Preparing for a Cyber Incident
Introduction
Cyber incidents and data breaches continue to proliferate globally, targeting organizations across all industries and sectors. Worldwide monetary loss to cybercrime is measured in the hundreds of billions. The Secret Service has extensive experience in cyber incident response and the subsequent criminal investigation thereof. We offer the following guidance outlining basic steps an organization can take before, during, and after a cyber incident.
A comprehensive and integrated approach to cybersecurity with organized cyber incident response policies is the only sustainable path to achieving continuity in uncertain times. An organization cannot anticipate every disruption or prevent every cyber incident. Even the most advanced tools and methods do not guarantee perfect cybersecurity implementation. Organizations must anticipate an evolving risk environment and be prepared to respond at a moment’s notice when a disruption to their business occurs. Accomplishing continuity of operations requires a resilient approach to cybersecurity - an integrated, holistic way to manage security risks, business continuity, disaster recovery, and information technology (IT) operations. To achieve this, a comprehensive plan for incident management and incident response (IR), with regular testing and updating, is crucial.
Engaging with Law Enforcement
Criminals maneuver in the anonymity of cyberspace using tradecraft to limit risk from law enforcement. To build on the principle of deterrence, the role of law enforcement in an organization’s IR plan is critical to our nation’s cybersecurity strategy. It is essential for an organization to develop a trusted relationship with law enforcement and integrate them into the development of a cyber IR plan. This early preparation can facilitate a mutually created framework for restoring business operations to a victim organization, while assisting in evidence collection for law enforcement. Preplanning and rehearsing a cyber IR plan helps target the relevant sources of evidence for a criminal investigation, while facilitating speedy restoration of business operations. Engagement with law enforcement before, during, and after a cyber incident will increase opportunities to arrest and prosecute cybercriminals. This collective effort will result in the enhancement of law enforcement’s strategic focus to dissuade criminals from continuing to target organizations. A growth in partnerships between the private sector and law enforcement built on trust and communication will continue to shape cyber resiliency, layer by layer.
About this Guide
This guide explains the actions organizations should take to cultivate an understanding of the technological and regulatory limitations, responsibilities, and resources available to them, and how to apply the acquired knowledge to their operations. Understanding and Preparing are important initial steps which organizations should incorporate into their IR plan. This guide does not constitute legal advice and is only for reference purposes.
Understand
A. Establish liaison and partnerships
Begin by identifying law enforcement agencies responsible for combating cybercrime within your geographic area. Determine which cybersecurity information and resources they have available publicly or through partnership initiatives.
The Secret Service operates Cyber Fraud Task Forces (CFTFs). A CFTF is a partnership between the Secret Service, other law enforcement agencies, prosecutors, private industry, and academia. The goals and priorities of CFTFs are to combat cybercrime through prevention, detection, mitigation, and investigation of cyber incidents. The strategically located CFTFs across dozens of Secret Service field offices boast a strong alliance of over 4,000 private sector partners, 2,500 international, federal, state and local law enforcement partners, and 350 academic partners. State and local law enforcement CFTF partners are trained by the Secret Service’s National Computer Forensics Institute (NCFI). CFTFs also host partner meetings to discuss the latest in prevention, detection, mitigation, and cooperation among law enforcement and private sector organizations. CFTF partners receive quarterly bulletins, which include current trends in cybercrime and detection, policy, legal topics, and other CFTF developments. This partnership model facilitates incident response and allows the Secret Service to be a trusted resource to an organization for guidance during an initial stage of a cyber incident.
The Secret Service shares the law enforcement responsibility for protecting the United States from cybercriminals with the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and U.S. Immigration and Customs Enforcement (ICE). Local and state police departments may also have resources dedicated to investigating cybercrime or maintain a relationship with a federal task force.
When and where possible, you are encouraged to establish liaison with public and private cybersecurity organizations. The cyber domain evolves continually, and information sharing is crucial to remain current on cybercrime trends, tactics, and methods.
B. Study the legal framework
Consult with external and internal legal experts who are familiar with technology, data breaches, and cyber incident management. Learn the laws and regulations governing communications, data privacy, information sharing, and monitoring. Learn where your organization is storing the data and where the individuals/entities whose data your organization is storing reside, as this helps determine jurisdiction over the data. In 1986, the United States Congress enacted the Computer Fraud and Abuse Act (CFAA), as an amendment to 18 U.S.C. 1030. The CFAA has since been amended multiple times to address advancements in technology and cybercrime. The CFAA criminalizes knowingly accessing a computer without authorization, obtaining protected information with the intent to defraud, intentionally causing unauthorized damage to a protected computer, knowingly and with intent to defraud trafficking in passwords or access information, and extortion involving computers.
Multinational organizations, particularly those transmitting and storing data transnationally, must make additional considerations when working towards greater cyber resilience. These considerations will vary based on the specific country where an organization operates, transmits, and stores data. Consider the citizenship of those whose data your organization handles. Learn if and how your organization is protected by laws and regulations as a potential victim of a data breach. For example, the European Union (EU) has enacted a single EU-wide data protection reform, the General Data Protection Regulation (GDPR), allowing EU citizens to better control their personal data, while allowing businesses to reduce red tape and to benefit from greater consumer trust.
C. Understand legal responsibilities
Understand your organization’s responsibility regarding data protection and data breach reporting under federal, state, local, and international law. Determine the threshold for mandatory breach reporting and which entities require notification; there is no comprehensive law in the United States that addresses data privacy and protection, but there are sector-specific laws. The U.S. Federal Trade Commission (FTC) is responsible for protecting consumers and competition by preventing anticompetitive, deceptive, and unfair business practices, whereas the U.S. Securities and Exchange Commission (SEC) was established to protect investors and to maintain fair, orderly, and efficient markets. The U.S. Department of Health and Human Services (HHS) oversees compliance with the Health Insurance Portability and Accountability Act (HIPAA). Additionally, each state may have its own legislation concerning data privacy. Determine if your organization is required to implement threat detection and data loss prevention programs for compliance under federal, state, local, and international law. Identify the legal consequences of decisions your organization will make during a potential incident, and how to prepare for potential interaction with law enforcement and/or regulatory agencies. If using contracted third-party services for storing or transmitting your organization’s data, determine how responsibility is shared between your organization and contracted third-party service providers. Determine which provisions to include in contracts and agreements with these providers, to include addressing cooperation during a cyber incident and furnishing information to IR firms.
D. Maintain cyber awareness
Continually learn about existing and emerging cyber threats and risk management strategies by participating in cybersecurity events and educational programs. Such events are often sponsored by private firms as well as law enforcement agencies. Develop a further understanding of the threat environment and the protective measures available to your organization. Subscribe to receive timely information about cybersecurity issues, vulnerabilities, and exploits from reputable cybersecurity organizations. For example, the U.S. Department of Homeland Security (DHS) created the National Cyber Awareness System, which provides subscribers access to timely information about security topics and threats. For a more customized approach to preparedness for your organization, consider seeking industry-specific guidance and consult with cybersecurity services organizations.
Prepare
E. Determine vulnerabilities
Identify network and device vulnerabilities specific to your organization’s operations. It is important to consider all devices, stationary and mobile, with network and data access. Such devices include desktop and laptop computers, printers, copiers, Internet of Things (IoT) devices, cellphones (organization and employee-owned), and any other devices that are connected to a network or other devices, wirelessly or through Ethernet cables. Assess how and where your organization backs up data. Evaluate vulnerabilities associated with using contracted third-party service providers and other outside entities that host and/or have access to your organization’s network and data. These include cloud and backup storage, software services, or any other contractors and vendors that have some level of access to your network and data. Learn how your organization’s data is being protected by these contracted third parties and understand your responsibilities and liabilities when it comes to using contracted third parties. When entering into a contract with a third-party vendor, ensure your contract includes a stipulation that they notify your organization when they are the subject of a data breach, and of what effect the breach has on your network and data. The Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection established a national policy for federal departments and agencies to identify and prioritize critical infrastructure and to protect them from terrorist attacks. If your organization’s line of work can potentially affect critical infrastructure and public safety, the directive delivers policy statements defining the roles various federal, state, and local agencies will play in carrying out the protection of critical infrastructure.
In 2018, the Cybersecurity and Infrastructure Security Agency Act of 2018 established CISA, a federal risk advisor, collaborating with partners to defend against threats and build a more secure and resilient infrastructure.
F. Prioritize and institute cybersecurity measures
Ensure that basic cybersecurity best practices, such as robust passwords, multi-factor authentication, disabling USB storage devices, and perimeter defense (firewalls) are instituted. As an additional layer of security, consider using encryption for data that resides on networks and devices (at rest), as well as for data that is transmitted (point-to-point). Subsequently determine which data, assets, and services warrant the greatest protection and prioritize cybersecurity efforts based on mission-critical needs. Specific measures may include instituting access controls and network segmentation that appropriately limit the availability of data, particularly mission-critical data, and maintaining server logs (firewall, event, and active directory), which could be critical to establishing the cause and origin of a cyber incident. Consider procuring cybersecurity technology and services that align with the threats that would cause the most harm to your organization; these may include intrusion detection capabilities, data loss prevention, and traffic filtering or scrubbing. Test technological solutions regularly, to include involving contracted third-party service providers, to ensure they perform as expected. Routinely review access privileges and discontinue access when employees leave your organization. Routinely back up data, ensure the backups are not connected to the network, and store them securely offsite.
G. Monitor networks
Consider monitoring your organization’s network traffic (internal and external, inbound and outbound), which can be critical to detecting, analyzing, preventing, and addressing cyber incidents. However, prior to procuring technology to monitor systems and devices for cybersecurity threats, understand your organization’s responsibilities under federal, state, local, and international law and ensure compliance when conducting such monitoring. Consider using login banners, user agreements, workplace policies, training, and written acknowledgement from employees and contractors to inform them that their use of the network constitutes consent to your organization monitoring the communications, in accordance with applicable laws and regulations. The Cybersecurity Information Sharing Act of 2015 explicitly authorized organizations to monitor their own information systems, and, upon written consent, the systems of other organizations, for cybersecurity purposes. DHS created Automated Indicator Sharing (AIS) to enable the exchange of cyber threat indicators between the federal government and the private sector. Note that the laws in some countries and regions may restrict your ability to monitor the content of employees’ communications and may not allow employees to consent to such monitoring. Consider additional steps to prevent employee error, such as implementing email filtering and web restrictions.
H. Develop policies and conduct training
Develop internal policies addressing cybersecurity in general, and, more specifically, for handling cyber incidents. Develop a framework for your organization’s employees to be cognizant of and maintain good “cyber hygiene,” and encourage employees to recognize and swiftly report suspicious activity. Studies have shown that employees have continually been a weak link in organizations’ cyber resilience, intentionally (insider threat) or unintentionally (insider risk). Conduct regular briefings with employees and keep them informed on cybersecurity procedures and responsibilities. If possible, test your employees to enhance cybersecurity awareness.
I. Develop a communication strategy
After having acquired an understanding of the legal framework and specific reporting requirements, develop a communication strategy for your organization to implement during a cyber incident. Establishing a communication strategy prior to a cyber incident, which requires a swift response, should be an important component of an organization’s preparation phase. Consider establishing “out of band” communication methods. Determine how you will communicate with all employees, both those who will participate in the IR plan execution and those who will not. At a minimum, an organization should have preapproved notification templates for law enforcement, regulatory agencies, and, if applicable, media. Communication templates can vary depending on a specific situation and reporting requirements. Continuous proactive liaison with law enforcement will help you understand the requirements law enforcement may have during an incident and a subsequent investigation, and should be included in your organization’s communication strategy.
J. Consider retaining legal services
Consider retaining the services of experts to address legal issues and assist with decision making during a potential cyber incident. Include them in IR planning and tabletop exercises for an opportunity to address questions regarding interacting with contracted third parties, issuing public communications, addressing local reporting requirements, coordinating with law enforcement, and engaging with IR firms.
K. Consider retaining IR services
Consider retaining an IR firm to expedite your organization’s response to a cyber incident. If considering an IR firm, ensure that it has experience with local data protection laws and regulations, is using forensically sound methods of evidence collection and data preservation, and has well established channels of communication with law enforcement. Law enforcement is responsible for investigating criminal violations with the objective of identifying, apprehending, and prosecuting perpetrators. Thus, law enforcement is focused on collecting information about the criminal conduct and is frequently limited to technical data that can be used to track activities and events on the network. This technical information may be distinct from, but sometimes commingled with, information collected by the IR firm, and law enforcement may need to coordinate with the IR firm to obtain technical data the firm has already collected. This coordination can minimize disruption of an organization’s operations, avoid duplication of efforts, and expedite an investigation.
L. Prepare for evidence preservation
While prioritizing and instituting preventative cybersecurity measures is of utmost importance, preparation should include preemptive measures for dealing with an incident when, not if, one occurs. This includes understanding that evidence preservation begins well before having detected a cyber incident. Some evidence preservation will depend on the type of incident and organization-specific vulnerabilities, but there are general rules for ensuring evidence preservation. The average cyber incident remains undetected for months. There are rules your organization should implement to support evidence preservation during an incident, such as maintaining server logs (firewall, event, and active directory) for at least a year and maintaining a current network map. Maintaining an up-to-date network map that includes authorized remote connections will expedite detection and isolation of an incident, as well as assist with the investigation and prosecution.
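One way to check the one-year log retention rule above before an incident forces the question. This is an added example, not part of the original guide; the inventory format (one set of archived log dates per source), the source names, and the sample dates are assumptions constructed for illustration.

```python
"""Audit archived logs against the guide's "at least a year" baseline."""
from datetime import date, timedelta

RETENTION_DAYS = 365  # guide: keep server logs "for at least a year"
REQUIRED_SOURCES = ("firewall", "event", "active_directory")  # assumed names


def collapse(days):
    """Collapse sorted dates into inclusive (start, end) gap ranges."""
    gaps = []
    for d in days:
        if gaps and d - gaps[-1][1] == timedelta(days=1):
            gaps[-1] = (gaps[-1][0], d)   # extends the current gap
        else:
            gaps.append((d, d))           # starts a new gap
    return gaps


def audit_source(days_present, today, retention_days=RETENTION_DAYS):
    """Return (covers_window, missing_days) for one log source."""
    window_start = today - timedelta(days=retention_days)
    expected = {window_start + timedelta(days=i) for i in range(retention_days)}
    missing = sorted(expected - set(days_present))
    covers = bool(days_present) and min(days_present) <= window_start
    return covers, missing


def audit_inventory(inventory, today):
    """inventory: {source: set of dates with an archived log}."""
    report = {}
    for source in REQUIRED_SOURCES:
        days = inventory.get(source, set())   # absent source = no logs at all
        covers, missing = audit_source(days, today)
        report[source] = {
            "meets_retention": covers and not missing,
            "oldest": min(days) if days else None,
            "gaps": collapse(missing),
        }
    return report


def _days(start, end):
    """Inclusive run of dates, used only to build the constructed sample."""
    return {start + timedelta(days=i) for i in range((end - start).days + 1)}


TODAY = date(2024, 6, 1)  # constructed audit date
SAMPLE = {  # constructed inventory, not real data
    "firewall": _days(date(2023, 5, 1), date(2024, 5, 31)),        # full year
    "event": _days(date(2024, 3, 3), date(2024, 5, 31)),           # ~90 days only
    "active_directory": _days(date(2023, 5, 1), date(2024, 1, 9))  # one week lost
    | _days(date(2024, 1, 17), date(2024, 5, 31)),
}

if __name__ == "__main__":
    for source, finding in audit_inventory(SAMPLE, TODAY).items():
        status = "OK" if finding["meets_retention"] else "SHORTFALL"
        print(f"{source:17} {status:9} oldest={finding['oldest']}")
        for start, end in finding["gaps"]:
            print(f"    missing {start} .. {end}")
```

A source can hold logs older than a year and still fail if days inside the window are missing, so the gap list matters as much as the oldest date when an investigator needs a continuous timeline.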
M. Create an IR plan
Develop an IR plan with specific and concrete procedures to follow in the event of a cyber incident. The IR plan should include the following:
- An IR team consisting of decisionmakers and critical personnel (senior management, legal counsel, human resources, corporate security, IT security, public relations), and, if needed, a retained IR firm.
- If retaining the services of an IR firm, collaborate with the IR firm on your organization’s IR plan and review their processes.
- Assignment of specific tasks and timelines for the completion of critical tasks.
- Contact information for the members of the IR team, day and night, and how to proceed if they are unreachable or unavailable.
- Contact information for senior management, communications personnel, shareholders, and legal counsel, and a description of the circumstances under which each should be contacted.
- Consider “out of band” communication methods to coordinate during an IR event, so that when a cyber incident occurs, you are not relying on your organization’s integrated communications (email, phones, etc.) and intruders cannot monitor your organization’s IR.
- Prioritization of which mission-critical data, networks, assets, or services should receive primary attention during an incident and procedures for implementing security measures, such as segmenting the network (isolating the threat).
- Procedures for preserving evidence for potential criminal prosecution. These should include procedures already in action (server logs and network maps), along with predetermined incident specific procedures that can be quickly implemented as part of the IR plan.
- Instructions for contacting and engaging with law enforcement, to include providing known and relevant information about the incident.
- Steps for resolving legal questions, such as compliance with data protection under the law.
- Procedures for notifying regulatory agencies, if, and when, applicable.
- Instructions for contacting contracted third-party service providers, and other outside entities who host the affected data and services, such as cloud storage service providers and commercial data centers.
- Procedures for restoring data backups, including measures for ensuring the integrity of backed up data before restoration.
- Templates for issuing public communications in compliance with the law.
- Conduct tabletop exercises to ensure that employees become and remain familiar with the IR plan, and that communication channels and emergency processes remain up to date.
- If using contracted third parties to transmit and store data, inquire about and study their IR plan.
- Keep the IR plan up to date and maintain hard copies easily accessible by the IR team. Do not save the digital copy of the IR plan on your primary systems where it can be accessed by intruders.
Following the above steps will save valuable time during an incident. Documenting the steps taken will save valuable time during your organization’s interaction with law enforcement and will create a solid foundation for investigating and prosecuting the intruders. The sequence of above steps will depend on your organization’s specific needs and responsibilities under federal, state, local, and international law.