Your IT manager comes to you with a look on his or her face that is a combination of panic, shock, and depression. “We’ve been breached, and it looks like they got into the customer database, but I’m not sure how long they’ve been on our network, and what else they might have done.” Do you know what you need to do next?
In previous articles we have covered how to keep cyber-criminals off your network. Today we are going to discuss what to do after the incident has occurred. But first, the two rules of a computer security incident:
- Rule #1 – It’s an “incident” until it isn’t. The term “breach” of carries legal and regulatory requirements of disclosure and notification. It is best to use the term “computer incident” instead of “data breach” for as long as you can. This is especially true in any form of written communication that may later be subject to legal discovery in a lawsuit.
- Rule #2 – Involve your attorney early. Call your outside legal counsel right away and involve him or her in any meetings, and CC them on any emails discussing the incident. This puts all the discussions under the shield of attorney-client privilege. In-house legal personnel do not enjoy the same veil of privilege as outside, independent counsel.
Here are the steps you need to take after taking care of Rule 1 and Rule 2.
- Step 1 – Get out your computer incident response plan. Dust off your CIRP and gather the members of the response team, and then call the business principals and affected stakeholders. Of course you have one of these documents to guide you through your response, but if not, there is a great guide from the NIST Computer Security Resource Center (CSRC). Do not wait until after the breach to put this critical document together.
- Step 2 – Preserve the evidence. Isolate the affected systems by taking them off the network, but do not power them off. Many malware packages run exclusively in the memory (RAM) and powering down the computer will erase that evidence. Start a chain of custody document. Call in a professional computer forensics group to start an investigation.
- Step 3 – Review the logs. This is not so much to discover the source of the breach (that will come later) as to ensure that logging of critical systems was not disabled by the attacker. Save logs for the forensics team, or restore them if they have been disabled.
- Step 4 – Change your passwords. Enforce password changes for all staff, making sure to change all administrative passwords and increase password length to at least 12 characters to prevent automated brute force password cracking by the attackers from revealing you new passwords.
- Step 5 – Verify user accounts. Make sure you recognize all user accounts active on your network, and disable any that are no longer needed. Watch for new or unusual accounts that may have been created by the attacker.
- Step 6 – Determine the scope of the incident. Who was affected? What data was compromised? What data was destroyed?
- Step 7 – Investigate the cause. Begin the investigation into how the incident happened and how long it has been active on your network. Was this an internal penetration, or did the attack start with a compromised vendor with access to your network?
- Step 8 – Remediation. Once all the evidence is gathered, the next focus should be on restoring services that may have been taken offline for investigative purposes.
- Step 9 – Make an internal announcement. Members of the Response Team should already be keeping principals informed of progress in the investigation and response. Management needs to inform staff about the incident if only to settle the rumors and speculation that are already being communicated internally.
- Step 10 – Make a public announcement. It is best if you can involve a PR firm that specializes in computer incident work. But get out in front of the news cycle, and be the first to report the incident. Being honest and transparent has been shown to be the best path. Assume everything “hidden” or “confidential” is going to come to light eventually. The general public is use to the fact that these sorts of incidents happen, and are quick to forgive companies that appear to be open and honest. This is also when you would make any legally or regulatorily required disclosures to affected parties.
- Step 11 – Report the incident to law enforcement. Follow the advise of your legal counsel, and understand that once law enforcement is involved you will no longer control the direction or pace of the investigation. At the least, reporting your incident on the FBI’s IC3 website allows your data to be aggregated with other attacks for eventual inclusion in a larger investigation. This also provides information that can be used to warn other businesses of potential attacks like yours.
By the way, this process should not take longer than 2 days. Certainly, the investigation may take more time to complete, but you should have make your public disclosure in the first 48 hours.
After the incident is resolved, it is time for a “lessons learned” review. The goal is to develop and implement a plan to prevent another incident like this one from happening again. Update the CIRP document, and make yourself ready for the next incident.Share