The Department of Justice (“DoJ”) recently issued new guidance for organizations on what it believes are best practices for managing cyber security incidents. As described further below, the guidance provides a broad overview on recommended steps to take to minimize the risk of an incident, as well as actions to take and avoid in the event of a cybersecurity incident.

In remarks to the Criminal Division’s Cybersecurity Roundtable, Assistant Attorney General for the Criminal Division Leslie Caldwell noted that this “guidance is built on our experience prosecuting and investigating cybercrime, and incorporates knowledge and input from private sector entities that have managed cyber incidents.”

I.  Incident Preparation: Steps to Take Before a Cyber Intrusion or Attack Occurs

The guidance provides the following recommendations on measures to take in advance of any cyber intrusion or attack, with an eye toward minimizing the harm that could result from such an attack.

  1. Identify Your “Crown Jewels”. The guidance notes that, as a resource management issue, organizations (especially smaller ones) should prioritize their protections and incident response efforts around their “crown jewels.”
  2. Have an Actionable Plan in Place Before an Intrusion Occurs. The guidance recommends that an organization maintain an actionable incident response plan that, at a minimum:
  • identifies lead responsibilities for different elements of an organization’s cyber incident response, including public communications, information technology access, implementation of security measures, and legal questions;
  • includes a contact list and instructions on how to proceed if critical personnel are unreachable and who will serve as back-up;
  • identifies what mission critical data, networks, or services should be prioritized for the greatest protection;
  • addresses how to preserve data related to the intrusion in a forensically sound manner;
  • indicates criteria that can be used to ascertain whether data owners, customers, or partner companies should be notified if their data or data affecting their networks is stolen;
  • includes procedures for notifying law enforcement and/or computer incident-reporting organizations; and
  • identifies what personnel should be trained periodically on such incident response plans.
  3. Have Appropriate Technology and Services in Place Before an Intrusion Occurs. The guidance emphasizes the importance of an organization possessing the technology, tailored to the size and sophistication of the organization, to identify and respond to a cyber intrusion, which may include having access to “off-site data back-up, intrusion detection capabilities, data loss prevention technologies, and devices for filtering or scrubbing.”
  4. Have Appropriate Authorization in Place to Permit Network Monitoring. To ensure that an organization does not inadvertently run afoul of federal and state privacy laws, the guidance recommends that organizations provide appropriate notice to, and as necessary receive consent from, their users regarding “the interception of their communications and that the results of such monitoring may be disclosed to others, including law enforcement.”
  5. Ensure Your Legal Counsel is Familiar with Technology and Cyber Incident Management to Reduce Response Time during an Incident. DoJ stresses that it is important for an organization to have access to “cyber-savvy” counsel so that, when presented with a cybersecurity incident, it can swiftly obtain legal advice that incorporates industry best practices and rests on firm legal principles.
  6. Ensure Organization Policies Align with Your Cyber Incident Response Plan. DoJ recommends that an organization ensure that its personnel and human resource policies incorporate best practices to minimize the risk of certain cybersecurity incidents, such as “insider threats,” by immediately revoking the network and security credentials of terminated employees.
  7. Engage with Law Enforcement before an Incident. DoJ emphasizes that an organization should also make an effort to build relationships with both federal and local law enforcement offices, including the FBI and Secret Service.
  8. Establish Relationships with Cyber Information Sharing Organizations. Finally, the guidance recommends that an organization establish relationships with cyber information sharing organizations to assist in “prioritiz[ing] its security measures.”

II.  Incident Response

The guidance outlines the following steps that an organization should take in responding to a cyber security incident.

  1. Make an Initial Assessment. The first step in any incident response is the initial assessment. The guidance recommends that system administrators use log information to identify the affected systems; the apparent origin of the incident; any malware used in connection with the incident; any remote services to which data was exfiltrated; and the identity of any other victim organizations, to the extent such data is available from the logs. The guidance also highlights the importance of the following foundational investigative items in the first phase of a response:
  • identify which users are currently logged on;
  • identify what the current connections to the computer systems are;
  • identify which system processes are running; and
  • identify all open ports and their associated services and applications.
  2. Implement Measures to Minimize Continuing Damage. The guidance notes that an organization can remain susceptible to subsequent attacks from perpetrators after a cybersecurity incident, and accordingly should take action to contain the access and limit the damage, including “rerouting network traffic, filtering or blocking a distributed denial-of-service attack, or isolating all or parts of the compromised network.”
  3. Record and Collect Information. As part of mitigating any damage caused by a cybersecurity incident, the guidance recommends that an organization (1) “image the affected computers,” (2) “keep logs, notes, records, and data,” and (3) retain records related to continuing attacks.
  4. Notify. The Cybersecurity Unit states that the fourth step that an organization should take after discovering a cybersecurity incident is to provide proper notification to personnel within the organization, to law enforcement, to the Department of Homeland Security, and to “other potential victims.”
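The initial-assessment items above (logged-on users, current connections, running processes, open ports) and the later instruction to “keep logs, notes, records, and data” are easier to satisfy consistently when the collection is scripted rather than typed ad hoc on a machine under investigation. The following POSIX shell script is an added example, not code from the DoJ guidance or this article: it writes each item to its own file in an evidence directory, stamps the snapshot with a UTC time and hostname, and seals the directory with a SHA-256 manifest so that a later reviewer can show the records were not altered. The tool names it relies on (`who`, `ss` or `netstat`, `ps`, `sha256sum` or `shasum`) are assumptions about an ordinary Linux or BSD host; any tool that is missing is recorded as unavailable instead of aborting the run.

```shell
#!/bin/sh
# Added example (not from the DoJ guidance): capture volatile host state into an
# evidence directory and seal it with a SHA-256 manifest. Tool names are assumed
# to be the usual Linux/BSD utilities; missing tools are noted, not fatal.

# Run a command and save its output, or record that the tool is unavailable.
run_or_note() {
  outfile="$1"; shift
  if command -v "$1" >/dev/null 2>&1; then
    "$@" > "$outfile" 2>&1 || printf 'exit status %s\n' "$?" >> "$outfile"
  else
    printf 'command not available: %s\n' "$1" > "$outfile"
  fi
}

# SHA-256 of one file, using whichever hashing tool the host provides.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/.*= //'
  fi
}

# Capture the four initial-assessment items into DIR, one file each, plus a
# UTC timestamp and hostname so the snapshot can be placed on a timeline.
collect_volatile_state() {
  dir="$1"
  mkdir -p "$dir"
  date -u '+%Y-%m-%dT%H:%M:%SZ' > "$dir/collected_at_utc.txt"
  { hostname || echo unknown; } > "$dir/hostname.txt" 2>/dev/null
  run_or_note "$dir/logged_on_users.txt" who
  if command -v ss >/dev/null 2>&1; then
    run_or_note "$dir/network_connections.txt" ss -tunap
    run_or_note "$dir/listening_ports.txt" ss -tulnp
  else
    run_or_note "$dir/network_connections.txt" netstat -tunap
    run_or_note "$dir/listening_ports.txt" netstat -tulnp
  fi
  run_or_note "$dir/processes.txt" ps -eo pid,ppid,user,args
}

# Write manifest.sha256 covering every collected file in DIR.
write_manifest() {
  dir="$1"
  : > "$dir/manifest.sha256"
  for f in "$dir"/*.txt; do
    printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")" >> "$dir/manifest.sha256"
  done
}

# Recompute each hash and compare; returns 0 if nothing changed, 1 otherwise.
verify_manifest() {
  dir="$1"; status=0
  while read -r expected name; do
    if [ "$(hash_file "$dir/$name")" != "$expected" ]; then
      printf 'MISMATCH: %s\n' "$name"
      status=1
    fi
  done < "$dir/manifest.sha256"
  return "$status"
}

# Usage: sh triage.sh /path/to/evidence-dir
if [ "$#" -gt 0 ]; then
  collect_volatile_state "$1"
  write_manifest "$1"
  verify_manifest "$1" && echo "snapshot sealed in $1"
fi
```

The manifest is what turns a directory of text files into a record: copy `manifest.sha256` (or just its hashes) into the incident notes at collection time, and a later `verify_manifest` run shows whether any file changed since. Writing the evidence directory to removable or network storage rather than the suspect host keeps the snapshot itself out of reach of a still-active intruder.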

DoJ also emphasizes that there are various damaging actions that an organization must avoid taking. These include using a compromised system to communicate about an incident or to discuss the response to the incident. The guidance also cautions against taking action to “hack back,” including accessing, damaging, or impairing a system that appears to be involved in the cyber intrusion in some capacity. The guidance notes that such actions are likely illegal and could expose the organization to both civil and criminal liability.

Finally, after an incident occurs and the organization has resolved the response, the guidance notes that it is a best practice to learn from the incident and implement measures to prevent similar attacks in the future.