The U.S. Department of Justice (DOJ), Computer Crime and Intellectual Property Section (CCIPS) Cybersecurity Unit recently issued a comprehensive list of Best Practices for Victim Response and Reporting of Cyber Incidents. While the recommendations were "drafted with smaller, less well-resourced organizations in mind," the measures can likewise be beneficial to larger organizations. The DOJ emphasized that the best time to plan for a cyber incident is before it occurs. The recommendations are broken down by the cyber incident life cycle, identifying what companies should do before, during and after a cyber-attack.
The DOJ set forth several measures that a company should take before it suffers a cyber incident:
- Asset Prioritization - Determine which data, assets, and services warrant the most protection and prioritize efforts accordingly. The DOJ also backed the NIST Cybersecurity Framework as an ideal resource for cyber risk management guidance.
- Incident Response Plan - Companies should have an actionable incident response plan (IRP) that provides specific, concrete procedures for cyber incidents. The DOJ urged that, at a minimum, the IRP should address: (1) who will serve as incident command; (2) communication protocols, including procedures regarding how to proceed when critical personnel are unavailable; (3) asset prioritization; (4) forensic preservation; (5) notification procedures; and (6) engagement with law enforcement and third-party vendors.
- Training & Exercises - All personnel with responsibilities under the IRP should have both access to and familiarity with the plan. The DOJ stressed that the best way for organizations to ensure "institutionalized familiarity" with the IRP is to regularly conduct personnel training as well as cyber exercises.
- Technology & Network Monitoring - Companies should have in place, or have ready access to, the technology and services needed for the incident response process, such as off-site data back-up, intrusion detection capabilities, data loss prevention technologies, and traffic filtering or scrubbing devices. Organizations should also adopt necessary procedures for obtaining user consent to network monitoring.
- Legal Counsel - Ensure your organization's legal counsel is well-acquainted with the cyber incident management process and related laws. Specifically, the DOJ stated, "Having ready access to advice from lawyers well acquainted with cyber incident response can speed an organization's decision making and help ensure that a victim organization's incident response activities remain on firm legal footing."
- Consistent Policies - Review and assess other corporate policies, such as human resources and information technology (IT) policies, to ensure they align with the IRP and are designed to minimize the risk of cyber incidents (e.g., revoking network credentials of terminated employees and access controls).
- Law Enforcement & Information Sharing - Establish relationships with law enforcement and cyber information sharing organizations, such as Information Sharing and Analysis Centers (ISACs).
The DOJ's guidance pointed out that a robust IRP goes beyond merely providing procedures for handling an incident; it also gives direction for how a company can continue to operate while managing the incident as well as how to coordinate with outside parties during an investigation.
The DOJ emphasized that any organization's IRP should, at a minimum, give serious consideration to the following steps:
- Step 1: Assessment - Immediately assess the nature and scope of the incident and determine whether it is a malicious act or a technological glitch. Appropriate network logging capabilities are key to identifying the source of a cyber incident and should be utilized to identify, for example, affected systems, incident origin, associated malware, remote servers receiving data and other victim organizations. The organization should also preserve all relevant communications and files.
- Step 2: Mitigation - Implement measures to minimize and stop ongoing damage, such as rerouting network traffic, filtering or blocking a distributed denial-of-service attack, or isolating all or parts of the compromised network. In the event of a cyber intrusion, the system administrator may choose to either block illegal access or instead watch the illegal activity to obtain further information regarding the source and scope of the attack. The organization should be sure to keep detailed records of all mitigation tactics deployed during the incident as well as associated costs incurred.
- Step 3: Recordkeeping - The organization should take three primary actions in order to record and collect information pertaining to the incident: (1) forensically image the affected computers; (2) preserve relevant existing logs and keep an ongoing, written record of all steps taken; and (3) record all activity related to an ongoing attack. The DOJ underscored the importance of immediately enabling logging on affected servers if such capability is not already in place.
- Step 4: Notification - The DOJ suggested that victim organizations take steps to notify the following parties during a cyber incident: (1) relevant personnel within the organization; (2) law enforcement (noting that companies that cooperate with law enforcement may be viewed more favorably by regulators); (3) the Department of Homeland Security's National Cybersecurity & Communications Integration Center (NCCIC), which provides certain incident response services; and (4) other potential victim organizations (mentioning that doing so via law enforcement may be preferable).
The DOJ also suggested actions to take after a cyber incident is seemingly under control:
- Ongoing Monitoring - Even if it appears that the incident has ceased, organizations should remain vigilant and continue to monitor their systems for anomalous activity.
- Lessons Learned - After the organization has recovered from the attack, it should conduct a post-incident review of the response process to identify and address deficiencies and gaps, including an assessment of whether the organization followed the steps described herein.
Cyber Incident Missteps
The DOJ also articulated what not to do during a cyber incident:
- Communicating via the Compromised System - Refrain from using a system suspected of being compromised to discuss the incident or the response process. If doing so is not possible, companies should encrypt their communications. Employees should also be trained on communication protocols to prevent incident-related disclosures to unknown (or unauthorized) parties.
- "Hacking Back" - The DOJ stressed that organizations should never attempt to access, damage or impair another system that may seem to be involved in the attack (i.e., "hacking back"), noting that doing so is likely illegal and could also harm innocent victims' systems (for example, where the attack was launched from another compromised system).
The guidance also identified several areas of potential legal liability, including surveillance and privacy considerations as well as "hack back" measures. In particular, the DOJ went into great detail regarding methods for obtaining consent to network monitoring and stressed that organizations should always "notify users that their use of the system constitutes consent to the interception of their communications and that the results of such monitoring may be disclosed to others, including law enforcement." The DOJ also highlighted that Fourth Amendment concerns may be implicated for government entities or those acting as an instrument or agent of the government.
The DOJ also issued a warning against "hacking back," stating that such measures, regardless of motive, are likely illegal under both U.S. and foreign laws and could result in civil and/or criminal liability. Although the guidance is voluntary, organizations should take heed of the DOJ's view that "hacking back" is typically illegal, as CCIPS (housed under the DOJ Criminal Division) has jurisdiction to prosecute computer-related crimes.
The DOJ also went to great lengths to emphasize the importance of cooperation with law enforcement and Federal agencies, both before and during a cyber incident. Specifically, the DOJ suggested that having a point-of-contact and pre-existing relationship with law enforcement will facilitate future cooperation if assistance is needed and will also help cultivate a bi-directional information sharing relationship.
The DOJ also recommended immediately contacting law enforcement if an organization suspects an incident constitutes criminal activity, noting that the Federal Bureau of Investigation (FBI) and Secret Service "place a priority on conducting cyber investigations that cause as little disruption as possible to a victim organization's normal operations and recognize the need to work cooperatively and discreetly with victim companies." The DOJ also recommended that companies share cyber incident-related press releases with law enforcement before making them public in order to avoid compromising an ongoing investigation.
In stressing engagement with law enforcement, the guidance also highlighted the benefits to victim organizations, such as the fact that law enforcement may be in a position to leverage legal authorities and tools that would otherwise be unavailable to private entities. Of particular significance is the DOJ's comment that companies that cooperate with law enforcement are viewed more favorably by regulators during cyber incident investigations.
Interpreting the Guidance
While the measures prescribed by the DOJ are not mandatory, companies should take them into consideration when developing and assessing their information security program and cybersecurity risk management framework. The suggested best practices are consistent with our previous recommendations for cyber incident preparedness and will help facilitate a coordinated and streamlined response process when a cyber incident does occur.
Moreover, as it is generally accepted that a cyber-attack is not a matter of "if" but "when," regulators and consumers alike expect that companies take these matters seriously and adequately prepare for a cyber event. Similarly, regulators and class action attorneys frequently look to government-issued best practices as well as those that are generally accepted by industry as a benchmark for measuring whether a company took adequate steps to protect against and prepare for a cyber incident. As the DOJ rightly notes, "The best time to plan such a response is now, before an incident occurs."
View the DOJ's complete list of cybersecurity recommendations.