Dealing with the aftermath of a breach – a checklist

Sept. 27, 2016
Ed McAndrew, Former Federal Cybercrime Prosecutor, Partner, Ballard Spahr
Patrick Dennis, President and CEO, Guidance Software

More organizations are operating under the assumption of network compromise. This is wise, as cybercrime continues to increase in frequency, type, and cost. While they work to fortify their defenses, organizations still have little guidance about what to do immediately after a breach. Most organizations understand the need to mitigate damage and data loss. But they should also provide timely information to law enforcement – a step that often leads to better long-term, sustainable solutions to battling cyber threats that are unlikely to go away after one incident.

More common and costlier

According to Kaspersky Labs, 90 percent of businesses have experienced a cyberattack. Eighty percent of healthcare executives surveyed by KPMG said their organizations had been compromised by a cyberattack in the past two years. Only half said they were adequately prepared.

In 2016, the Ponemon Institute pegged the global average cost of a data breach at $4 million, or $158 per record. This does not include additional regulatory, legal, and reputational costs. Preparedness can materially reduce this cost. For example, organizations with a CISO paid on average $8 less per compromised record. Board-level involvement reduced incident response cost by $6 per record, and participating in threat sharing by $9 per record. The most effective step in reducing the cost, though, is having a dedicated incident response team – a reduction of $13 per record.

What to do before a breach

The risk of cyberattack cannot be eliminated, but it can be managed. Here are steps that companies can take now:

  1. Start with the board – Board activity should include: cybercrime education, a periodic review of the security program, and monitoring of cybersecurity risks and responses. Healthcare organizations with significant technology investments should consider establishing a cyber risk subcommittee of the board.
  2. Periodically assess cyber risk – The HIPAA Security Rule requires analysis of potential risks to the confidentiality, integrity, and availability of ePHI. Organizations also must implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The Office of the National Coordinator for Health Information Technology’s Security Risk Assessment Tool and NIST’s Cybersecurity Framework provide excellent guidance on risk management planning and policies.
  3. Identify who is responsible for different elements of an organization’s cyber incident response – Clear escalation protocols and designated response team leaders are critical to making decisions quickly and effectively in the event of a breach.
  4. Distinguish key assets – All data is not created equal. Before creating a cyber-incident response plan, an organization should determine what level of protection different types of data, assets, and services warrant.
  5. Ensure appropriate internal resources are in place – Create a dedicated incident response team. Secure surge resources with third parties in case an incident response requires additional scale or expertise.
  6. Have an approved and practiced incident response plan – Creating actionable plans for responding to different types of cyber incidents can help organizations limit damage to their networks/devices, minimize work stoppage, and mitigate potential harm to exposed data. Proper planning and an organized response also help preserve evidence for law enforcement to identify, apprehend, and successfully prosecute the perpetrators.
  7. Engage with law enforcement before an attack – Forging pre-existing relationships with law enforcement can facilitate positive interaction relating to cyber incidents. It also helps establish trust needed for bi-directional, and mutually beneficial, information sharing. Organizations can contact their local FBI and U.S. Secret Service field offices to connect with cyber agents. They also can participate in information sharing and analysis centers/organizations, and in law enforcement outreach organizations, such as the FBI’s InfraGard program.

The worst has happened – Now what?

Once an organization discovers an incident, it is critical to assess its nature, scope, and status. These factors will determine the type of response, as well as internal and external assistance that will be required.

  1. Capture the extent of the damage – The victim should preserve the digital crime scene. Impacted devices/systems should be identified, with forensic images of each device made as soon as possible. All relevant network logs, suspicious communications, and files should be preserved. Access to preserved materials must be restricted to maintain authenticity and a chain of custody. Some automated processes may need to be suspended to prevent data compromise.
  2. Take steps to minimize additional damage – Intrusions often continue past initial detection. Depending on the type of attack, companies may reroute network traffic; filter or block data flows and processes; and isolate all or parts of the compromised network. Organizations should consider how to implement blacklists of malicious IP addresses and identified malware while their anti-virus provider creates new signatures. To the extent reasonably possible, they should not use a system suspected of being compromised to communicate about an incident.
  3. Keep detailed records – All incident responders should keep a written record of their response activities. Relevant information includes all incident-related communications; the identity of the systems, accounts, services, data, and networks affected by the incident; changes made to the systems and devices during the incident response; an inventory and copies of any data or devices provided to the government; and information relating to the amount and type of damage inflicted.
  4. Leave the response to law enforcement – Companies should focus on damage mitigation and recovery, while leaving attribution to the authorities. Law enforcement agencies are better equipped to attribute the criminal conduct based on their broader understanding of the threat landscape. Any attempt to access, damage, or impair another system that appears to be involved in an attack is most likely illegal. Because many intrusions and attacks are launched from compromised systems, there’s also the danger of damaging another victim’s system or compromising what may already be an ongoing investigation into the threat actors.
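Item 1 asks for forensic images and preserved logs whose authenticity and chain of custody can later be demonstrated. As an added example (not from the article or its authors), the Python below fingerprints each preserved item with SHA-256 into a custody manifest and later re-verifies it, flagging anything modified or missing; the file names, manifest layout, custodian label and log line are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte forensic image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_evidence(paths, custodian, manifest_path):
    """Fingerprint each preserved item and write the initial custody manifest (assumed layout)."""
    items = [{
        "item": os.path.basename(p),
        "path": os.path.abspath(p),
        "sha256": sha256_file(p),
        "size_bytes": os.path.getsize(p),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
    } for p in paths]
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump({"items": items}, f, indent=2)
    return items

def _status(entry):
    if not os.path.exists(entry["path"]):
        return "MISSING"
    return "ok" if sha256_file(entry["path"]) == entry["sha256"] else "MODIFIED"

def verify_manifest(manifest_path):
    """Recompute every fingerprint; anything not 'ok' was altered or lost after acquisition."""
    with open(manifest_path, encoding="utf-8") as f:
        return {e["item"]: _status(e) for e in json.load(f)["items"]}

def demo():
    d = Path(tempfile.mkdtemp())
    log, img = d / "fw.log", d / "host01.dd"
    log.write_bytes(b"2016-09-27T03:14:07Z DENY 203.0.113.5 -> 10.0.0.12:445\n")  # constructed line
    img.write_bytes(b"\x00" * 4096)  # constructed stand-in for a forensic disk image
    manifest = d / "manifest.json"
    record_evidence([log, img], "analyst-a", manifest)
    before = verify_manifest(manifest)
    with log.open("ab") as f:  # simulate post-acquisition modification
        f.write(b"edited\n")
    img.unlink()  # simulate a lost item
    return before, verify_manifest(manifest)
```

Store the manifest separately from the evidence itself and under the same access restrictions, since a manifest the handler can edit proves nothing.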

How to work with law enforcement

Some companies have been reluctant to contact law enforcement following a cyber incident due to concerns of additional reputational, legal, or financial harm, and business disruption. The FBI and U.S. Secret Service are committed to causing as little disruption to an organization’s regular operations as possible. They can often provide timely insight into the attack that minimizes further harm. They can gather evidence, dismantle cybercrime infrastructure, recover stolen data, and seize criminal proceeds that are beyond the reach of private organizations. They often attempt to coordinate public statements concerning the incident to minimize additional harm to a victim.

Contacting other potential victims through law enforcement is also often preferable. Doing so protects the initial victim from unnecessary exposure and allows law enforcement to conduct further investigation under grand jury secrecy rules or court orders. Many regulators view active engagement with law enforcement in breach response favorably.

Making criminals pay

Most cyberattacks are perpetrated for financial gain by sophisticated, organized crime syndicates. Companies need to act in advance of incidents to protect themselves and their stakeholders. More also needs to be done to help law enforcement prosecute cybercriminals, dismantle their technological infrastructure, and cut off their revenue streams. By working more closely with law enforcement, organizations can help create a system that goes beyond managing short-term cyber risk, to more effectively policing cybercrime and its long-term impact.