On April 29, 2015, the Cybersecurity Unit in the Computer Crime and Intellectual Property Section (CCIPS) of the U.S. Department of Justice released a best practices document (Document) for victims of cyber incidents. The Document provides useful and practical tips that will assist organizations, regardless of size and available resources, in creating a cyber-incident response plan and responding quickly and effectively to cyber incidents. It iterates many of the important lessons that federal prosecutors and private sector companies have learned in handling cyber incidents, investigations, prosecutions and recoveries.
Assistant Attorney General Leslie Caldwell delivered a speech at the Criminal Division’s Cybersecurity Industry Roundtable on April 29, 2015, wherein she described the Document as “living,” and one that CCIPS will “continue to update as the challenges and solutions change over time.” Caldwell added that this Document is an example of the assistance CCIPS plans to continue to provide in order to elevate cybersecurity efforts and build better channels of communication with law enforcement.
Best Practices for Cybersecurity Preparedness
CCIPS recommends eight steps as part of an organization’s pre-planning activities to help limit computer damage, minimize work disruption, and maximize the ability of law enforcement to locate and apprehend perpetrators:
- Identify your “Crown Jewels”—an organization’s most valued assets that warrant the most protection.
- Have an actionable plan in place before an intrusion occurs—stressing the word “actionable,” CCIPS suggests organizations decide on specific, concrete procedures to follow in the event of a cyber incident.
- Have appropriate technology and services in place—equipment, such as data back-up, intrusion detection capabilities, data-loss-prevention technologies, and devices for traffic filtering or scrubbing, should be installed, tested, and ready to deploy before a cyber incident occurs.
- Have appropriate authorization in place to permit network monitoring—obtain employee consent to monitor and disclose, as necessary, their communications to facilitate early detection and response to a cyber incident.
- Ensure your legal counsel is familiar with technology and cyber incident management—legal counsel who are conversant and accustomed to addressing issues associated with cyber attacks will speed up an organization’s decision-making process and reduce the organization’s response time.
- Ensure organization policies align with the cyber incident response plan—preventative and preparatory measures should be implemented in all relevant organizational policies, such as human resources policies.
- Engage with law enforcement before an incident—meeting and engaging with local federal law enforcement offices will facilitate interaction and establish a trusted relationship.
- Establish a relationship with cyber information sharing organizations—information sharing organizations exist in every sector of critical infrastructure and may provide cybersecurity-related services.
The Cyber Incident Preparedness Checklist (included in the Document) succinctly outlines these eight steps, and is of practical use to an organization that is creating or improving its already-existing incident response plan. For an incident response plan, the Document provides explicit examples of the types of information an organization should evaluate when assessing the nature and scope of an incident. It also includes the information an organization should document in its initial assessment and the types of notes, logs and records it should retain related to the attack that will assist law enforcement, recovery time and post-incident review. These records include:
- A “forensic image” of the affected computer(s)
- Descriptions of incident-related events, including dates and times
- Information about incident-related phone calls, emails, and other contacts
- Identity of persons working on tasks related to the incident, including a description and the amount of time spent
- Descriptions of the systems, accounts, services, data, and networks affected by the incident and how each were affected
- Information relating to the amount and type of damage inflicted by the incident
- Information regarding network topology, the type and version of software run on the network and any peculiarities in the organization’s network architecture
Putting Guidance to Practice
We agree with CCIPS that the best time to plan for a cyber attack is well before it occurs, and reviewing this guidance is a great first step. Other important steps include assembling an effective incident response plan tested regularly through table-top exercises, and also having in place appropriate information-security controls designed to reduce the risk of an attack—or at least reduce the severity of the attack when it (inevitably) occurs.