How to prepare for and respond to a cyber attack

Cybercriminals are constantly looking for new ways to bypass security measures and no organization is immune from attack.

Cybercriminals are constantly looking for new ways to bypass security measures. In a survey conducted by the SANS Institute on the behalf of Guidance Software, 56% of respondents assumed they have been breached or will be soon, compared with 47% last year.

Assistant United States Attorney and Cybercrime Coordinator with the U.S. Attorney's Office in the District of Delaware Ed McAndrew, and Guidance Software Director of Security Anthony Di Bello, have compiled best practices for preparing and responding to a cyber attack and working with law enforcement:

* Have an incident response plan Creating established and actionable plans and procedures for managing and responding to a cyber intrusion can help organizations limit the damage to their computer networks and minimize work stoppage. It also helps law enforcement locate and apprehend the perpetrators.

* Identify key assets It may be cost prohibitive to protect the entire enterprise. Before creating a cyber incident plan, an organization should determine which of its data, assets and services warrant the most protection. The Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) provides excellent guidance on risk management planning and policies and merits consideration.

* Make an initial assessment of the threat Once an attack or breach is identified, it's critical to assess the nature and scope of the incident. It is also important to determine whether the incident was a malicious act or a technological glitch. The nature of the incident will determine what kind of assistance the organization will need and what type of damage and remedial efforts may be required.

* Engage with law enforcement before an attack Having a pre-existing relationship with federal law enforcement officials can help facilitate any interaction relating to a breach. It will also help establish a trusted relationship that cultivates bi-directional information sharing that is beneficial to both the organization and law enforcement.

* Have a post-attack plan of action Establish procedures addressing what steps you need to take after an attack. This includes identifying who is responsible for different elements of an organization's cyber incident response, having the ability to contact critical personnel at all times, knowing what mission critical data, networks or services should be prioritized for the greatest protection and how to preserve data related to the incident in a forensically sound manner.

* Capture the extent of the damage Ideally, the victim of a cyber attack will make a forensic image of the affected computers as soon as the incident is detected. Doing so preserves a record of the system for analysis and potentially for use as evidence at a trial. Organizations should restrict access to these materials in order to maintain the integrity of the copy's authenticity. Safeguard these materials from unidentified malicious insiders and establish a chain of custody.

* Take steps to minimize additional damage To prevent an attack from spreading, you must take steps to stop ongoing traffic caused by the perpetrator. Preventative measures include: rerouting network traffic, filtering or blocking a Distributed Denial of Service attack or isolating all or parts of the compromised network.

* Keep detailed records Take immediate steps to preserve relevant existing logs. All personnel participating in the incident response should keep an ongoing, written record of the steps taken to respond to and mitigate an incident and any costs incurred as a result of the attack. They should record all incident-related communications, the identity of the systems, accounts, services, data and network affected by the incident and information relating to the amount and type of damage inflicted.

* Notify law enforcement Many companies have been reluctant to contact law enforcement following a cyber incident due to concerns that a criminal investigation might disrupt their business. However, the FBI and U.S. Secret Service cause as little disruption to an organization's normal operations as possible. These agencies will also attempt to coordinate statements to the news media concerning the incident, ensuring that information harmful to a company's interests are not disclosed.

* Work with law enforcement to contact other potential victims Contacting other potential victims through law enforcement is preferable to contacting them directly. Doing so protects the initial victim from potentially unnecessary exposure and allows law enforcement to conduct further investigations, which may uncover additional victims.

* Stay informed about threats An organization's awareness of new or commonly exploited vulnerabilities can help it prioritize its security measures. There are organizations that share real-time intelligence on threats. For example, Information Sharing and Analysis Centers, which analyze cyber threat information, have been created in each sector of the critical infrastructure. Some centers also provide cybersecurity services.

Join the CSO newsletter!

Error: Please check your email address.

Tags SANS Institutesecuritycyber attack

More about EngageFBIGuidance SoftwareSANS InstituteTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Ed McAndrew and Anthony Di Bello

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts