DOJ Issues Best Practices for Cyber Incident Response

The US Department of Justice, Criminal Division, Cybersecurity Unit has issued a 15-page best practices document “to assist organizations in preparing a cyber incident response plan and…in preparing to respond to a cyber incident.”  The document explains in detail steps necessary before, during and after a cyber attack or intrusion, summarized in a “Cyber Incident Preparedness Checklist” (see below).  “Any Internet-connected organization” is advised to review and adopt these best practices in order to provide a prompt, effective response to incidents, minimize resulting harm, expedite recovery, and, most importantly, take steps to prevent an intrusion from occurring in the first instance.  A complete copy of the Best Practices guidelines can be found here.

Department of Justice Cyber Incident Preparedness Checklist

Before a Cyber Attack or Intrusion

  • Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
  • Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework.
  • Create an actionable incident response plan.
    • Test plan with exercises
    • Keep plan up-to-date to reflect changes in personnel and structure
  • Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
  • Have procedures in place that will permit lawful network monitoring.
  • Have legal counsel that is familiar with legal issues associated with cyber incidents.
  • Align other policies (e.g., human resources and personnel policies) with your incident response plan.
  • Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that you may require in the event of an incident.

During a Cyber Attack or Intrusion

  • Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
  • Minimize continuing damage consistent with your cyber incident response plan.
  • Collect and preserve data related to the incident.
    • “Image” the network
    • Keep all logs, notes, and other records
    • Keep records of ongoing attacks
  • Consistent with your incident response plan, notify—
    • Appropriate management and personnel within the victim organization
    • Law enforcement
    • Other possible victims
    • Department of Homeland Security
  • Do not—
    • Use compromised systems to communicate.
    • “Hack back” or intrude upon another network.
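The "collect and preserve data" and "keep all logs, notes, and other records" items above are easier to defend later if collection is recorded in a hashed manifest. The following is an added example, not part of the DOJ guidance or this post: it assumes the responder has already copied the relevant logs to an evidence directory, and the case identifier, collector name and sample log contents are constructed placeholders.

```python
# Added example (not from the DOJ document): record a hashed manifest of
# collected incident records so later review can show they were not altered.
import hashlib
import json
import tempfile
import time
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large logs or images are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(files, collector: str, case_id: str) -> dict:
    """Record what was collected, by whom, when, and each file's size and hash."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    items = []
    for p in map(Path, files):
        st = p.stat()
        items.append({"path": str(p), "size": st.st_size,
                      "mtime_utc": time.strftime(fmt, time.gmtime(st.st_mtime)),
                      "sha256": sha256_file(p)})
    return {"case_id": case_id,            # placeholder supplied by the responder
            "collector": collector,
            "collected_utc": time.strftime(fmt, time.gmtime()),
            "items": items}

def verify_manifest(manifest: dict) -> list:
    """Return paths whose current contents no longer match the recorded hash."""
    return [e["path"] for e in manifest["items"]
            if not Path(e["path"]).exists()
            or sha256_file(Path(e["path"])) != e["sha256"]]

def preserve(files, manifest_path, collector="responder", case_id="CASE-PLACEHOLDER") -> dict:
    """Build the manifest and write it beside the evidence as JSON."""
    manifest = build_manifest(files, collector, case_id)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest

if __name__ == "__main__":
    # Constructed sample evidence: two small log files in a temporary directory.
    d = Path(tempfile.mkdtemp())
    (d / "auth.log").write_text("constructed: failed login for user X\n")
    (d / "web.log").write_text("constructed: GET /admin 403\n")
    m = preserve([d / "auth.log", d / "web.log"], d / "manifest.json", "analyst")
    print(json.dumps(m, indent=2))
    print("changed since collection:", verify_manifest(m))
```

Re-running `verify_manifest` on the saved JSON at each hand-off gives a simple integrity check to accompany the notes and records the checklist asks you to keep.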

After Recovering from a Cyber Attack or Intrusion

  • Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
  • Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.