Department of Justice Cybersecurity Unit Cyber Incident Response Best Practices

The following guide was released by the Department of Justice on April 29, 2015.


Best Practices for Victim Response and Reporting of Cyber Incidents

  • 15 pages
  • April 2015


Any Internet-connected organization can fall prey to a disruptive network intrusion or costly cyber attack. A quick, effective response to cyber incidents can prove critical to minimizing the resulting harm and expediting recovery. The best time to plan such a response is now, before an incident occurs.

This “best practices” document was drafted by the Cybersecurity Unit to assist organizations in preparing a cyber incident response plan and, more generally, in preparing to respond to a cyber incident. It reflects lessons learned by federal prosecutors while handling cyber investigations and prosecutions, including information about how cyber criminals’ tactics and tradecraft can thwart recovery. It also incorporates input from private sector companies that have managed cyber incidents. It was drafted with smaller, less well-resourced organizations in mind; however, even larger organizations with more experience in handling cyber incidents may benefit from it.

I. Steps to Take Before a Cyber Intrusion or Attack Occurs

Having well-established plans and procedures in place for managing and responding to a cyber intrusion or attack is a critical first step toward preparing an organization to weather a cyber incident. Such pre-planning can help victim organizations limit damage to their computer networks, minimize work stoppages, and maximize the ability of law enforcement to locate and apprehend perpetrators. Organizations should take the precautions outlined below before learning of a cyber incident affecting their networks.

A. Identify Your “Crown Jewels”

Different organizations have different mission critical needs. For some organizations, even a short-term disruption in their ability to send or receive email will have a devastating impact on their operations; others are able to rely on other means of communication to transact business, but they may suffer significant harm if certain intellectual property is stolen. For others still, the ability to guarantee the integrity and security of the data they store and process, such as customer information, is vital to their continued operation. The expense and resources required to protect a whole enterprise may force an organization to prioritize its efforts and may shape its incident response planning. Before formulating a cyber incident response plan, an organization should first determine which of its data, assets, and services warrant the most protection. Ensuring that protection of an organization’s “crown jewels” is appropriately prioritized is an important first step to preventing a cyber intrusion or attack from causing catastrophic harm. The Cybersecurity Framework produced by the National Institute of Standards and Technology (NIST) provides excellent guidance on risk management planning and policies and merits consideration.

B. Have an Actionable Plan in Place Before an Intrusion Occurs

Organizations should have a plan in place for handling computer intrusions before an intrusion occurs. During an intrusion, an organization’s management and personnel should be focused on containing the intrusion, mitigating the harm, and collecting and preserving vital information that will help them assess the nature and scope of the damage and the potential source of the threat. A cyber incident is not the time to be creating emergency procedures or considering for the first time how best to respond. The plan should be “actionable.” It should provide specific, concrete procedures to follow in the event of a cyber incident. At a minimum, the procedures should address:

  • Who has lead responsibility for different elements of an organization’s cyber incident response, from decisions about public communications, to information technology access, to implementation of security measures, to resolving legal questions;
  • How to contact critical personnel at any time, day or night;
  • How to proceed if critical personnel are unreachable and who will serve as back-up;
  • What mission critical data, networks, or services should be prioritized for the greatest protection;
  • How to preserve data related to the intrusion in a forensically sound manner;
  • What criteria will be used to ascertain whether data owners, customers, or partner companies should be notified if their data or data affecting their networks is stolen; and
  • Procedures for notifying law enforcement and/or computer incident-reporting organizations.

All personnel who have computer security responsibilities should have access to and familiarity with the plan, particularly anyone who will play a role in making technical, operational, or managerial decisions during an incident. It is important for an organization to institute rules that will ensure its personnel have and maintain familiarity with its incident response plan. For instance, the procedures for responding to a cyber incident under an incident response plan can be integrated into regular personnel training. The plan may also be ingrained through regularly conducted exercises to ensure that it is up-to-date. Such exercises should be designed to verify that necessary lines of communication exist, that decision-making roles and responsibilities are well understood, and that any technology that may be needed during an actual incident is available and likely to be effective. Deficiencies and gaps identified during an exercise should be noted for speedy resolution.

Incident response plans may differ depending upon an organization’s size, structure, and nature of its business. Similarly, decision-making under a particular incident response plan may differ depending upon the nature of a cyber incident. In any event, institutionalized familiarity with the organization’s framework for addressing a cyber incident will expedite response time and save critical minutes during an incident.

II. Responding to a Computer Intrusion: Executing Your Incident Response Plan

An organization can fall victim to a cyber intrusion or attack even after taking reasonable precautions. Consequently, having a vetted, actionable cyber incident response plan is critical. A robust incident response plan does more than provide procedures for handling an incident; it also provides guidance on how a victim organization can continue to operate while managing an incident and how to work with law enforcement and/or incident response firms as an investigation is conducted. An organization’s incident response plan should, at a minimum, give serious consideration to all of the steps outlined below.

A. Step 1: Make an Initial Assessment

During a cyber incident, a victim organization should immediately make an assessment of the nature and scope of the incident. In particular, it is important at the outset to determine whether the incident is a malicious act or a technological glitch. The nature of the incident will determine the type of assistance an organization will need to address the incident and the type of damage and remedial efforts that may be required. Having appropriate network logging capabilities enabled can be critical to identifying the cause of a cyber incident. Using log information, a system administrator should attempt to identify:

  • The affected computer systems;
  • The apparent origin of the incident, intrusion, or attack;
  • Any malware used in connection with the incident;
  • Any remote servers to which data were sent (if information was exfiltrated); and
  • The identity of any other victim organizations, if such data is apparent in logged data.

In addition, the initial assessment of the incident should document:

  • Which users are currently logged on;
  • What the current connections to the computer systems are;
  • Which processes are running; and
  • All open ports and their associated services and applications.

Any communications (in particular, threats or extortionate demands) received by the organization that might relate to the incident should also be preserved. Suspicious calls, emails, or other requests for information should be treated as part of the incident.

Evidence that an intrusion or other criminal incident has occurred will typically include logging or file creation data indicating that someone improperly accessed, created, modified, deleted, or copied files or logs; changed system settings; or added or altered user accounts or permissions. In addition, an intruder may have stored “hacker tools” or data from another intrusion on your network. In the case of a root-level intrusion, victims should be alert for signs that the intruder gained access to multiple areas of the network. The victim organization should take care to ensure that its actions do not unintentionally or unnecessarily modify stored data in a way that could hinder incident response or subsequent criminal investigation. In particular, potentially relevant files should not be deleted; if at all possible, avoid modifying data or at least keep track of how and when information was modified.
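The log review described under Step 1 (identifying affected systems, the apparent origin, and added or altered accounts) together with the preservation point just made (keeping evidence intact and recording when it was collected), as an added Python example that is not part of the DOJ guide; the hosts, users, addresses and log lines are constructed for the example.

```python
# Added example (not DOJ code): triage constructed auth-log lines and preserve them.
import hashlib
import re
from datetime import datetime, timezone

# Constructed syslog-style sample; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Mar  3 02:14:07 web01 sshd[2211]: Accepted password for svc_backup from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:09 web01 sudo: svc_backup : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/usr/sbin/useradd -m -G sudo ops2
Mar  3 02:15:30 web01 useradd[2290]: new user: name=ops2, UID=1005, GID=1005, home=/home/ops2, shell=/bin/bash
Mar  3 02:16:02 db02 sshd[880]: Accepted publickey for ops2 from 10.0.0.21 port 40012 ssh2
Mar  3 02:16:44 db02 usermod[901]: add 'ops2' to group 'wheel'
Mar  3 03:01:10 web01 sshd[2400]: Failed password for admin from 198.51.100.7 port 44411 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
# Added or altered accounts/permissions, the kind of evidence the guide describes.
ACCOUNT_RE = re.compile(r"new user: name=|add '[^']+' to group|"
                        r"COMMAND=\S*/(useradd|usermod|groupadd)\b")

def triage(log_text):
    """Affected systems, apparent origins, successful logins and account changes."""
    summary = {"affected_hosts": set(), "origins": set(), "logins": [], "account_changes": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines stay in the raw evidence; nothing is discarded
        host, msg = m["host"], m["msg"]
        login = LOGIN_RE.search(msg)
        if login:
            summary["affected_hosts"].add(host)
            summary["origins"].add(login["ip"])
            summary["logins"].append((m["ts"], host, login["user"], login["ip"]))
        if ACCOUNT_RE.search(msg):
            summary["affected_hosts"].add(host)
            summary["account_changes"].append((m["ts"], host, msg.strip()))
    return summary

def preserve(log_text, label):
    """Hash the evidence as collected and note when, so later handling can be checked."""
    data = log_text.encode()
    return {"label": label, "bytes": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "collected_utc": datetime.now(timezone.utc).isoformat()}

def verify(log_text, record):
    """True only if the text still matches the hash taken at collection time."""
    return hashlib.sha256(log_text.encode()).hexdigest() == record["sha256"]
```

Run `triage` on a copy of the collected log, never on the only copy, and store the `preserve` record alongside the evidence so any later change is detectable.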
