9 secrets to cyberattack survival

Following a breach, organizations should focus on mitigating damage and data loss and providing information to law enforcement

Preparing and responding to a cyberattack

Cybersecurity incidents continue to grow in both volume and sophistication, with 64 percent more security incidents reported in 2015 than in 2014, according to a June 2016 report by the Ponemon Institute. The human instinct is to try to find those responsible. However, any attempt to access, damage, or impair another system that appears to be involved in an attack is most likely illegal and can result in civil and/or criminal liability. Since many intrusions and attacks are launched from compromised systems, there’s also the danger of damaging an innocent victim’s system.

Following a breach, organizations should focus on mitigating damage and data loss and providing information to law enforcement. Partner at Ballard Spahr, LLP and former Assistant U.S. Attorney Ed McAndrew and Guidance Software President and CEO Patrick Dennis have compiled best practices for preparing and responding to a cyberattack and working with law enforcement.


Identify key assets

Depending on an organization’s needs, it may be cost prohibitive to protect its entire enterprise. Before creating an incident plan, an organization should determine which of its data, assets, and services warrant the most protection.

Have a plan of action

Creating established plans and procedures that spell out which steps need to be taken after an attack can help any organization limit the damage to its networks. This includes identifying who has lead responsibility for each element of the organization’s cyberincident response; being able to contact critical personnel at all times; knowing which mission-critical data, networks, or services should be prioritized for the greatest protection; and knowing how to preserve data related to the incident in a forensically sound manner. It also improves law enforcement’s ability to locate and apprehend the perpetrators.

Engage with law enforcement before an attack

Having a pre-existing relationship with federal law enforcement officials can help facilitate any interactions relating to a breach. It will also help establish a trusted relationship that cultivates bidirectional information sharing that is beneficial to both the organization and law enforcement.

Stay informed about threats

An organization’s awareness of new or commonly exploited vulnerabilities can help it prioritize its security measures. There are organizations that share real-time threat intelligence. For example, Information Sharing and Analysis Centers, which analyze cyberthreat information, have been created for each critical infrastructure sector. Some centers also provide cybersecurity services.

Make an initial assessment of the threat

Once an attack or breach is identified, it’s critical to assess the nature and scope of the incident. It is also important to determine whether the incident was a malicious act or a technological glitch. The nature of the incident will determine what kind of assistance the organization will need and what type of damage and remedial efforts may be required.

Capture the extent of the damage

Ideally, the victim of a cyberattack will make a forensic image of the affected computers as soon as the incident is detected. Doing so preserves a record of the system for analysis and potentially for use as evidence at trial. Organizations should restrict access to these materials in order to preserve the copy’s integrity and authenticity, safeguard it from unidentified malicious insiders, and establish a chain of custody.
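One way to back the integrity and chain-of-custody points above with something verifiable, as an added example that is not from the article or from the authors it cites: hash the image on acquisition, then keep an append-only custody log in which every entry commits to the previous one. The file names, custodian names and the stand-in "image" bytes are constructed sample values.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor hash for the first log entry

def sha256_file(path, chunk_size=1 << 20):
    # Stream the image through SHA-256 so files larger than RAM still hash.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(log_path, image_path, custodian, action):
    # Each entry commits to the previous line's hash, so a later edit breaks the chain.
    lines = open(log_path).read().splitlines() if os.path.exists(log_path) else []
    prev = hashlib.sha256(lines[-1].encode()).hexdigest() if lines else GENESIS
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "image": os.path.basename(image_path),
             "image_sha256": sha256_file(image_path),
             "custodian": custodian, "action": action,
             "prev_entry_sha256": prev}
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_custody(log_path, image_path):
    # True only if the chain is intact and the image still matches its acquisition hash.
    lines = open(log_path).read().splitlines()
    if not lines:
        return False
    prev = GENESIS
    for line in lines:
        if json.loads(line)["prev_entry_sha256"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return sha256_file(image_path) == json.loads(lines[0])["image_sha256"]

def demo():
    # Constructed sample: a tiny stand-in "image" and a fresh log in a temp directory.
    d = tempfile.mkdtemp()
    img, log = os.path.join(d, "host01-disk.img"), os.path.join(d, "custody.jsonl")
    with open(img, "wb") as f:
        f.write(b"constructed sample image bytes")
    record_custody(log, img, "analyst-a", "acquired image")
    record_custody(log, img, "analyst-b", "received for analysis")
    return log, img
```

In practice the log and the image would live on separate, access-restricted storage, and the acquisition hash would also be recorded on a signed form outside the log.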

Take steps to minimize additional damage

To prevent an attack from spreading or the loss of more valuable data, companies must take steps to stop ongoing traffic caused by the perpetrator. Preventative measures include rerouting network traffic, filtering or blocking a DDoS attack, or isolating all or parts of the compromised network. Also, keep detailed records of what steps were taken to mitigate the damage as well as any costs incurred as a result of the attack.

Notify law enforcement

In the past, some companies have been reluctant to contact law enforcement following a cyberincident due to concerns that a criminal investigation might disrupt their business. However, the FBI and US Secret Service are committed to causing as little disruption to an organization’s normal operations as possible. These two agencies will also attempt to coordinate statements to the news media concerning the incident, ensuring that information harmful to a company’s interests is not needlessly disclosed.

Work with law enforcement to contact other potential victims

Contacting other potential victims through law enforcement is preferable. Doing so protects the initial victim from potentially unnecessary exposure and allows law enforcement to conduct further investigations, which may uncover additional victims.
