DOJ Issues Best Practices for Cyber Incident Response
The US Department of Justice, Criminal Division, Cybersecurity Unit has issued a 15-page best practices document “to assist organizations in preparing a cyber incident response plan and…in preparing to respond to a cyber incident.” The document explains in detail steps necessary before, during and after a cyber attack or intrusion, summarized in a “Cyber Incident Preparedness Checklist” (see below). “Any Internet-connected organization” is advised to review and adopt these best practices in order to provide a prompt, effective response to incidents, minimize resulting harm, expedite recovery, and, most importantly, take steps to prevent an intrusion from occurring in the first instance. A complete copy of the Best Practices guidelines can be found here.
Department of Justice Cyber Incident Preparedness Checklist
Before a Cyber Attack or Intrusion
- Identify mission critical data and assets (i.e., your “Crown Jewels”) and institute tiered security measures to appropriately protect those assets.
- Review and adopt risk management practices found in guidance such as the National Institute of Standards and Technology Cybersecurity Framework.
- Create an actionable incident response plan.
- Test plan with exercises
- Keep plan up-to-date to reflect changes in personnel and structure
- Have the technology in place (or ensure that it is easily obtainable) that will be used to address an incident.
- Have procedures in place that will permit lawful network monitoring.
- Have legal counsel that is familiar with legal issues associated with cyber incidents.
- Align other policies (e.g., human resources and personnel policies) with your incident response plan.
- Develop proactive relationships with relevant law enforcement agencies, outside counsel, public relations firms, and investigative and cybersecurity firms that you may require in the event of an incident.
During a Cyber Attack or Intrusion
- Make an initial assessment of the scope and nature of the incident, particularly whether it is a malicious act or a technological glitch.
- Minimize continuing damage consistent with your cyber incident response plan.
- Collect and preserve data related to the incident.
- “Image” the network
- Keep all logs, notes, and other records
- Keep records of ongoing attacks
- Consistent with your incident response plan, notify—
- Appropriate management and personnel within the victim organization should
- Law enforcement
- Other possible victims
- Department of Homeland Security
- Do not—
- Use compromised systems to communicate.
- “Hack back” or intrude upon another network.
After Recovering from a Cyber Attack or Intrusion
- Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
- Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.