate their state of readiness.
In Best Practices for Victim Response and Reporting of Cyber Incidents, DOJ offers advice on what steps to take before an attack occurs, how best to respond to an incident, and what to do after an incident. (The advice will ring a bell for anyone familiar with Steptoe’s Data Breach Toolkit, which may be why we like it.) Some of the most important advice includes:
BEFORE AN ATTACK
- Identify Your “Crown Jewels” – Determine what data, assets, and services warrant the most protection and prioritize security measures accordingly.
- Have an Actionable Plan in Place Before an Intrusion Occurs – Decide who has lead responsibility for elements of the response, how to contact people at any time of day or night, how to preserve critical evidence, and how to decide whom to notify (individuals, customers, law enforcement, regulators etc.), and then train and exercise the plan.
- Have Appropriate Technology and Services Available Before an Incident Takes Place – This can include off-site data back-up, intrusion detection capabilities, devices for traffic filtering, and technology for logging network activity.
- Have Appropriate Authorization to Permit Network Monitoring – Be sure to have network users’ consent to monitor network activity before an incident takes place, through log-in banners, workplace policies, training, etc. Logging may be critical to a company’s ability to detect, identify, and trace an attack.
- Ensure Your Legal Counsel is Familiar with Technology and Cyber Incident Management to Reduce Response Time During an Incident – “Legal counsel that is accustomed to addressing these types of issues that are often associated with cyber incidents will be better prepared to provide a victim organization with timely, accurate advice.” We couldn’t agree more.
- Engage with Law Enforcement Before an Incident – You’re likely to get a prompt and helpful response from law enforcement if you have established a relationship with particular individuals and offices before an incident. (Your legal counsel should be able to help you accomplish that.)
RESPONDING TO AN INCIDENT
- Make an Initial Assessment – Using system logs, identify the affected systems, the apparent origin of the attack, any malware used, any remote servers to which data were sent, the identity of other victims, which users are logged on, what computers are connected to the system, which processes are running, and what ports and services and applications are open. Preserve relevant communications (including suspicious calls or emails) and log files that might relate to the intrusion.
- Implement Measures to Minimize Continuing Damage – As necessary and depending on the circumstances, reroute network traffic, filter or block a distributed denial-of-service attack, isolate compromised parts of the network, and block further illegal access.
- Record and Collect Information – Make a forensic image of the affected computers to preserve a record for later analysis and potentially for use as evidence at trial, and keep logs of system activity and records of all steps undertaken by the response team and of any continuing attacks.
- Notify All Appropriate Parties – Notify appropriate managers and other personnel within the organization. Decide whether law enforcement and regulators should be called. Evaluate breach notification obligations under state (and federal) law. Determine whether to contact other victims in order to prevent further damage.
AFTER AN INCIDENT
- Conduct a post-incident review of the response and assess the company’s performance. Note any deficiencies and gaps in the response, take remedial steps and (in our view) adjust the plan as appropriate.