Executing a Response Plan

This blog post is the third installment of a six-part series discussing the best practices relating to cyber security.  The first two blog posts discussed the best practices for preparing a business in case of a cyberattack.  This post will discuss the initial steps that a business should take after a cyberattack occurs.

Once an employee discovers a cyber incident, the business should immediately assess the nature and scope of the situation.  It is important to determine whether the disruption is a deliberate cyberattack or an accidental system failure.  This determination will guide the business in executing the appropriate Response Plan.  If the incident is a malicious cyberattack, the business may need to disconnect its entire system and shut down its technological operations.  If the incident is the product of faulty software, the business may be able to take less extreme measures.

Gathering the correct information as quickly as possible will not only help defend the system from additional attacks, but also provide law enforcement with information to begin its investigation.  The system administrator should survey the network to determine which computer systems were impacted, where the incident originated, and what malware may have been installed on the network.  Additional information concerning which users were logged onto the network and which programs were running on the network is also useful in determining the source of the attack.

During the initial assessment it is important to determine if data was exported from the system.  The data trail may illustrate the possible motive behind the attack and where it could strike next.  If a business can identify other networks that are impacted by the attack it should alert those networks’ administrators.  This may help to weaken the attack and increase the chance of retrieving stolen data.

After the initial assessment is complete, the business may need to take containment measures in order to stop further loss of data.  Common approaches to prevent additional attacks include (1) redirecting network traffic, (2) segregating all or part of a network, or (3) filtering all messages and communications on the network.  If a specific user account or network terminal is identified as the source of the attack, it should be blocked and disabled immediately.  In more extreme cases, an entire network may need to be shut down if an attack persists.  A business should maintain backup copies of critical data if its Response Plan calls for the network to be shut down.  This allows the business to continue some operations from a remote network while its main network is disabled.

It is important that all steps taken to gather information and mitigate damage are recorded accurately.  This information will be useful in law enforcement’s efforts to bring criminal charges and in supporting the business’s insurance claims.

The next blog post will discuss the steps a business should take once these initial steps are complete.