The recent WannaCry ransomware attack is more proof that no organization, regardless of size, can entirely prevent professional cybercriminals from breaching its networks. There will always be someone with the skills and the motive to find a way into even the most expensive, most comprehensive, most state-of-the-art security system. The U.S. Department of Justice has even released a guidance document outlining best practices for developing response plans for a breach that should be treated as inevitable.
Perhaps a good analogy would be to consider home security. You can purchase and deploy the most sophisticated home alarm system available, but it doesn’t prevent a criminal from penetrating that security. If you have a window in your house, it can be broken and your home can still be burglarized. You can board up your windows, but the doors can still be removed and the house can be burglarized. No security system is sufficient to stop a determined criminal.
So here is the question that leaders of all large organizations will likely need to ask of their team one day: Now that a breach has occurred in our systems, what do we need to do to assess the damage and investigate the cause?
There are five key steps that you should take in an aggressive post-incident response to a cyberattack:
- Go to the Plan: Review your Incident Response plan and make sure that everyone is clear about who is handling which functions, what their deadlines are, and to whom they report. If you don't have a clearly defined cyber incident response plan, McKinsey & Co. provides a good explanation of the components you should include.
- Evaluate your Training: Do an objective assessment of the skills and training of your internal staff against the nature of the breach involved so you can identify your expertise gaps. This tells you how much external assistance you need for the Incident Response, and of what kind.
- Procure the Tools: Whether you conduct the Incident Response with your own team or with outside assistance, the investigators will need proper software tools to perform an advanced forensic analysis of computers, mobile devices, and network communications, so they can deliver a comprehensive view of exactly what happened and who was involved. You can procure these tools from a digital forensics software company such as AccessData, or you can rely on your third-party consulting firm to use the best tools available.
- Protect the Evidence: One of the fundamentals of effective Incident Response is preserving the evidence collected in the digital forensics investigation. Your team must be trained in chain of custody: record who acquired each item, when, and from where, and every hand-off afterwards, and take a cryptographic hash of each item at acquisition so that any later change to the copy can be detected. Use software tools that collect evidence of the attack in a forensically sound manner, working from verified copies rather than the original media wherever possible.
- Memorialize the Response: Finally, it's a best practice to charge someone on your Incident Response team with keeping a thorough journal of all aspects of the investigation into the breach: the actions taken, the dates and times they were taken, the people responsible, the results, and any follow-up that was necessary. By committing every component of the response to a written record, you will be able to learn from what went right and what went wrong, then make the appropriate adjustments before the next cyberattack that requires an Incident Response.
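The "Protect the Evidence" and "Memorialize the Response" steps above both come down to the same mechanism: hash each evidence item when it is acquired, and journal every handling event with a timestamp and a handler name. The script below is an added example written for this article; it is not code from the original post nor from AccessData or any other vendor tool. The evidence file, the hostname in the note, and the handler names are all constructed for the demonstration.

```python
"""Chain-of-custody helper: hash evidence at acquisition, journal every
handling step, and re-verify integrity later.

Added example for this article, not code from the original post or from any
forensics vendor. All file names, hostnames and handler names are constructed.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a large disk or memory image need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only JSON-lines journal: one record per handling event."""

    def __init__(self, log_path: Path):
        self.log_path = log_path

    def record(self, evidence: Path, action: str, handler: str, note: str = "") -> dict:
        """Journal one event (acquired / transferred / analysed ...) with the
        current hash of the item, the UTC time, and who handled it."""
        entry = {
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "evidence": str(evidence),
            "sha256": sha256_file(evidence),
            "action": action,
            "handler": handler,
            "note": note,
        }
        with self.log_path.open("a") as f:
            f.write(json.dumps(entry) + "\n")
        return entry

    def entries(self) -> list:
        if not self.log_path.exists():
            return []
        return [json.loads(line) for line in self.log_path.read_text().splitlines() if line]

    def verify(self, evidence: Path) -> dict:
        """Compare the item's current hash with the hash recorded at acquisition
        (the first journal entry for that item)."""
        history = [e for e in self.entries() if e["evidence"] == str(evidence)]
        if not history:
            return {"status": "no-record", "history": []}
        original = history[0]["sha256"]
        current = sha256_file(evidence)
        return {
            "status": "intact" if current == original else "TAMPERED",
            "acquired_sha256": original,
            "current_sha256": current,
            "history": history,
        }


def demo(workdir: Path = None) -> dict:
    """Walk one constructed evidence file through acquisition and a hand-off,
    then show that the journal detects a later modification of the copy."""
    if workdir is None:
        workdir = Path(tempfile.mkdtemp(prefix="custody-"))
    workdir.mkdir(parents=True, exist_ok=True)
    evidence = workdir / "memory.dmp"                      # constructed sample, not a real capture
    evidence.write_bytes(b"constructed sample memory capture\x00" * 1024)

    log = CustodyLog(workdir / "custody.jsonl")
    log.record(evidence, "acquired", "analyst-a", "imaged from host WS-17 (constructed hostname)")
    log.record(evidence, "transferred", "analyst-b", "handed to forensics lead")
    before = log.verify(evidence)["status"]

    # Simulate an unauthorised modification of the evidence copy: one appended byte.
    with evidence.open("ab") as f:
        f.write(b"!")
    after = log.verify(evidence)["status"]

    return {"before": before, "after": after, "events": len(log.entries())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The journal is append-only and each entry carries the hash at the time of the event, so a reviewer can see not only that an item changed but between which two hand-offs it changed. In a real investigation the journal itself should be written to media the analysts cannot silently rewrite (write-once storage, or a log that is itself hashed and signed), and the hash should be taken against the original media before any copy is worked on.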
It's essential for any organization to invest in the best cybersecurity it can afford to protect itself against cyberattacks, but don't be misled: you can't stop cybercriminals outright; all you can do is make their job harder and slow them down. A clear Incident Response protocol lets an organization assess the damage from a breach and deal with it quickly and in a forensically sound manner.