Responding to Cyber Incidents

Any organization that does business online can fall prey to a disruptive network intrusion or costly cyberattack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is before an incident occurs.

We’ll go over small business computer security best practices as defined by the Cybersecurity Unit of the Department of Justice (Opens in a new tab) to assist organizations in preparing a cyber incident response plan and how to respond to a cyber security incident. 

How to Prevent Cyberattacks

Having well-established plans and procedures in place for preventing, managing and responding to a cyberattack is a critical first step toward preparing an organization to weather a cyber incident. Such pre-planning can help organizations limit damage to their computer networks, minimize work stoppages, and maximize the ability of law enforcement to locate and apprehend perpetrators. Organizations should follow the precautions outlined below now, before learning that a computer security incident has affected their networks.

Identify essential data, assets & services

Handling a cyberattack will depend on each company’s critical needs. For some organizations, even a short-term disruption in their ability to send or receive email will have a devastating impact on operations; others may suffer significant harm if certain intellectual property is stolen. For others still, the ability to guarantee the integrity and security of the data they store and process, such as customer information, is vital to their continued operation.

The expense and resources required to protect a whole enterprise may force an organization to prioritize its efforts and may shape its incident response planning. Before formulating a cyber incident response plan, an organization should first determine which of their data, assets and services warrants the most protection.

Prioritizing the protection of an organization’s critical information is an important first step to preventing a cyberattack from causing catastrophic harm. The Cybersecurity Framework (Opens in a new tab) produced by the National Institute of Standards and Technology (Opens in a new tab) (NIST) provides guidance on risk management planning and policies and merits consideration.

Have a cyber incident response plan in place

Organizations should have a plan in place for how to handle a cyberattack before an intrusion occurs. During a data security breach, management and personnel should be focused on containing the intrusion, mitigating the harm, and collecting and preserving vital information that will help assess the nature and scope of the damage and the source of the threat. A cybersecurity incident is not the time to be creating emergency procedures or considering for the first time how best to respond.

The cyber incident response plan should be “actionable.” It should provide specific, concrete procedures to follow in the event of a cyberattack. At a minimum, the procedures should address:

• The decision maker for public communications, information technology access, implementation of security measures and resolving legal questions
• How to contact critical personnel at any time, day or night
• How to proceed if critical personnel are unreachable and who will serve as backup
• What critical data, networks or services should be prioritized
• How to preserve data related to the intrusion in a forensically sound manner
• The criteria for ascertaining whether data owners, customers or partner companies should be notified if their data is stolen
• Procedures for notifying law enforcement and/or computer security incident-reporting organizations

All personnel who will play a role in making technical, operational or managerial decisions during an incident should have access to and familiarity with the cyber incident response plan. For instance, the cyber incident response plan procedures can be integrated into regular personnel training.

The plan may also be practiced through regularly conducted exercises to ensure that it is up to date. Such exercises should be designed to verify that necessary lines of communication exist, that decision-making roles and responsibilities are well understood, and that any technology that may be needed during an actual incident is both available and effective. Deficiencies and gaps identified during an exercise should be noted for speedy resolution.

Cybersecurity plans for small businesses may differ depending upon an organization’s size, structure and nature of its business. Similarly, decision-making under an incident response plan may differ depending upon the size and nature of a cyberattack. In any event, familiarity with the organization’s framework for addressing a data breach will expedite response time and save critical minutes during an incident.

Implement data protection technology and services

Organizations should already have ready access to the technology and services that they will need to respond to a data security breach. Such equipment may include:

• Off-site data backup
• Intrusion detection capabilities
• Data loss prevention technologies
• Devices for traffic filtering or scrubbing

Computer servers should be configured to conduct logging to identify a network security incident and to perform routine backups of important information. The requisite technology should already be installed, tested and ready to deploy. Any required services should be acquired beforehand or identified and ready for acquisition.

Monitor and secure your networks

Real-time monitoring of your own network is typically lawful if prior consent is obtained from network users. Before an incident takes place, obtain user consent for monitoring user’s communications, to detect and respond to a security breach. Commonly used methods are network warnings or “banners” that inform users who log into a network how the organization will collect, store and use their data.

A banner can also be installed on the ports through which an intruder is likely to access the organization’s system. Computer user agreements, workplace policies and personnel training may also be used to obtain user consent to monitoring. Obtain written acknowledgement from personnel after the training to provide proof that the legal requirements for conducting network monitoring have been met.

Consult appropriate legal counsel

Ensure legal counsel is familiar with technology and cyber incident management to reduce response time during an incident. Cyberattack incidents can raise unique legal questions. An organization faced with decisions about how it interacts with government agents, the types of preventive technologies it can lawfully use, its obligation to report the loss of customer information and its potential liability for taking specific remedial measures — or failing to do so — will benefit from obtaining legal guidance from attorneys who are conversant with technology and knowledgeable about relevant laws (e.g., the Computer Fraud and Abuse Act (18 U.S.C. § 1030 (Opens in a new tab)), electronic surveillance, and communications privacy laws). Legal counsel that is accustomed to addressing these types of issues that are often associated with cyber incidents will be better prepared to provide a victimized organization with timely, accurate advice.

Many private organizations retain outside counsel who specialize in legal questions associated with data breaches, while others find such cyber issues are common enough that they have their own cyber-savvy attorneys on staff in their General Counsel’s offices. Having ready access to advice from lawyers well acquainted with cyber incident response can speed an organization’s decision-making and help ensure that a victim organization’s incident response activities remain on firm legal footing.

Ensure organization policies align with the cyber incident response plan

Some preventive measures related to incident planning may need to be implemented outside the context of preparing a cyber incident response plan. For instance, an organization should review its personnel and human resource policies to ensure they will reasonably minimize the risk of cyber incidents, including from “insider threats.” Proper personnel and information technology (IT) policies may help prevent a cyber incident in the first place.

For instance, a practice of promptly revoking the network credentials of terminated employees — particularly system administrators and information technology staff — may prevent a subsequent cyber incident from occurring. Furthermore, reasonable access controls on networks may reduce the risk of harmful computer misuse.

Engage with law enforcement before data security breach

Establish a relationship with local law enforcement before a security breach. Having a point-of-contact and a pre-existing relationship with law enforcement will facilitate any subsequent interaction that may occur if an organization needs to enlist law enforcement’s assistance. It will also help establish a trusted relationship that cultivates bidirectional information sharing that is beneficial both to potential victim organizations and to law enforcement.

The principal federal law enforcement agencies responsible for investigating criminal violations of the federal Computer Fraud and Abuse Act are the Federal Bureau of Investigation (FBI) and the U.S. Secret Service. Both agencies conduct regular outreach to private companies and other organizations likely to be targeted for intrusions and cyberattacks.

Establish relationships with cyber information sharing organizations

Defending a network from every cyberthreat is a daunting task. Access to information about new or commonly exploited vulnerabilities can help an organization prioritize its security measures. Information sharing organizations for every sector of the critical infrastructure exist to provide such information.

Information Sharing and Analysis Centers (Opens in a new tab) (ISACs) have been created in each sector of the critical infrastructure and for key resources. They produce analysis of cyberthreat information that is shared within the relevant sector, with other sectors and with the government. Depending upon the sector, they may also provide other cybersecurity services. The government has also encouraged the creation of new information sharing entities called Information Sharing and Analysis Organizations (Opens in a new tab) (ISAOs) to accommodate organizations that do not fit within an established sector of the critical infrastructure or that have unique needs. ISAOs are intended to provide such organizations with the same benefits of obtaining cyberthreat information and other supporting services that are provided by an ISAC.

Back to top

Responding to a Cyberattack

An organization can fall victim to a cyberattack even after taking reasonable precautions. That's why having a vetted, actionable cyber incident response plan is critical. A robust incident response plan does more than provide procedures for handling an incident; it also provides guidance on how a victim organization can continue to operate while managing an incident and how to work with law enforcement and/or incident response firms as an investigation is conducted. Follow the steps below to take action after identifying a data breach has occurred.

Assess the security breach

During a security breach, immediately assess the nature and scope of the incident. Determine whether the incident is a malicious act or a technological glitch. The nature of the incident will determine the type of assistance an organization will need to address the type of damage and remedial efforts that may be required.

Having appropriate network logging capabilities enabled can be critical to identifying the cause of a cybersecurity incident. Using log information, a system administrator should attempt to identify:

• The affected computer systems
• The apparent origin of the incident, intrusion, or attack
• Any malware used in connection with the incident
• Any remote servers to which data were sent (if information was taken)
• The identity of any other victimized organizations, if any

In addition, the initial assessment of the cyber incident should document:

• Which users have currently logged in
• What the current connections to the computer systems are
• Which processes are running or currently active
• All open ports and their associated services and applications
• Any communications (in particular, threats or demands) received by the organization that might relate to the incident
• Suspicious calls, emails or other requests for information

Evidence that an intrusion or other criminal incident has occurred will typically include logging or file creation data indicating that someone:

• Improperly accessed, created, modified or deleted data
• Copied files or logs
• Changed system settings
• Added or altered user accounts or permissions

In addition, an intruder may have stored “hacker tools” or data from another intrusion on your network. In the case of a root-level intrusion, victims should be alert to signs that the intruder gained access to multiple areas of the network.

The victimized organization should take care to ensure that its actions do not unintentionally or unnecessarily modify stored data in a way that could hinder incident response or subsequent criminal investigation. Relevant files should not be deleted, and if possible, avoid modifying data or at least keep track of how and when information was modified.

Minimize continuing damage from the cybersecurity incident. After determining a cybersecurity incident is an intentional intrusion or attack rather than a technical glitch, take steps to stop ongoing damage caused by the perpetrator by:

• Rerouting network traffic
• Filtering or blocking a distributed denial-of-service attack
• Isolating the compromised network
• Blocking further illegal access or watching the illegal activity to identify the source of the attack to learn the scope of the compromise

If proper preparations have been made, an organization will have an existing backup copy of critical data and may elect to abandon the network in its current state and to restore it to a prior state. If an organization elects to restore a backup version of its data, it should first make sure that the backup is not compromised as well.

Where a victimized organization obtains information regarding the location of exfiltrated data or the apparent origin of a cyberattack, it may choose to contact the system administrator of that network. Doing so may stop the attack, assist in regaining possession of stolen data or help determine the true origin of the malicious activity.

A victimized organization may also choose to blunt the damage of an ongoing intrusion or attack by “null routing” malicious traffic, closing the ports being used by the intruder to gain access to the network or otherwise altering the configuration of a network to thwart the malicious activity. In computer networking, a null route or blackhole route is a network route that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called “blackhole filtering.”

The victimized organization should keep detailed records of whatever steps are taken to mitigate the damage and should keep stock of any associated costs incurred. Such information may be important for recovering damages from parties responsible and for any subsequent criminal investigation.

Record and collect information

Always document the affected computer(s). Immediately make a “forensic image” of the computers compromised in the data breach, which will preserve a record of the system at the time of the incident for later analysis and evidence. This may require the assistance of law enforcement or professional incident response experts. In addition, the victimized organization should locate any previously generated backups, which may assist in identifying any changes made to the network.

New or sanitized media should be used to store copies of any data that is retrieved and write-protect the media to safeguard it from alteration. The victimized organization should also restrict access to this media to maintain the integrity of the copy’s authenticity, assuring it’s safeguarded from unidentified malicious insiders, while establishing a chain of custody. These steps will enhance the value of any backups as evidence in any later criminal investigations and prosecutions, internal investigations or civil lawsuits.

Keep logs, notes, records & data

Take immediate steps to preserve existing logs and keep an ongoing, written record of all steps undertaken. If this is done while responding to the security breach or shortly thereafter, personnel can minimize the need to rely on their personal recall or the memories of others to reconstruct the order of events. As the investigation progresses, information that was collected by the organization contemporaneous to the intrusion, may take on unanticipated significance.

The types of information that the victimized organization should retain include:

• A description of all incident-related events, including dates and times
• Information about incident-related phone calls, emails, and other contacts
• The identity of persons working on tasks related to the cyberattack including a description, the amount of time spent, and the approximate hourly rate for those person’s work
• Identity of the systems, accounts, services, data and networks affected by the incident and a description of how these network components were affected
• Information relating to the amount and type of damage inflicted by the incident, which can be important in civil actions by the organization and in criminal cases
• Information regarding network topology
• The type and version of software being run on the network
• Any peculiarities in the organization’s network architecture, such as proprietary hardware or software

Ideally, a single, designated employee will retain custody of all such records. This will help to ensure that records are properly preserved and can be produced at a later date. Proper handling of this information is often useful in rebutting claims in subsequent legal proceedings (whether criminal or civil) that electronic evidence has been tampered with or altered.

Records related to continuing cyberattacks

When an incident is ongoing (e.g., during a distributed denial of service attack, as a worm is propagating through the network, or while an intruder is exfiltrating data), the victimized organization should record any continuing activity.

If a victimized organization has not enabled logging on an affected server, it should do so immediately. It should also consider increasing the default size of log files on its servers to prevent losing data. A victimized organization may also be able to use a “sniffer” or other network-monitoring device to record communications between the intruder and any of its targeted servers.

Such monitoring, which implicates the Wiretap Act (18 U.S.C. §§ 2510 et seq.) is typically lawful, provided it is done to protect the organization’s rights or property or system users have actually or impliedly consented to such monitoring. An organization should consult with its legal counsel to make sure such monitoring is conducted lawfully and consistent with the organization’s employment agreements and privacy policies.

Back to top

Who Should You Notify of Cyber Crime?

Managers and other personnel within the organization should be notified about the incident as provided in the incident response plan and should be given the results of any preliminary analysis. The incident response plan should set out individual points-of-contact within the organization and the circumstances in which they should be contacted.

Law enforcement

If an organization suspects at any point during its assessment or response that the cyber incident constitutes criminal activity, law enforcement should be contacted immediately.

Historically, some companies have been reticent to contact law enforcement following a cyber incident fearing that a criminal investigation may result in disruption of its business or reputational harm. However, a company harboring such concerns should not hesitate to contact law enforcement.

The FBI and U.S. Secret Service place a priority on conducting cyber investigations that cause as little disruption as possible to a victim organization’s normal operations and recognize the need to work cooperatively and discreetly with victimized companies. They will use investigative measures that avoid computer downtime or displacement of a company's employees. When using investigative measures likely to inconvenience a victimized organization, they will do so with the objective of minimizing the duration and scope of any disruption.

Contacting law enforcement may also prove beneficial to a victimized organization. Law enforcement may be able to use legal authorities and tools that are unavailable to non-governmental entities and to enlist the assistance of international law enforcement partners to locate stolen data or identify the perpetrator. These tools and relationships can greatly increase the odds of successfully apprehending an intruder or attacker and securing lost data.

The Department of Homeland Security

The Department of Homeland Security has components dedicated to cybersecurity that not only collect and report on cyber incidents, phishing, malware and other vulnerabilities, but also provide certain incident response services.

The National Cybersecurity & Communications Integration Center (Opens in a new tab)(NCCIC) serves as a 24/7 centralized location for cybersecurity information sharing, incident response, and incident coordination. By contacting the NCCIC, an organization can both share and receive information about an ongoing incident that may prove beneficial to both the victim organization and the government. An organization may also obtain technical assistance capable of mitigating an ongoing cyber incident.

Other potential victims of the same cyber security incident

If there is evidence of additional victims while assessing a cyber incident — for example, in the form of another company’s data stored on the network — they should be promptly notified.

While the initial victim can conduct such notification directly, notifying victims through law enforcement may be preferable. It insulates the initial victim from potentially unnecessary exposure and allows law enforcement to conduct further investigation, which may uncover additional victims warranting notification. Similarly, if a forensic examination reveals an unreported software or hardware vulnerability, the victimized organization should make immediate notification to law enforcement or the relevant vendor.

Such notifications may prevent further damage by prompting the victims or vendors to take remedial action immediately. The victim organization may also reap benefits, because other victims may be able to provide helpful information gleaned from their own experiences managing the same cyber incident (e.g., information regarding the perpetrator’s methods, a timeline of events, or effective mitigation techniques that may thwart the intruder).

Back to top

What Should a Company Avoid After a Data Breach?

After a data breach occurs, avoid using a system suspected of being compromised to communicate about an incident or to discuss its response to the incident. If the victim organization must use the compromised system to communicate, it should encrypt its communications.

Do not hack into or damage another network

Do not attempt to access, damage or impair another system that may appear to be involved in the cyber intrusion or attack. Regardless of motive, doing so is likely illegal, and could result in civil and/or criminal liability.

Back to top

After a Cyberattack

Even after a cyber incident appears to be under control, remain vigilant. Many intruders return to attempt to regain access to networks they previously compromised. It is possible that, despite best efforts, a company that has addressed known security vulnerabilities and taken all reasonable steps to eject an intruder has nevertheless not eliminated all means by which the intruder illicitly accessed the network. Continue to monitor your system for anomalous activity.

Once recovered from the attack or intrusion, initiate measures to prevent similar attacks. Conduct a post-incident review of the organization’s response and assess the strengths and weaknesses of its performance and incident response plan. Part of the assessment should include ascertaining whether the organization followed each of the steps outlined above and, if not, why not.

Note and discuss deficiencies and gaps in the cyber security plan and response and take remedial steps as needed.

Back to top

Cyberattack Protection for Businesses

A cyberattack or data breach are challenging ordeals many organizations face today. Thankfully though, through proactive measures like creating a cyber incident response plan and taking immediate action if a breach occurs, these attacks can be mitigated and recovery can begin quickly.

To learn more ways to protect your business, visit our Loss & Risk Control Resource Center. You’ll find many great guides and articles that can help protect your business from the unexpected.

This article is for informational purposes only and based on information that is widely available. This information does not, and is not intended to, constitute legal advice. You should contact an attorney for legal advice specific to your situation.