How to respond to cybercrime
A cyber attack can go undetected for a long period of time. Consistently performing enterprise-wide monitoring and diagnostics is the key to early detection and resolution.
Isolate the incident and zero in on the impact. Knowledge of the enterprise network environment is critical. Based on the severity, complexity and urgency of the incident, determine whether the appropriate response includes a full-scope investigation following the cybercrime response plan.
3. Investigate and remediate
Remediation usually runs concurrently with the investigation.
Determine how and when the compromise occurred, what was the root cause and what was the impact to the organization. The investigation needs to be initiated and conducted with a great sense of urgency and in a secured environment. To do so, each organization should have a pre-established, scalable cybercrime response team consisting of relevant lines of business and executive functions, with defined roles and responsibilities, as well as internal and external communication protocols. The effectiveness of the plan needs to be tested through table-top exercises.
- Identify, collect and preserve evidence
Acquire all host-based evidence pertinent to the type of incident in a timely, efficient and forensically sound way, collecting the most volatile data (running processes, open ports, logged-in and remote users) before longer-lived state, and recording a cryptographic hash and collection time for every artefact so its integrity can be demonstrated later. Collect network-based log files including, but not limited to, those from routers, firewalls, servers and intrusion detection system (IDS) sensors. Conduct necessary internal and external interviews.
- Perform forensic analysis and data analytics
Conduct a comprehensive forensic examination to determine the attack vector, the scope and depth of the compromise. Identify any unauthorized user accounts or groups, rogue processes and services and any unauthorized access points.
- Develop and understand fact patterns
Determine who is involved. Tell the story of who, what, when, where and how. Consider necessary disclosures as facts develop.
- Draw conclusions and make recommendations
Prepare a report of recommendations on disclosures, program improvement, discipline and remediation.
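The evidence-preservation step above asks for acquisition that is "forensically sound". The following is an added example, not code from the original article, showing what that means in practice on a Linux host: each collection command is run in order of volatility, its raw output is stored unmodified, and a manifest records the command, the UTC collection time, the exit status and a SHA-256 digest so that any later alteration of an artefact can be detected. The command list, file names and manifest layout are assumptions chosen for illustration; a missing tool is recorded as a finding rather than aborting the run.

```python
"""Volatile-evidence acquisition with an integrity manifest.

Added example, not code from the original article. Runs each collection
command, stores its raw output under the evidence directory, and records a
SHA-256 digest, UTC timestamp and exit status in manifest.json so that the
artefacts can later be shown to be unaltered. The command list and file
names below are assumptions chosen for illustration.
"""
import hashlib
import json
import platform
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Collection order follows volatility: processes and sockets first, logged-in
# users next, longer-lived account and routing state last. Linux tool names.
DEFAULT_COMMANDS = [
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("sockets", ["ss", "-tulpan"]),
    ("logged_in", ["who", "-a"]),
    ("accounts", ["getent", "passwd"]),
    ("groups", ["getent", "group"]),
    ("routes", ["ip", "route"]),
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artefacts are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(evidence_dir: Path, commands=DEFAULT_COMMANDS, timeout=60) -> dict:
    """Run each command, save raw stdout+stderr, hash it and write manifest.json."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "host": platform.node(),
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [],
    }
    for name, argv in commands:
        out = evidence_dir / f"{name}.txt"
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            data, status = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing or hanging tool is itself a finding; record it, do not abort.
            data, status = f"ERROR: {exc}".encode(), -1
        out.write_bytes(data)
        manifest["artifacts"].append({
            "name": name, "command": argv, "file": out.name,
            "started": started, "exit_status": status,
            "bytes": len(data), "sha256": sha256_file(out),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir: Path) -> list:
    """Re-hash every artefact; return the names whose digest no longer matches."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    mismatched = []
    for art in manifest["artifacts"]:
        path = evidence_dir / art["file"]
        if not path.exists() or sha256_file(path) != art["sha256"]:
            mismatched.append(art["name"])
    return mismatched


if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "evidence")
    result = acquire(target)
    print(f"collected {len(result['artifacts'])} artefacts into {target}")
    print("tampered:", verify(target) or "none")
```

The manifest only proves integrity if it cannot itself be silently edited, so copy it (or at least its hash) off the compromised host immediately, ideally to write-once storage or a signed ticket, and run the collector from known-good binaries on removable media rather than the host's own `ps` and `ss`, which an intruder may have replaced.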
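The analysis and fact-pattern steps above (determine the attack vector, find unauthorized accounts, and tell the who/what/when/where/how story) rest on one mechanical task: merging logs from different systems into a single timeline in a common time base. The following is an added example, not code from the original article, that normalises constructed auth-log and firewall lines to UTC, orders them, and walks the merged timeline once to tag the events an investigator would build the narrative around: an interactive login from an external address, an account created and then granted sudo, and an outbound connection back to the address that logged in. The log formats, hostnames, addresses and internal ranges are assumptions made up for the example.

```python
"""Unified incident timeline from heterogeneous logs.

Added example, not code from the original article. The two log samples are
constructed for illustration; formats, hosts, addresses and the INTERNAL
ranges are assumptions.
"""
import ipaddress
import re
from datetime import datetime, timezone

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

# Constructed syslog-style auth.log lines with RFC 3339 timestamps.
AUTH_LOG = """\
2024-03-02T01:12:07+00:00 web01 sshd[2211]: Accepted password for svc_backup from 203.0.113.45 port 51822 ssh2
2024-03-02T01:12:09+00:00 web01 sudo: svc_backup : TTY=pts/1 ; COMMAND=/usr/sbin/useradd -m support
2024-03-02T01:12:15+00:00 web01 sudo: svc_backup : TTY=pts/1 ; COMMAND=/usr/sbin/usermod -aG sudo support
2024-03-02T08:30:41+00:00 web01 sshd[3102]: Accepted publickey for alice from 10.20.3.7 port 40212 ssh2
"""

# Constructed firewall CSV export: timestamp (UTC), action, src, dst, dport.
FW_LOG = """\
2024-03-02T01:11:58Z,ALLOW,203.0.113.45,10.20.1.5,22
2024-03-02T01:13:02Z,ALLOW,10.20.1.5,203.0.113.45,443
2024-03-02T08:30:40Z,ALLOW,10.20.3.7,10.20.1.5,22
"""

AUTH_RE = re.compile(r"^(\S+) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"^(\S+) : .*COMMAND=(.*)$")
PRIV_RE = re.compile(r"usermod .*-aG\s+(sudo|wheel)\b")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def to_utc(stamp: str) -> datetime:
    # fromisoformat only accepts a trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_auth(text: str):
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, host, prog, msg = m.groups()
        ev = {"ts": to_utc(ts), "source": "auth", "host": host, "user": None,
              "src_ip": None, "action": prog, "detail": msg}
        login = LOGIN_RE.search(msg)
        sudo = SUDO_RE.match(msg)
        if login:
            ev.update(user=login.group(1), src_ip=login.group(2), action="login")
        elif sudo:
            ev.update(user=sudo.group(1), action="sudo", detail=sudo.group(2))
        yield ev


def parse_fw(text: str):
    for line in text.splitlines():
        ts, action, src, dst, dport = line.split(",")
        yield {"ts": to_utc(ts), "source": "fw", "host": dst, "user": None,
               "src_ip": src, "dst_ip": dst, "dport": int(dport),
               "action": action, "detail": f"{src} -> {dst}:{dport}"}


def build_timeline(auth_text: str, fw_text: str) -> list:
    """Merge both sources into one list ordered by UTC timestamp."""
    return sorted([*parse_auth(auth_text), *parse_fw(fw_text)], key=lambda e: e["ts"])


def flag(events: list) -> list:
    """Single pass over the merged timeline; returns (when, tag, detail) findings."""
    login_sources, findings = set(), []
    for e in events:
        when = e["ts"].isoformat()
        if e["source"] == "auth" and e["action"] == "login":
            if not is_internal(e["src_ip"]):
                login_sources.add(e["src_ip"])
                findings.append((when, "external_login",
                                 f"{e['user']} from {e['src_ip']} on {e['host']}"))
        elif e["source"] == "auth" and e["action"] == "sudo":
            if "useradd" in e["detail"]:
                findings.append((when, "account_created", f"{e['user']}: {e['detail']}"))
            elif PRIV_RE.search(e["detail"]):
                findings.append((when, "privilege_granted", f"{e['user']}: {e['detail']}"))
        elif e["source"] == "fw" and e["action"] == "ALLOW":
            if not is_internal(e["src_ip"]) and e["dport"] in (22, 3389):
                findings.append((when, "inbound_admin_port", e["detail"]))
            elif is_internal(e["src_ip"]) and e["dst_ip"] in login_sources:
                # Outbound traffic to an address that already logged in interactively.
                findings.append((when, "outbound_to_login_source", e["detail"]))
    return findings


if __name__ == "__main__":
    for when, tag, detail in flag(build_timeline(AUTH_LOG, FW_LOG)):
        print(when, tag, detail)
```

The value of the merged view is the ordering: the firewall shows the inbound SSH session nine seconds before the auth log records the login, and the outbound HTTPS connection back to the same address lands a minute after the new account was given sudo. Each of those pairings is a "where" and "how" line in the fact pattern that neither log shows on its own; in a real case, confirm every source's clock offset before trusting the order.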
Identify and address vulnerabilities in the environment, sufficiently harden the environment to complicate the attacker’s effort to get back in, enhance the ability to detect and respond to future attacks, and prepare for eradication events.
Response to the root cause of the initial incident will likely start out as tactical but should grow into a strategic program. Companies should perform attack and penetration exercises to determine whether the tactical fixes were effective.
Effective eradication plans must be well-coordinated and executed with speed and precision as the attackers will often try to re-establish a presence and entrench themselves into the network. Preparation for an eradication event starts during the investigation phase so that the eradication can start soon after the investigation is completed.
Prepare data based on the varying requirements for regulatory reporting, insurance claims and disputes, litigation, threat intelligence and/or customer notification. Cross-border collaboration is critical.
Determine what to disclose to any or all of the following:
- Regulators/law enforcement
- The board
- Audit committee